• Roger Pau Monne's avatar
    xen: fix bio vec merging · c1cee606
    Roger Pau Monne authored
    commit 462cdace upstream.
    
    The current test for bio vec merging is not fully accurate and can be
    tricked into merging bios when certain grant combinations are used.
    The result of these malicious bio merges is a bio that extends past
    the memory page used by any of the originating bios.
    
    Take into account the following scenario, where a guest creates two
    grant references that point to the same mfn, ie: grant 1 -> mfn A,
    grant 2 -> mfn A.
    
    These references are then used in a PV block request, and mapped by
    the backend domain, thus obtaining two different pfns that point to
    the same mfn, pfn B -> mfn A, pfn C -> mfn A.
    
    If those grants happen to be used in two consecutive sectors of a disk
    IO operation becoming two different bios in the backend domain, the
    checks in xen_biovec_phys_mergeable will succeed, because bfn1 == bfn2
    (they both point to the same mfn). However due to the bio merging,
    the backend domain will end up with a bio that expands past mfn A into
    mfn A + 1.
    
    Fix this by making sure the check in xen_biovec_phys_mergeable takes
    into account the offset and the length of the bio, this basically
    replicates whats done in __BIOVEC_PHYS_MERGEABLE using mfns (bus
    addresses). While there also remove the usage of
    __BIOVEC_PHYS_MERGEABLE, since that's already checked by the callers
    of xen_biovec_phys_mergeable.
    Reported-by: default avatar"Jan H. Schönherr" <jschoenh@amazon.de>
    Signed-off-by: default avatarRoger Pau Monné <roger.pau@citrix.com>
    Reviewed-by: default avatarJuergen Gross <jgross@suse.com>
    Signed-off-by: default avatarKonrad Rzeszutek Wilk <konrad.wilk@oracle.com>
    Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
    c1cee606
biomerge.c 585 Bytes