[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-changelog] [xen master] xen/x86: domctl: Don't leak data via XEN_DOMCTL_gethvmcontext

commit 41d8869003e96d8b7250ad1d0246371d6929aca6
Author:     Julien Grall <jgrall@xxxxxxxxxx>
AuthorDate: Mon Jan 27 13:34:12 2020 +0000
Commit:     Julien Grall <julien@xxxxxxx>
CommitDate: Fri Jan 31 18:51:38 2020 +0000

    xen/x86: domctl: Don't leak data via XEN_DOMCTL_gethvmcontext
    The HVM context may not fill up the full buffer passed by the caller.
    While we report corectly the size of the context, we will still be
    copying back the full size of the buffer.
    As the buffer is allocated through xmalloc(), we will be copying some
    bits from the previous allocation.
    Only copy back the part of the buffer used by the HVM context to prevent
    any leak.
    Note that per XSA-72, this is not a security issue.
    Signed-off-by: Julien Grall <jgrall@xxxxxxxxxx>
    Reviewed-by: Jan Beulich <jbeulich@xxxxxxxx>
 xen/arch/x86/domctl.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/xen/arch/x86/domctl.c b/xen/arch/x86/domctl.c
index 5ed63ac10a..4fa9c91140 100644
--- a/xen/arch/x86/domctl.c
+++ b/xen/arch/x86/domctl.c
@@ -540,7 +540,7 @@ long arch_do_domctl(
         domctl->u.hvmcontext.size = c.cur;
-        if ( copy_to_guest(domctl->u.hvmcontext.buffer, c.data, c.size) != 0 )
+        if ( copy_to_guest(domctl->u.hvmcontext.buffer, c.data, c.cur) != 0 )
             ret = -EFAULT;
generated by git-patchbot for /home/xen/git/xen.git#master

Xen-changelog mailing list



Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.