[cbr79] Multiple Xen VULNS #242
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
jira VULN-1437 cve CVE-2022-26365 commit-author Roger Pau Monne <[email protected]> commit 2f446ff upstream-diff One of the alloc_page calls has not been switched to GFP_KERNEL yet, so __GFP_ZERO is or'd with GFP_NOIO instead When allocating pages to be used for shared communication with the backend always zero them, this avoids leaking unintended data present on the pages. This is CVE-2022-26365, part of XSA-403. Signed-off-by: Roger Pau Monné <[email protected]> Reviewed-by: Jan Beulich <[email protected]> Reviewed-by: Juergen Gross <[email protected]> Signed-off-by: Juergen Gross <[email protected]> (cherry picked from commit 2f446ff) Signed-off-by: Brett Mastbergen <[email protected]>
jira VULN-1438 cve CVE-2022-33740 commit-author Roger Pau Monne <[email protected]> commit 307c8de upstream-diff This kernel hasn't switched to page_pool_dev_alloc_pages so we are simply adding __GFP_ZERO to the existing alloc_page call. When allocating pages to be used for shared communication with the backend always zero them, this avoids leaking unintended data present on the pages. This is CVE-2022-33740, part of XSA-403. Signed-off-by: Roger Pau Monné <[email protected]> Reviewed-by: Jan Beulich <[email protected]> Reviewed-by: Juergen Gross <[email protected]> Signed-off-by: Juergen Gross <[email protected]> (cherry picked from commit 307c8de) Signed-off-by: Brett Mastbergen <[email protected]>
jira VULN-1439 cve-prereq CVE-2022-33741 commit-author Juergen Gross <[email protected]> commit 9c53a17 There are multiple instances of code reading an optional unsigned parameter from Xenstore via xenbus_scanf(). Instead of repeating the same code over and over add a service function doing the job. Signed-off-by: Juergen Gross <[email protected]> Reviewed-by: David Vrabel <[email protected]> (cherry picked from commit 9c53a17) Signed-off-by: Brett Mastbergen <[email protected]>
jira VULN-1439 cve-prereq CVE-2022-33741 commit-author Ilya Lesokhin <[email protected]> commit 08303c1 copy_skb_header is renamed to skb_copy_header and exported. Exposing this function give more flexibility in copying SKBs. skb_copy and skb_copy_expand do not give enough control over which parts are copied. Signed-off-by: Ilya Lesokhin <[email protected]> Signed-off-by: Boris Pismenny <[email protected]> Signed-off-by: David S. Miller <[email protected]> (cherry picked from commit 08303c1) Signed-off-by: Brett Mastbergen <[email protected]>
jira VULN-1439 cve CVE-2022-33741 commit-author Roger Pau Monne <[email protected]> commit 4491001 upstream-diff Some merge conflicts were fixed up mainly due to the fact that this version of the driver does not have xdp support. The content of the added code itself is identical to the upstream change with the exception of PAGE_SIZE replacing XEN_PAGE_SIZE. In this kernel there is no difference between the two where as in future kernels the ARM kernel page size might be 64k while the xen page size stays 4k. Bounce all data on the skbs to be transmitted into zeroed pages if the backend is untrusted. This avoids leaking data present in the pages shared with the backend but not part of the skb fragments. This requires introducing a new helper in order to allocate skbs with a size multiple of XEN_PAGE_SIZE so we don't leak contiguous data on the granted pages. Reporting whether the backend is to be trusted can be done using a module parameter, or from the xenstore frontend path as set by the toolstack when adding the device. This is CVE-2022-33741, part of XSA-403. Signed-off-by: Roger Pau Monné <[email protected]> Reviewed-by: Juergen Gross <[email protected]> Signed-off-by: Juergen Gross <[email protected]> (cherry picked from commit 4491001) Signed-off-by: Brett Mastbergen <[email protected]>
jira VULN-1039 cve CVE-2022-33742 commit-author Roger Pau Monne <[email protected]> commit 2400617 upstream-diff There were a lot of merge conflicts with this change as the upstream version of this file has had a lot of development. Still there is pretty much a 1:1 mapping of the changes against the upstream and the changes against this kernel Split the current bounce buffering logic used with persistent grants into it's own option, and allow enabling it independently of persistent grants. This allows to reuse the same code paths to perform the bounce buffering required to avoid leaking contiguous data in shared pages not part of the request fragments. Reporting whether the backend is to be trusted can be done using a module parameter, or from the xenstore frontend path as set by the toolstack when adding the device. This is CVE-2022-33742, part of XSA-403. Signed-off-by: Roger Pau Monné <[email protected]> Reviewed-by: Juergen Gross <[email protected]> Signed-off-by: Juergen Gross <[email protected]> (cherry picked from commit 2400617) Signed-off-by: Brett Mastbergen <[email protected]>
