From ad92161e511c4751cef8a8fe854d0e7a4f732894 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
Date: Fri, 1 Sep 2023 04:36:54 +0200
Subject: [PATCH] Revert "Apply XSA-432 fix"
Patch included upstream already.
This reverts commit 8214e1ffa0e1bf21255b1856f13ccdc6e45e4f86.
---
 kernel.spec.in | 2 --
 xsa432-linux.patch | 72 ----------------------------------------------
 2 files changed, 74 deletions(-)
 delete mode 100644 xsa432-linux.patch
diff --git a/kernel.spec.in b/kernel.spec.in
index 125e1098..afe77669 100644
--- a/kernel.spec.in
+++ b/kernel.spec.in
@@ -144,8 +144,6 @@ Patch25: 0001-Re-enable-interrupts-before-loading-PNVM.patch
 Patch26: 0001-sound-Disable-SG-buffer.patch
 Patch27: 0001-amdgpu-timeout.patch
 Patch28: 0001-iwlwifi-avoid-writing-to-MSI-X-page-when-MSI-X-is-no.patch
-Patch33: xsa432-linux.patch
-
 %description
 Qubes Dom0 kernel.
diff --git a/xsa432-linux.patch b/xsa432-linux.patch
deleted file mode 100644
index 0f7aa8d8..00000000
--- a/xsa432-linux.patch
+++ /dev/null
@@ -1,72 +0,0 @@
-From: Ross Lagerwall
-Subject: xen/netback: Fix buffer overrun triggered by unusual packet
-
-It is possible that a guest can send a packet that contains a head + 18
-slots and yet has a len <= XEN_NETBACK_TX_COPY_LEN. This causes nr_slots
-to underflow in xenvif_get_requests() which then causes the subsequent
-loop's termination condition to be wrong, causing a buffer overrun of
-queue->tx_map_ops.
-
-Rework the code to account for the extra frag_overflow slots.
-
-This is CVE-2023-34319 / XSA-432.
-
-Fixes: ad7f402ae4f4 ("xen/netback: Ensure protocol headers don't fall in the non-linear area")
-Signed-off-by: Ross Lagerwall
-Reviewed-by: Paul Durrant
-Reviewed-by: Wei Liu
----
- drivers/net/xen-netback/netback.c | 15 ++++++++++-----
- 1 file changed, 10 insertions(+), 5 deletions(-)
-
-diff --git a/drivers/net/xen-netback/netback.c b/drivers/net/xen-netback/netback.c
-index c1501f41e2d8..72091b331963 100644
---- a/drivers/net/xen-netback/netback.c
-+++ b/drivers/net/xen-netback/netback.c
-@@ -396,7 +396,7 @@ static void xenvif_get_requests(struct xenvif_queue *queue,
- struct gnttab_map_grant_ref *gop = queue->tx_map_ops + *map_ops;
- struct xen_netif_tx_request *txp = first;
-
-- nr_slots = shinfo->nr_frags + 1;
-+ nr_slots = shinfo->nr_frags + frag_overflow + 1;
-
- copy_count(skb) = 0;
- XENVIF_TX_CB(skb)->split_mask = 0;
-@@ -462,8 +462,8 @@ static void xenvif_get_requests(struct xenvif_queue *queue,
- }
- }
-
-- for (shinfo->nr_frags = 0; shinfo->nr_frags < nr_slots;
-- shinfo->nr_frags++, gop++) {
-+ for (shinfo->nr_frags = 0; nr_slots > 0 && shinfo->nr_frags < MAX_SKB_FRAGS;
-+ shinfo->nr_frags++, gop++, nr_slots--) {
- index = pending_index(queue->pending_cons++);
- pending_idx = queue->pending_ring[index];
- xenvif_tx_create_map_op(queue, pending_idx, txp,
-@@ -476,12 +476,12 @@ static void xenvif_get_requests(struct xenvif_queue *queue,
- txp++;
- }
-
-- if (frag_overflow) {
-+ if (nr_slots > 0) {
-
- shinfo = skb_shinfo(nskb);
- frags = shinfo->frags;
-
-- for (shinfo->nr_frags = 0; shinfo->nr_frags < frag_overflow;
-+ for (shinfo->nr_frags = 0; shinfo->nr_frags < nr_slots;
- shinfo->nr_frags++, txp++, gop++) {
- index = pending_index(queue->pending_cons++);
- pending_idx = queue->pending_ring[index];
-@@ -492,6 +492,11 @@ static void xenvif_get_requests(struct xenvif_queue *queue,
- }
-
- skb_shinfo(skb)->frag_list = nskb;
-+ } else if (nskb) {
-+ /* A frag_list skb was allocated but it is no longer needed
-+ * because enough slots were converted to copy ops above.
-+ */
-+ kfree_skb(nskb);
- }
-
- (*copy_ops) = cop - queue->tx_copy_ops;