[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-devel] [PATCH 08/11] tmem: properly drop lock on error path in do_tmem_op()

This is part of XSA-15 / CVE-2012-3497.

Reported-by: Tim Deegan <tim@xxxxxxx>
Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
Acked-by: Dan Magenheimer <dan.magenheimer@xxxxxxxxxx>

--- a/xen/common/tmem.c
+++ b/xen/common/tmem.c
@@ -2659,13 +2659,19 @@ EXPORT long do_tmem_op(tmem_cli_op_t uop
     if ( client != NULL && tmh_client_is_dying(client) )
     {
         rc = -ENODEV;
-        goto out;
+        if ( tmh_lock_all )
+            goto out;
+ simple_error:
+        errored_tmem_ops++;
+        return rc;
     }
 
     if ( unlikely(tmh_get_tmemop_from_client(&op, uops) != 0) )
     {
         printk("tmem: can't get tmem struct from %s\n",client_str);
         rc = -EFAULT;
+        if ( !tmh_lock_all )
+            goto simple_error;
         goto out;
     }

Attachment: tmem-xsa-15-8.patch
Description: Text document

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.