]> git.proxmox.com Git - mirror_ubuntu-jammy-kernel.git/commit - drivers/net/xen-netfront.c
projects / mirror_ubuntu-jammy-kernel.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 33b9b25) | patch
xen-netfront: restore __skb_queue_tail() positioning in xennet_get_responses()
authorJan Beulich <jbeulich@suse.com>
Fri, 1 Jul 2022 07:57:19 +0000 (09:57 +0200)
committerStefan Bader <stefan.bader@canonical.com>
Fri, 26 Aug 2022 08:54:24 +0000 (10:54 +0200)
commit24d76a00f683e0bd16d7eac76d33ea1846f73e7d
treefbe19fe33b7f1aaee5f384eec0ad6fdb08fe8710tree
parent33b9b255b7092c5c7372aa70b53d3ae7e9c1277acommit | diff
xen-netfront: restore __skb_queue_tail() positioning in xennet_get_responses()

BugLink: https://bugs.launchpad.net/bugs/1986728
commit f63c2c2032c2e3caad9add3b82cc6e91c376fd26 upstream.

The commit referenced below moved the invocation past the "next" label,
without any explanation. In fact this allows misbehaving backends undue
control over the domain the frontend runs in, as earlier detected errors
require the skb to not be freed (it may be retained for later processing
via xennet_move_rx_slot(), or it may simply be unsafe to have it freed).

This is CVE-2022-33743 / XSA-405.

Fixes: 6c5aa6fc4def ("xen networking: add basic XDP support for xen-netfront")
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Juergen Gross <jgross@suse.com>
Signed-off-by: Juergen Gross <jgross@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
drivers/net/xen-netfront.c diff | blob | blame | history
Ubuntu Jammy Linux kernel mirror