On 30.07.21 12:38, Juergen Gross wrote:
> Xen backends of para-virtualized devices can live in dom0 kernel, dom0
> user land, or in a driver domain. This means that a backend might
> reside in a less trusted environment than the Xen core components, so
> a backend should not be able to do harm to a Xen guest (it can still
> mess up I/O data, but it shouldn't be able to e.g. crash a guest by
> other means or cause a privilege escalation in the guest).
>
> Unfortunately blkfront in the Linux kernel is fully trusting its
> backend. This series is fixing blkfront in this regard.
>
> It was discussed to handle this as a security problem, but the topic
> was discussed in public before, so it isn't a real secret.
>
> It should be mentioned that a similar series has been posted some years
> ago by Marek Marczykowski-Górecki, but this series has not been applied
> due to a Xen header not having been available in the Xen git repo at
> that time. Additionally my series is fixing some more DoS cases.
>
> Changes in V3:
> - patch 3: insert missing unlock in error case (kernel test robot)
> - patch 3: use %#x as format for printing wrong operation value
> (Roger Pau Monné)
>
> Changes in V2:
> - put blkfront patches into own series
> - some minor comments addressed
>
> Juergen Gross (3):
> xen/blkfront: read response from backend only once
> xen/blkfront: don't take local copy of a request from the ring page
> xen/blkfront: don't trust the backend response data blindly
>
> drivers/block/xen-blkfront.c | 126 +++++++++++++++++++++++------------
> 1 file changed, 84 insertions(+), 42 deletions(-)
>
Series pushed to xen/tip.git for-linus-5.15
Juergen