From 23260e589e52ec83349f22198eab2331b5a1684e Mon Sep 17 00:00:00 2001
From: Matthew Daley <mattjd@gmail.com>
Date: Wed, 25 Sep 2013 12:28:47 +1200
Subject: [PATCH] xen_disk: mark ioreq as mapped before unmapping in error
 case

Commit c6961b7d ("xen_disk: use bdrv_aio_flush instead of bdrv_flush")
modified the semantics of ioreq_{un,}map so that they are idempotent if
called when they're not needed (ie., twice in a row). However, it neglected
to handle the case where batch mapping is not being used (the default), and
one of the grants fails to map. In this case, ioreq_unmap will be called to
unwind and unmap any mappings already performed, but ioreq_unmap simply
returns due to the aforementioned change (the ioreq has not already been
marked as mapped).

The frontend user can therefore force xen_disk to leak grant mappings, a
per-backend-domain limited resource.

Fix by marking the ioreq as mapped before calling ioreq_unmap in this
situation.

This is XSA-71 / CVE-2013-4375

Signed-off-by: Matthew Daley <mattjd@gmail.com>
---
 hw/xen_disk.c |    1 +
 1 file changed, 1 insertion(+)

diff -ur xen-4.3.0.orig/tools/qemu-xen-traditional/hw/xen_disk.c xen-4.3.0/tools/qemu-xen-traditional/hw/xen_disk.c
--- tools/qemu-xen-traditional/hw/xen_disk.c	2013-06-18 00:39:51.000000000 +0800
+++ tools/qemu-xen-traditional/hw/xen_disk.c	2013-11-06 11:05:44.977888267 +0800
@@ -298,6 +298,7 @@
 		xen_be_printf(&ioreq->blkdev->xendev, 0,
 			      "can't map grant ref %d (%s, %d maps)\n",
 			      ioreq->refs[i], strerror(errno), ioreq->blkdev->cnt_map);
+		ioreq->mapped = 1;
 		ioreq_unmap(ioreq);
 		return -1;
 	    }