File xsa464.patch of Package xen.36362

Overview Repositories Revisions Requests Users Attributes Meta

File xsa464.patch of Package xen.36362

From: Hidden Author <security@xenproject.org>
Subject: libxl: Use zero-ed memory for PVH acpi tables

xl/libxl memory is leaking into a PVH guest through uninitialized
portions of the ACPI tables.

Use libxl_zalloc() to obtain zero-ed memory to avoid this issue.

This is XSA-464 / CVE-2024-45819.

Fixes: 14c0d328da2b ("libxl/acpi: Build ACPI tables for HVMlite guests")
Reviewed-by: Jan Beulich <jbeulich@suse.com>

--- a/tools/libxl/libxl_x86_acpi.c
+++ b/tools/libxl/libxl_x86_acpi.c
@@ -178,10 +178,11 @@ int libxl__dom_load_acpi(libxl__gc *gc,
         goto out;
     }
 
-    config.rsdp = (unsigned long)libxl__malloc(gc, libxl_ctxt.page_size);
-    config.infop = (unsigned long)libxl__malloc(gc, libxl_ctxt.page_size);
+    /* These are all copied into guest memory, so use zero-ed memory. */
+    config.rsdp = (unsigned long)libxl__zalloc(gc, libxl_ctxt.page_size);
+    config.infop = (unsigned long)libxl__zalloc(gc, libxl_ctxt.page_size);
     /* Pages to hold ACPI tables */
-    libxl_ctxt.buf = libxl__malloc(gc, NUM_ACPI_PAGES *
+    libxl_ctxt.buf = libxl__zalloc(gc, NUM_ACPI_PAGES *
                                    libxl_ctxt.page_size);
 
     /*

Places

File xsa464.patch of Package xen.36362

Places