[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[xen stable-4.18] libxl: Use zero-ed memory for PVH acpi tables



commit 5f29c8c89afa7023d8d64a99be0d5b86e9299713
Author:     Jason Andryuk <jason.andryuk@xxxxxxx>
AuthorDate: Tue Nov 12 13:54:00 2024 +0100
Commit:     Jan Beulich <jbeulich@xxxxxxxx>
CommitDate: Tue Nov 12 13:54:00 2024 +0100

    libxl: Use zero-ed memory for PVH acpi tables
    
    xl/libxl memory is leaking into a PVH guest through uninitialized
    portions of the ACPI tables.
    
    Use libxl_zalloc() to obtain zero-ed memory to avoid this issue.
    
    This is XSA-464 / CVE-2024-45819.
    
    Signed-off-by: Jason Andryuk <jason.andryuk@xxxxxxx>
    Fixes: 14c0d328da2b ("libxl/acpi: Build ACPI tables for HVMlite guests")
    Reviewed-by: Jan Beulich <jbeulich@xxxxxxxx>
    master commit: 0bfe567b58f1182889dea9207103fc9d00baf414
    master date: 2024-11-12 13:32:45 +0100
---
 tools/libs/light/libxl_x86_acpi.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/tools/libs/light/libxl_x86_acpi.c 
b/tools/libs/light/libxl_x86_acpi.c
index 5cf261bd67..2574ce2553 100644
--- a/tools/libs/light/libxl_x86_acpi.c
+++ b/tools/libs/light/libxl_x86_acpi.c
@@ -176,10 +176,11 @@ int libxl__dom_load_acpi(libxl__gc *gc,
         goto out;
     }
 
-    config.rsdp = (unsigned long)libxl__malloc(gc, libxl_ctxt.page_size);
-    config.infop = (unsigned long)libxl__malloc(gc, libxl_ctxt.page_size);
+    /* These are all copied into guest memory, so use zero-ed memory. */
+    config.rsdp = (unsigned long)libxl__zalloc(gc, libxl_ctxt.page_size);
+    config.infop = (unsigned long)libxl__zalloc(gc, libxl_ctxt.page_size);
     /* Pages to hold ACPI tables */
-    libxl_ctxt.buf = libxl__malloc(gc, NUM_ACPI_PAGES *
+    libxl_ctxt.buf = libxl__zalloc(gc, NUM_ACPI_PAGES *
                                    libxl_ctxt.page_size);
 
     /*
--
generated by git-patchbot for /home/xen/git/xen.git#stable-4.18



 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.