bmastbergen
pushed a commit
to bmastbergen/kernel-src-tree
that referenced
this pull request
Aug 29, 2025
jira LE-1907 Rebuild_History Non-Buildable kernel-5.14.0-427.18.1.el9_4 commit-author Daniel Borkmann <[email protected]> commit cd13c91 Add a big batch of test coverage to assert all aspects of the tcx opts attach, detach and query API: # ./vmtest.sh -- ./test_progs -t tc_opts [...] ctrliq#238 tc_opts_after:OK ctrliq#239 tc_opts_append:OK ctrliq#240 tc_opts_basic:OK ctrliq#241 tc_opts_before:OK ctrliq#242 tc_opts_chain_classic:OK ctrliq#243 tc_opts_demixed:OK ctrliq#244 tc_opts_detach:OK ctrliq#245 tc_opts_detach_after:OK ctrliq#246 tc_opts_detach_before:OK ctrliq#247 tc_opts_dev_cleanup:OK ctrliq#248 tc_opts_invalid:OK ctrliq#249 tc_opts_mixed:OK ctrliq#250 tc_opts_prepend:OK ctrliq#251 tc_opts_replace:OK ctrliq#252 tc_opts_revision:OK Summary: 15/0 PASSED, 0 SKIPPED, 0 FAILED Signed-off-by: Daniel Borkmann <[email protected]> Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Alexei Starovoitov <[email protected]> (cherry picked from commit cd13c91) Signed-off-by: Jonathan Maple <[email protected]>
bmastbergen
pushed a commit
to bmastbergen/kernel-src-tree
that referenced
this pull request
Aug 29, 2025
jira LE-1907 Rebuild_History Non-Buildable kernel-5.14.0-427.18.1.el9_4 commit-author Daniel Borkmann <[email protected]> commit ccd9a8b Add several new tcx test cases to improve test coverage. This also includes a few new tests with ingress instead of clsact qdisc, to cover the fix from commit dc644b5 ("tcx: Fix splat in ingress_destroy upon tcx_entry_free"). # ./test_progs -t tc [...] ctrliq#234 tc_links_after:OK ctrliq#235 tc_links_append:OK ctrliq#236 tc_links_basic:OK ctrliq#237 tc_links_before:OK ctrliq#238 tc_links_chain_classic:OK ctrliq#239 tc_links_chain_mixed:OK ctrliq#240 tc_links_dev_cleanup:OK ctrliq#241 tc_links_dev_mixed:OK ctrliq#242 tc_links_ingress:OK ctrliq#243 tc_links_invalid:OK ctrliq#244 tc_links_prepend:OK ctrliq#245 tc_links_replace:OK ctrliq#246 tc_links_revision:OK ctrliq#247 tc_opts_after:OK ctrliq#248 tc_opts_append:OK ctrliq#249 tc_opts_basic:OK ctrliq#250 tc_opts_before:OK ctrliq#251 tc_opts_chain_classic:OK ctrliq#252 tc_opts_chain_mixed:OK ctrliq#253 tc_opts_delete_empty:OK ctrliq#254 tc_opts_demixed:OK ctrliq#255 tc_opts_detach:OK ctrliq#256 tc_opts_detach_after:OK ctrliq#257 tc_opts_detach_before:OK ctrliq#258 tc_opts_dev_cleanup:OK ctrliq#259 tc_opts_invalid:OK ctrliq#260 tc_opts_mixed:OK ctrliq#261 tc_opts_prepend:OK ctrliq#262 tc_opts_replace:OK ctrliq#263 tc_opts_revision:OK [...] Summary: 44/38 PASSED, 0 SKIPPED, 0 FAILED Signed-off-by: Daniel Borkmann <[email protected]> Link: https://lore.kernel.org/r/8699efc284b75ccdc51ddf7062fa2370330dc6c0.1692029283.git.daniel@iogearbox.net Signed-off-by: Martin KaFai Lau <[email protected]> (cherry picked from commit ccd9a8b) Signed-off-by: Jonathan Maple <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This is four CVE fixes all dealing with Xen and somewhat related, so I've batched them up into a single PR. It ended up being six commits because I picked up two prereq commits to make the backporting for VULN-1439 and VULN-1039 cleaner. Both of the prereqs are adding helper functions used by the CVE fixes.
All four of the backported CVE fixes have upstream diffs. The first two were simple. The other two were a bit more involved so definitely give them a good look. There are no Xen selftests in 3.10 and I'm not very familiar with it, so if you think there is any specific testing we can do please let me know.
VULNs
VULN-1437
VULN-1438
VULN-1439
VULN-1039
CVEs
CVE-2022-26365
CVE-2022-33740
CVE-2022-33741
CVE-2022-33742
Build log
Testing
The very limited number of selftests were run before and after the CVE fixes were applied
selftest-3.10.0-1160.119.1.el7_9.ciqcbr.3.1.x86_64.log
selftest-3.10.0-bmastbergen_ciqcbr7_9_xen-vulns-4944724+.log