[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-changelog] [xen stable-4.6] x86/HVM: prefill partially used variable on emulation paths

commit e0353b455ce8af495c8fe379d6c6832cb7f87651
Author:     Jan Beulich <jbeulich@xxxxxxxx>
AuthorDate: Thu Oct 12 15:37:57 2017 +0200
Commit:     Jan Beulich <jbeulich@xxxxxxxx>
CommitDate: Thu Oct 12 15:37:57 2017 +0200

    x86/HVM: prefill partially used variable on emulation paths
    
    Certain handlers ignore the access size (vioapic_write() being the
    example this was found with), perhaps leading to subsequent reads
    seeing data that wasn't actually written by the guest. For
    consistency and extra safety also do this on the read path of
    hvm_process_io_intercept(), even if this doesn't directly affect what
    guests get to see, as we've supposedly already dealt with read handlers
    leaving data completely unitialized.
    
    This is XSA-239.
    
    Reported-by: Roger Pau Monné <roger.pau@xxxxxxxxxx>
    Reviewed-by: Roger Pau Monné <roger.pau@xxxxxxxxxx>
    Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
    master commit: 0d4732ac29b63063764c29fa3bd8946daf67d6f3
    master date: 2017-10-12 14:43:26 +0200
---
 xen/arch/x86/hvm/emulate.c   | 2 +-
 xen/arch/x86/hvm/intercept.c | 2 ++
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/xen/arch/x86/hvm/emulate.c b/xen/arch/x86/hvm/emulate.c
index e230549..af14e2f 100644
--- a/xen/arch/x86/hvm/emulate.c
+++ b/xen/arch/x86/hvm/emulate.c
@@ -106,7 +106,7 @@ static int hvmemul_do_io(
         .count = *reps,
         .dir = dir,
         .df = df,
-        .data = data,
+        .data = data_is_addr ? data : 0,
         .data_is_ptr = data_is_addr, /* ioreq_t field name is misleading */
         .state = STATE_IOREQ_READY,
     };
diff --git a/xen/arch/x86/hvm/intercept.c b/xen/arch/x86/hvm/intercept.c
index 3a7a7dd..d4ecf65 100644
--- a/xen/arch/x86/hvm/intercept.c
+++ b/xen/arch/x86/hvm/intercept.c
@@ -128,6 +128,7 @@ int hvm_process_io_intercept(const struct hvm_io_handler 
*handler,
             addr = (p->type == IOREQ_TYPE_COPY) ?
                    p->addr + step * i :
                    p->addr;
+            data = 0;
             rc = ops->read(handler, addr, p->size, &data);
             if ( rc != X86EMUL_OKAY )
                 break;
@@ -164,6 +165,7 @@ int hvm_process_io_intercept(const struct hvm_io_handler 
*handler,
         {
             if ( p->data_is_ptr )
             {
+                data = 0;
                 switch ( hvm_copy_from_guest_phys(&data, p->data + step * i,
                                                   p->size) )
                 {
--
generated by git-patchbot for /home/xen/git/xen.git#stable-4.6


_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxx
https://lists.xenproject.org/xen-changelog

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.