
Commit facb573

jgross1David Vrabel
authored andcommitted
xen-scsiback: mark pvscsi frontend request consumed only after last read
A request in the ring buffer mustn't be read after it has been marked as consumed. Otherwise it might already have been reused by the frontend without violating the ring protocol. To avoid inconsistencies in the backend only work on a private copy of the request. This will ensure a malicious guest not being able to bypass consistency checks of the backend by modifying an active request. Signed-off-by: Juergen Gross <jgross@suse.com> Cc: <stable@vger.kernel.org> Signed-off-by: David Vrabel <david.vrabel@citrix.com>
1 parent fdfd811 commit facb573


1 file changed

+6
-8
lines changed


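--- a/drivers/xen/xen-scsiback.c
+++ b/drivers/xen/xen-scsiback.c
@@ -709,12 +709,11 @@ static int prepare_pending_reqs(struct vscsibk_info *info,
 static int scsiback_do_cmd_fn(struct vscsibk_info *info)
 {
 struct vscsiif_back_ring *ring = &info->ring;
-struct vscsiif_request *ring_req;
+struct vscsiif_request ring_req;
 struct vscsibk_pend *pending_req;
 RING_IDX rc, rp;
 int err, more_to_do;
 uint32_t result;
-uint8_t act;
 
 rc = ring->req_cons;
 rp = ring->sring->req_prod;
@@ -735,11 +734,10 @@ static int scsiback_do_cmd_fn(struct vscsibk_info *info)
 if (!pending_req)
 return 1;
 
-ring_req = RING_GET_REQUEST(ring, rc);
+ring_req = *RING_GET_REQUEST(ring, rc);
 ring->req_cons = ++rc;
 
-act = ring_req->act;
-err = prepare_pending_reqs(info, ring_req, pending_req);
+err = prepare_pending_reqs(info, &ring_req, pending_req);
 if (err) {
 switch (err) {
 case -ENODEV:
@@ -755,9 +753,9 @@ static int scsiback_do_cmd_fn(struct vscsibk_info *info)
 return 1;
 }
 
-switch (act) {
+switch (ring_req.act) {
 case VSCSIIF_ACT_SCSI_CDB:
-if (scsiback_gnttab_data_map(ring_req, pending_req)) {
+if (scsiback_gnttab_data_map(&ring_req, pending_req)) {
 scsiback_fast_flush_area(pending_req);
 scsiback_do_resp_with_sense(NULL,
 DRIVER_ERROR << 24, 0, pending_req);
@@ -768,7 +766,7 @@ static int scsiback_do_cmd_fn(struct vscsibk_info *info)
 break;
 case VSCSIIF_ACT_SCSI_ABORT:
 scsiback_device_action(pending_req, TMR_ABORT_TASK,
-ring_req->ref_rqid);
+ring_req.ref_rqid);
 break;
 case VSCSIIF_ACT_SCSI_RESET:
 scsiback_device_action(pending_req, TMR_LUN_RESET, 0);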
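Review bot: The private copy taken by `ring_req = *RING_GET_REQUEST(ring, rc);` in the second hunk is a plain struct assignment from a page the frontend can still write, so nothing obliges the compiler to materialise every field in the local; if it can see that the source is not written between the copy and a later use (and prepare_pending_reqs is a same-file static it may inline), it is in principle free to satisfy `ring_req.act` or `ring_req.ref_rqid` straight from the shared ring, which would reintroduce the double read this commit sets out to remove. Copying through a volatile-qualified source pins the loads, e.g. `ring_req = *(volatile struct vscsiif_request *)RING_GET_REQUEST(ring, rc);`, and deserves a one-line comment such as `/* volatile: force a real copy, the guest may rewrite the slot */` so the cast is not "cleaned up" later. Whether current compilers actually perform that rematerialisation is inferred rather than visible here, but the cost of forcing the copy is nil. scsiback_do_cmd_fn continues past the last hunk, and the callees that validate the copied request are not shown, so the note does not cover what they check.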
