[Xen-devel] [PATCH linux-2.6.18] xen: mark pvscsi frontend request consumed only after last read
A request in the ring buffer mustn't be read after it has been marked as consumed. Otherwise it might already have been reused by the frontend without violating the ring protocol. To avoid inconsistencies in the backend only work on a private copy of the request. This will ensure a malicious guest not being able to bypass consistency checks of the backend by modifying an active request. Signed-off-by: Juergen Gross <jgross@xxxxxxxx> diff -r 578e5aea3cbb drivers/xen/scsiback/scsiback.c --- a/drivers/xen/scsiback/scsiback.c Mon Jan 19 11:51:46 2015 +0100 +++ b/drivers/xen/scsiback/scsiback.c Fri Jan 30 14:43:29 2015 +0100 @@ -579,7 +579,7 @@ invalid_value: static int _scsiback_do_cmd_fn(struct vscsibk_info *info) { struct vscsiif_back_ring *ring = &info->ring; - vscsiif_request_t *ring_req; + vscsiif_request_t ring_req; pending_req_t *pending_req; RING_IDX rc, rp; @@ -609,10 +609,10 @@ static int _scsiback_do_cmd_fn(struct vs break; } - ring_req = RING_GET_REQUEST(ring, rc); + ring_req = *RING_GET_REQUEST(ring, rc); ring->req_cons = ++rc; - err = prepare_pending_reqs(info, ring_req, + err = prepare_pending_reqs(info, &ring_req, pending_req); switch (err ?: pending_req->act) { case VSCSIIF_ACT_SCSI_CDB: _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxx http://lists.xen.org/xen-devel
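Review bot: in the first hunk (the declaration at the top of _scsiback_do_cmd_fn), ring_req stops being a pointer into the ring and becomes a whole vscsiif_request_t on the kernel stack, but it keeps a name that still reads as a ring slot. Renaming it, or adding a one-line comment that this is the backend's private copy and must not be replaced by a ring pointer, would make it harder for a later change to reintroduce direct ring access. It is also worth confirming that the structure is small enough for this function's stack frame.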
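Review bot: in the second hunk, the copy "ring_req = *RING_GET_REQUEST(ring, rc);" is a plain structure assignment from memory the frontend can still write, and nothing visible in the hunk stops the compiler from eliding the local copy and fetching fields from the shared page again once prepare_pending_reqs() is inlined. A barrier() directly after the assignment, before "ring->req_cons = ++rc;", would make the read-once property the commit message relies on hold at the compiler level as well. A short comment at the copy explaining why the request is duplicated would also help.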