Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

Merge tag 'xsa48x-7.1-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip

Pull xen fixes from Juergen Gross:
"XSA-485 and XSA-487 security patches"

* tag 'xsa48x-7.1-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip:
xen/privcmd: fix double free via VMA splitting
Buffer overflow in drivers/xen/sys-hypervisor.c

+13 -2
+7
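--- a/drivers/xen/privcmd.c
+++ b/drivers/xen/privcmd.c
@@ -1620,6 +1620,12 @@
 kvfree(pages);
 }
 
+static int privcmd_may_split(struct vm_area_struct *area, unsigned long addr)
+{
+/* Forbid splitting, avoids double free via privcmd_close(). */
+return -EINVAL;
+}
+
 static vm_fault_t privcmd_fault(struct vm_fault *vmf)
 {
 printk(KERN_DEBUG "privcmd_fault: vma=%p %lx-%lx, pgoff=%lx, uv=%p\n",
@@ -1631,6 +1637,7 @@
 
 static const struct vm_operations_struct privcmd_vm_ops = {
 .close = privcmd_close,
+.may_split = privcmd_may_split,
 .fault = privcmd_fault
 };
 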
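Review bot: The comment in `privcmd_may_split()` names the symptom but not the ownership rule behind it, nor the behaviour change userspace will see. The visible tail of `privcmd_close()` ends in `kvfree(pages)`, so presumably each VMA produced by a split would run that free on the same page array; the rest of `privcmd_close()` is outside the hunk, so this should be confirmed there. I would expand the comment to something like `/* The pages array is owned by exactly one VMA and freed in privcmd_close(); a split would create a second owner. Operations that need to split the mapping now fail with -EINVAL. */`. It would also help to state, next to `privcmd_vm_ops`, which mmap-time VMA flags keep the mapping from being duplicated by other paths, since that is part of the same single-owner invariant.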
+6 -2
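--- a/drivers/xen/sys-hypervisor.c
+++ b/drivers/xen/sys-hypervisor.c
@@ -366,6 +366,8 @@
 ret = sprintf(buffer, "<denied>");
 return ret;
 }
+if (ret > PAGE_SIZE)
+return -ENOSPC;
 
 buildid = kmalloc(sizeof(*buildid) + ret, GFP_KERNEL);
 if (!buildid)
@@ -373,8 +375,10 @@
 
 buildid->len = ret;
 ret = HYPERVISOR_xen_version(XENVER_build_id, buildid);
-if (ret > 0)
-ret = sprintf(buffer, "%s", buildid->buf);
+if (ret > 0) {
+/* Build id is binary, not a string. */
+memcpy(buffer, buildid->buf, ret);
+}
 kfree(buildid);
 
 return ret;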
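Review bot: The length given to `memcpy(buffer, buildid->buf, ret)` is the return value of the second `HYPERVISOR_xen_version()` call, and nothing compares it with the size that was checked against `PAGE_SIZE` and used for the `kmalloc()`. If the two calls ever disagree, the copy would read past the allocation and could write past the sysfs buffer. Whether the hypervisor can return a larger value on the second call is not visible here, so treat this as defence in depth. I would bound it by the allocated size before copying, e.g. `if (ret > buildid->len) ret = -ENOSPC; else if (ret > 0) memcpy(buffer, buildid->buf, ret);`. The enclosing function starts above the hunk, so the handling of negative `ret` before the `PAGE_SIZE` comparison should be confirmed there.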