From 13e7fe4c938f92933c6aa89e416e3085b13a22c7 Mon Sep 17 00:00:00 2001 From: Julien Grall Date: Tue, 25 Jan 2022 13:42:53 +0100 Subject: [PATCH] passthrough/x86: stop pirq iteration immediately in case of error MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit pt_pirq_iterate() will iterate in batch over all the PIRQs. The outer loop will bail out if 'rc' is non-zero but the inner loop will continue. This means 'rc' will get clobbered and we may miss any errors (such as -ERESTART in the case of the callback pci_clean_dpci_irq()). This is CVE-2022-23035 / XSA-395. Fixes: c24536b636f2 ("replace d->nr_pirqs sized arrays with radix tree") Fixes: f6dd295381f4 ("dpci: replace tasklet with softirq") Signed-off-by: Julien Grall Signed-off-by: Jan Beulich Reviewed-by: Roger Pau Monné master commit: 9480a1a519cf016623f657dc544cb372a82b5708 master date: 2022-01-25 13:27:02 +0100 --- xen/drivers/passthrough/x86/hvm.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/xen/drivers/passthrough/x86/hvm.c b/xen/drivers/passthrough/x86/hvm.c index a6e2863c14..9544f3234e 100644 --- a/xen/drivers/passthrough/x86/hvm.c +++ b/xen/drivers/passthrough/x86/hvm.c @@ -810,7 +810,11 @@ int pt_pirq_iterate(struct domain *d, pirq = pirqs[i]->pirq; if ( (pirq_dpci->flags & HVM_IRQ_DPCI_MAPPED) ) + { rc = cb(d, pirq_dpci, arg); + if ( rc ) + break; + } } } while ( !rc && ++pirq < d->nr_pirqs && n == ARRAY_SIZE(pirqs) ); -- 2.39.5
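Review bot: The added `if ( rc ) break;` inside the `HVM_IRQ_DPCI_MAPPED` branch only leaves the inner batch loop, so ending the whole iteration still depends on the `!rc` test at the front of `while ( !rc && ++pirq < d->nr_pirqs && n == ARRAY_SIZE(pirqs) )`. A short comment at the break saying that would keep a later reorder of that condition from reintroducing the clobbered `rc` the commit message describes. The check also treats any non-zero return from `cb`, positive values included, as a stop, and callbacks for later mapped PIRQs are no longer invoked once one fails. The contract for `cb` (zero to continue, non-zero stops the iteration with that value left in `rc`, for example `-ERESTART` from `pci_clean_dpci_irq()`) is worth documenting in a comment on `pt_pirq_iterate()`.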