| commit | 6cdd454e81caa2f38222ca86cfa20061b7345e10 | [log] [tgz] |
|---|---|---|
| author | Jan Beulich <[email protected]> | Fri Jul 01 09:57:19 2022 +0200 |
| committer | Meena Shanmugam <[email protected]> | Sat Jul 16 03:50:00 2022 +0000 |
| tree | 3c98678592a4f20aaf8ce1c40bf5b38d6e8f1843 | |
| parent | 6150cfec353314bdc7a9d98a82963b469d9011ea [diff] |
xen-netfront: restore __skb_queue_tail() positioning in xennet_get_responses()
commit f63c2c2032c2e3caad9add3b82cc6e91c376fd26 upstream.
The commit referenced below moved the invocation past the "next" label,
without any explanation. In fact this allows misbehaving backends undue
control over the domain the frontend runs in, as earlier detected errors
require the skb to not be freed (it may be retained for later processing
via xennet_move_rx_slot(), or it may simply be unsafe to have it freed).
This is CVE-2022-33743 / XSA-405.
BUG=b/239161457
TEST=presubmit, validation
RELEASE_NOTE=Fixed CVE-2022-33743 in the Linux kernel.
Fixes: 6c5aa6fc4def ("xen networking: add basic XDP support for xen-netfront")
Signed-off-by: Jan Beulich <[email protected]>
Reviewed-by: Juergen Gross <[email protected]>
Signed-off-by: Juergen Gross <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
cos-patch: security-moderate
Change-Id: I210e4cd79812916dbffc3f726771ecad682a026c
Reviewed-on: https://cos-review.googlesource.com/c/third_party/kernel/+/34830
Tested-by: Cusky Presubmit Bot <[email protected]>
Reviewed-by: Oleksandr Tymoshenko <[email protected]>