|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [Xen-changelog] [xen stable-4.13] xen/x86: domctl: Don't leak data via XEN_DOMCTL_gethvmcontext
commit 14828076057572f99fd66acd3f9e122cfcffb03a
Author: Julien Grall <jgrall@xxxxxxxxxx>
AuthorDate: Thu Mar 5 10:58:58 2020 +0100
Commit: Jan Beulich <jbeulich@xxxxxxxx>
CommitDate: Thu Mar 5 10:58:58 2020 +0100
xen/x86: domctl: Don't leak data via XEN_DOMCTL_gethvmcontext
The HVM context may not fill up the full buffer passed by the caller.
While we report corectly the size of the context, we will still be
copying back the full size of the buffer.
As the buffer is allocated through xmalloc(), we will be copying some
bits from the previous allocation.
Only copy back the part of the buffer used by the HVM context to prevent
any leak.
Note that per XSA-72, this is not a security issue.
Signed-off-by: Julien Grall <jgrall@xxxxxxxxxx>
Reviewed-by: Jan Beulich <jbeulich@xxxxxxxx>
master commit: 41d8869003e96d8b7250ad1d0246371d6929aca6
master date: 2020-01-31 18:51:38 +0000
---
xen/arch/x86/domctl.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/xen/arch/x86/domctl.c b/xen/arch/x86/domctl.c
index b461aadbd6..7aed545d2d 100644
--- a/xen/arch/x86/domctl.c
+++ b/xen/arch/x86/domctl.c
@@ -538,7 +538,7 @@ long arch_do_domctl(
domain_unpause(d);
domctl->u.hvmcontext.size = c.cur;
- if ( copy_to_guest(domctl->u.hvmcontext.buffer, c.data, c.size) != 0 )
+ if ( copy_to_guest(domctl->u.hvmcontext.buffer, c.data, c.cur) != 0 )
ret = -EFAULT;
gethvmcontext_out:
--
generated by git-patchbot for /home/xen/git/xen.git#stable-4.13
_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/xen-changelog
|
 |
Lists.xenproject.org is hosted with RackSpace, monitoring our |