author Juergen Gross <jgross@suse.com> 2022-02-25 18:05:43 +0300
committer Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2022-03-11 12:03:33 +0300
commit ae6f8a67b98144827e78874c8dba41cccb02be5b
tree 5a095937a07106f6c763b692bc97edd7e823f195 /drivers/input
parent 9ebaa18cf706712d475f679410d12ef423580bfc
xen/gnttab: fix gnttab_end_foreign_access() without page specified

Commit 42baefac638f06314298087394b982ead9ec444b upstream.

gnttab_end_foreign_access() is used to free a grant reference and optionally to free the associated page. In case the grant is still in use by the other side processing is being deferred. This leads to a problem in case no page to be freed is specified by the caller: the caller doesn't know that the page is still mapped by the other side and thus should not be used for other purposes.

The correct way to handle this situation is to take an additional reference to the granted page in case handling is being deferred and to drop that reference when the grant reference could be freed finally.

This requires that there are no users of gnttab_end_foreign_access() left directly repurposing the granted page after the call, as this might result in clobbered data or information leaks via the not yet freed grant reference.

This is part of CVE-2022-23041 / XSA-396.

Reported-by: Simon Gaiser <simon@invisiblethingslab.com>
Signed-off-by: Juergen Gross <jgross@suse.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Diffstat (limited to 'drivers/input')
0 files changed, 0 insertions, 0 deletions
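
The deferred-release rule described in the commit message, as a small user-space model. This is an added example, not code from the kernel or from this commit; every type and function name in it is a hypothetical stand-in, and the refcount and "peer still maps the page" flag are simplified assumptions.

```c
/* User-space model, constructed for illustration; not kernel code.
 * All names are hypothetical stand-ins for the real grant-table code. */
#include <stdbool.h>
#include <stddef.h>

struct page  { int refcount; bool freed; };
struct grant { bool peer_mapped; bool ref_free; struct page *held; };

static void get_page(struct page *p) { p->refcount++; }
static void put_page(struct page *p) { if (--p->refcount == 0) p->freed = true; }

/* Revoking the grant fails while the other side still maps the page. */
static bool try_end_access(struct grant *g)
{
    if (g->peer_mapped) return false;
    g->ref_free = true;
    return true;
}

/* Ending access without asking for the page to be freed. */
static void end_foreign_access(struct grant *g, struct page *p)
{
    if (try_end_access(g)) return;  /* grant gone: nothing to defer */
    get_page(p);                    /* pin the page while the grant is live */
    g->held = p;                    /* deferred entry remembers what it pinned */
}

/* Deferred retry: drop the extra reference once the grant is really free. */
static bool retry_deferred(struct grant *g)
{
    if (!try_end_access(g)) return false;
    if (g->held) { put_page(g->held); g->held = NULL; }
    return true;
}

/* Caller ends access and drops its own reference while the peer still maps
 * the page. Returns true if the page stayed allocated until the unmap. */
static bool page_survives_until_unmap(void)
{
    struct page p = { .refcount = 1, .freed = false };
    struct grant g = { .peer_mapped = true };
    end_foreign_access(&g, &p);
    put_page(&p);                        /* caller is done with the page */
    bool alive = !p.freed && !retry_deferred(&g);
    g.peer_mapped = false;               /* other side unmaps */
    return alive && retry_deferred(&g) && p.freed && g.ref_free;
}

int main(void) { return page_survives_until_unmap() ? 0 : 1; }
```

Without the `get_page()` in the deferred path, the caller's `put_page()` would free the page while the grant still exposes it to the other side, which is the clobbering and information-leak case the commit message names.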