[thirdparty/kernel/stable-queue.git] / releases / 4.4.103 / xen-xenbus-driver-must-not-accept-invalid-transaction-ids.patch

From foo@baz Tue Nov 28 10:56:34 CET 2017
From: Juergen Gross <jgross@suse.com>
Date: Thu, 22 Dec 2016 08:19:46 +0100
Subject: xen: xenbus driver must not accept invalid transaction ids

From: Juergen Gross <jgross@suse.com>


[ Upstream commit 639b08810d6ad74ded2c5f6e233c4fcb9d147168 ]

When accessing Xenstore in a transaction the user is specifying a
transaction id which he normally obtained from Xenstore when starting
the transaction. Xenstore is validating a transaction id against all
known transaction ids of the connection the request came in. As all
requests of a domain not being the one where Xenstore lives share
one connection, validation of transaction ids of different users of
Xenstore in that domain should be done by the kernel of that domain
being the multiplexer between the Xenstore users in that domain and
Xenstore.

In order to prohibit one Xenstore user "hijacking" a transaction from
another user the xenbus driver has to verify a given transaction id
against all known transaction ids of the user before forwarding it to
Xenstore.

Signed-off-by: Juergen Gross <jgross@suse.com>
Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Signed-off-by: Juergen Gross <jgross@suse.com>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/xen/xenbus/xenbus_dev_frontend.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/xen/xenbus/xenbus_dev_frontend.c
+++ b/drivers/xen/xenbus/xenbus_dev_frontend.c
@@ -316,7 +316,7 @@ static int xenbus_write_transaction(unsi
 			rc = -ENOMEM;
 			goto out;
 		}
-	} else if (msg_type == XS_TRANSACTION_END) {
+	} else if (u->u.msg.tx_id != 0) {
 		list_for_each_entry(trans, &u->transactions, list)
 			if (trans->handle.id == u->u.msg.tx_id)
 				break;
Commit	Line	Data
18a2513c GKH	1	From foo@baz Tue Nov 28 10:56:34 CET 2017
	2	From: Juergen Gross <jgross@suse.com>
	3	Date: Thu, 22 Dec 2016 08:19:46 +0100
	4	Subject: xen: xenbus driver must not accept invalid transaction ids
	5
	6	From: Juergen Gross <jgross@suse.com>
	7
	8
	9	[ Upstream commit 639b08810d6ad74ded2c5f6e233c4fcb9d147168 ]
	10
	11	When accessing Xenstore in a transaction the user is specifying a
	12	transaction id which he normally obtained from Xenstore when starting
	13	the transaction. Xenstore is validating a transaction id against all
	14	known transaction ids of the connection the request came in. As all
	15	requests of a domain not being the one where Xenstore lives share
	16	one connection, validation of transaction ids of different users of
	17	Xenstore in that domain should be done by the kernel of that domain
	18	being the multiplexer between the Xenstore users in that domain and
	19	Xenstore.
	20
	21	In order to prohibit one Xenstore user "hijacking" a transaction from
	22	another user the xenbus driver has to verify a given transaction id
	23	against all known transaction ids of the user before forwarding it to
	24	Xenstore.
	25
	26	Signed-off-by: Juergen Gross <jgross@suse.com>
	27	Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
	28	Signed-off-by: Juergen Gross <jgross@suse.com>
	29	Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
	30	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	31	---
	32	drivers/xen/xenbus/xenbus_dev_frontend.c \| 2 +-
	33	1 file changed, 1 insertion(+), 1 deletion(-)
	34
	35	--- a/drivers/xen/xenbus/xenbus_dev_frontend.c
	36	+++ b/drivers/xen/xenbus/xenbus_dev_frontend.c
	37	@@ -316,7 +316,7 @@ static int xenbus_write_transaction(unsi
	38	rc = -ENOMEM;
	39	goto out;
	40	}
	41	- } else if (msg_type == XS_TRANSACTION_END) {
	42	+ } else if (u->u.msg.tx_id != 0) {
	43	list_for_each_entry(trans, &u->transactions, list)
	44	if (trans->handle.id == u->u.msg.tx_id)
	45	break;