openSUSE Build Service

Overview Repositories Revisions Requests Users Attributes Meta

File xsa239.patch of Package xen.5852

From: Jan Beulich <jbeulich@suse.com>
Subject: x86/HVM: prefill partially used variable on emulation paths

Certain handlers ignore the access size (vioapic_write() being the
example this was found with), perhaps leading to subsequent reads
seeing data that wasn't actually written by the guest. For
consistency and extra safety also do this on the read path of
hvm_process_io_intercept(), even if this doesn't directly affect what
guests get to see, as we've supposedly already dealt with read handlers
leaving data completely unitialized.

This is XSA-239.

Signed-off-by: Jan Beulich <jbeulich@suse.com>

Index: xen-4.7.3-testing/xen/arch/x86/hvm/emulate.c
===================================================================
--- xen-4.7.3-testing.orig/xen/arch/x86/hvm/emulate.c
+++ xen-4.7.3-testing/xen/arch/x86/hvm/emulate.c
@@ -108,7 +108,7 @@ static int hvmemul_do_io(
         .count = *reps,
         .dir = dir,
         .df = df,
-        .data = data,
+        .data = data_is_addr ? data : 0,
         .data_is_ptr = data_is_addr, /* ioreq_t field name is misleading */
         .state = STATE_IOREQ_READY,
     };
Index: xen-4.7.3-testing/xen/arch/x86/hvm/intercept.c
===================================================================
--- xen-4.7.3-testing.orig/xen/arch/x86/hvm/intercept.c
+++ xen-4.7.3-testing/xen/arch/x86/hvm/intercept.c
@@ -128,6 +128,7 @@ int hvm_process_io_intercept(const struc
             addr = (p->type == IOREQ_TYPE_COPY) ?
                    p->addr + step * i :
                    p->addr;
+            data = 0;
             rc = ops->read(handler, addr, p->size, &data);
             if ( rc != X86EMUL_OKAY )
                 break;
@@ -162,6 +163,7 @@ int hvm_process_io_intercept(const struc
         {
             if ( p->data_is_ptr )
             {
+                data = 0;
                 switch ( hvm_copy_from_guest_phys(&data, p->data + step * i,
                                                   p->size) )
                 {

Places

File xsa239.patch of Package xen.5852

Places