
[Xen-changelog] [xen stable-4.5] x86/HVM: prefill partially used variable on emulation paths



commit 03b06d38c785ec89817a608470b443d8de2e1b9e
Author:     Jan Beulich <jbeulich@xxxxxxxx>
AuthorDate: Thu Oct 12 16:04:34 2017 +0200
Commit:     Jan Beulich <jbeulich@xxxxxxxx>
CommitDate: Thu Oct 12 16:04:34 2017 +0200

    x86/HVM: prefill partially used variable on emulation paths
    
    Certain handlers ignore the access size (vioapic_write() being the
    example this was found with), perhaps leading to subsequent reads
    seeing data that wasn't actually written by the guest. For
    consistency and extra safety also do this on the read path of
    hvm_process_io_intercept(), even if this doesn't directly affect what
    guests get to see, as we've supposedly already dealt with read handlers
    leaving data completely uninitialized.
    
    This is XSA-239.
    
    Reported-by: Roger Pau Monné <roger.pau@xxxxxxxxxx>
    Reviewed-by: Roger Pau Monné <roger.pau@xxxxxxxxxx>
    Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
    master commit: 0d4732ac29b63063764c29fa3bd8946daf67d6f3
    master date: 2017-10-12 14:43:26 +0200
---
 xen/arch/x86/hvm/intercept.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/xen/arch/x86/hvm/intercept.c b/xen/arch/x86/hvm/intercept.c
index 4c9b170..f2d7b44 100644
--- a/xen/arch/x86/hvm/intercept.c
+++ b/xen/arch/x86/hvm/intercept.c
@@ -55,6 +55,7 @@ static int hvm_mmio_access(struct vcpu *v,
     {
         if ( p->dir == IOREQ_READ )
         {
+            data = 0;
             if ( vio->mmio_retrying )
             {
                 if ( vio->mmio_large_read_bytes != p->size )
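Review bot: the commit message says the read-path prefill is done in hvm_process_io_intercept(), but this hunk's header shows hvm_mmio_access(), and the other read-path hunks are in hvm_mmio_access() and process_portio_intercept(). For the stable-4.5 backport the message should name the functions actually touched, so that someone auditing XSA-239 on this branch can match the description to the code.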
@@ -76,6 +77,7 @@ static int hvm_mmio_access(struct vcpu *v,
     {
         for ( i = 0; i < p->count; i++ )
         {
+            data = 0;
             if ( vio->mmio_retrying )
             {
                 if ( vio->mmio_large_read_bytes != p->size )
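Review bot: the `data = 0;` at the top of this loop body has no comment, and on a read path it looks like a redundant store that a later cleanup could drop. A one-line comment stating that handlers may ignore the access size, so data must not carry bytes over from an earlier iteration, would protect it. Placing the reset inside the loop rather than at the declaration is the right choice for that reason.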
@@ -124,6 +126,7 @@ static int hvm_mmio_access(struct vcpu *v,
     {
         for ( i = 0; i < p->count; i++ )
         {
+            data = 0;
             switch ( hvm_copy_from_guest_phys(&data, p->data + step * i,
                                               p->size) )
             {
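Review bot: the prefill ahead of hvm_copy_from_guest_phys(&data, ..., p->size) addresses the symptom at the caller, but the cause given in the commit message, handlers such as vioapic_write() ignoring the access size, is left in place. Since the copy only fills p->size bytes of data, the zeroing is needed here regardless; it would still help to note in the message whether the size-ignoring handlers are to be fixed separately, or to state that callers are now required to pass zero-extended values.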
@@ -222,6 +225,7 @@ static int process_portio_intercept(portio_action_t action, 
ioreq_t *p)
     {
         if ( p->dir == IOREQ_READ )
         {
+            data = 0;
             if ( vio->mmio_retrying )
             {
                 if ( vio->mmio_large_read_bytes != p->size )
@@ -246,6 +250,7 @@ static int process_portio_intercept(portio_action_t action, 
ioreq_t *p)
     {
         for ( i = 0; i < p->count; i++ )
         {
+            data = 0;
             if ( vio->mmio_retrying )
             {
                 if ( vio->mmio_large_read_bytes != p->size )
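Review bot: both process_portio_intercept() hunks place the prefill ahead of the vio->mmio_retrying / mmio_large_read_bytes check, the same shape as the read hunks in hvm_mmio_access(), and the patch has no counterpart here to the hvm_copy_from_guest_phys() hunk. If the port I/O write loop already zeroes data before its copy from the guest, a sentence saying so in the commit message would close the question; if it does not, it needs the same `data = 0;`.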
--
generated by git-patchbot for /home/xen/git/xen.git#stable-4.5

_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxx
https://lists.xenproject.org/xen-changelog
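The effect described in the commit message above, as an added stand-alone model that is not Xen code: a loop copies `size` bytes into a wider variable and passes it to a handler that ignores the size. All names (`handler_write`, `emulate_rep_write`, `sample_guest`, `reg`) and values are hypothetical, and a little-endian host is assumed.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: two bytes a guest asks to write. */
static const uint8_t sample_guest[] = { 0x11, 0x22 };

/* Hypothetical stand-in for a device register. */
static uint64_t reg;

/* Hypothetical handler that ignores the access size and stores the
 * whole value it is handed. */
static void handler_write(uint64_t val, unsigned int size)
{
    (void)size;
    reg = val;
}

/* Simplified model of a repeated write: each element is `size` bytes,
 * copied into the wider `data` before the handler is called.
 * Returns the register content after the last element. */
static uint64_t emulate_rep_write(const uint8_t *guest, unsigned int size,
                                  unsigned int count, int prefill)
{
    uint64_t data = 0xdeadbeefcafef00dULL; /* constructed stale content */
    unsigned int i;

    for ( i = 0; i < count; i++ )
    {
        if ( prefill )
            data = 0;                       /* the line the patch adds */
        memcpy(&data, guest + size * i, size); /* fills `size` bytes only */
        handler_write(data, size);
    }
    return reg;
}

int main(void)
{
    printf("no prefill: %#" PRIx64 "\n",
           emulate_rep_write(sample_guest, 1, 2, 0));
    printf("prefill:    %#" PRIx64 "\n",
           emulate_rep_write(sample_guest, 1, 2, 1));
    return 0;
}
```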
