From mboxrd@z Thu Jan  1 00:00:00 1970
From: Arnd Bergmann <arnd@arndb.de>
Subject: [PATCH] xen: hypercall: fix out-of-bounds memcpy
Date: Fri,  2 Feb 2018 16:32:31 +0100
Message-ID: <20180202153240.1190361-1-arnd__23615.1559315205$1517585546$gmane$org@arndb.de>
Mime-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
Return-path: <xen-devel-bounces@lists.xenproject.org>
Received: from us1-rack-dfw2.inumbo.com ([104.130.134.6])
 by lists.xenproject.org with esmtp (Exim 4.84_2)
 (envelope-from <srs0=0qa5=e4=arndb.de=arnd@srs-us1.protection.inumbo.net>)
 id 1ehdKo-0007O2-9g
 for xen-devel@lists.xenproject.org; Fri, 02 Feb 2018 15:33:02 +0000
List-Unsubscribe: <https://lists.xenproject.org/mailman/options/xen-devel>,
 <mailto:xen-devel-request@lists.xenproject.org?subject=unsubscribe>
List-Post: <mailto:xen-devel@lists.xenproject.org>
List-Help: <mailto:xen-devel-request@lists.xenproject.org?subject=help>
List-Subscribe: <https://lists.xenproject.org/mailman/listinfo/xen-devel>,
 <mailto:xen-devel-request@lists.xenproject.org?subject=subscribe>
Errors-To: xen-devel-bounces@lists.xenproject.org
Sender: "Xen-devel" <xen-devel-bounces@lists.xenproject.org>
To: Boris Ostrovsky <boris.ostrovsky@oracle.com>, Juergen Gross <jgross@suse.com>
Cc: Andi Kleen <ak@linux.intel.com>, Arnd Bergmann <arnd@arndb.de>, Nicolas Pitre <nico@linaro.org>, linux-kernel@vger.kernel.org, Jan Beulich <jbeulich@suse.com>, xen-devel@lists.xenproject.org, Dan Carpenter <dan.carpenter@oracle.com>
List-Id: xen-devel@lists.xenproject.org

VGhlIGxlZ2FjeSBoeXBlcmNhbGwgaGFuZGxlcnMgd2VyZSBvcmlnaW5hbGx5IGFkZGVkIHdpdGgK
YSBjb21tZW50IGV4cGxhaW5pbmcgdGhhdCAiY29weWluZyB0aGUgYXJndW1lbnQgc3RydWN0dXJl
cyBpbgpIWVBFUlZJU09SX2V2ZW50X2NoYW5uZWxfb3AoKSBhbmQgSFlQRVJWSVNPUl9waHlzZGV2
X29wKCkgaW50byB0aGUgbG9jYWwKdmFyaWFibGUgaXMgc3VmZmljaWVudGx5IHNhZmUiIGFuZCBv
bmx5IG1hZGUgc3VyZSB0byBub3Qgd3JpdGUKcGFzdCB0aGUgZW5kIG9mIHRoZSBhcmd1bWVudCBz
dHJ1Y3R1cmUsIHRoZSBjaGVja3MgaW4gbGludXgvc3RyaW5nLmgKZGlzYWdyZWUgd2l0aCB0aGF0
LCB3aGVuIGxpbmstdGltZSBvcHRpbWl6YXRpb25zIGFyZSB1c2VkOgoKSW4gZnVuY3Rpb24gJ21l
bWNweScsCiAgICBpbmxpbmVkIGZyb20gJ3BpcnFfcXVlcnlfdW5tYXNrJyBhdCBkcml2ZXJzL3hl
bi9mYWxsYmFjay5jOjUzOjIsCiAgICBpbmxpbmVkIGZyb20gJ19fc3RhcnR1cF9waXJxJyBhdCBk
cml2ZXJzL3hlbi9ldmVudHMvZXZlbnRzX2Jhc2UuYzo1Mjk6MiwKICAgIGlubGluZWQgZnJvbSAn
cmVzdG9yZV9waXJxcycgYXQgZHJpdmVycy94ZW4vZXZlbnRzL2V2ZW50c19iYXNlLmM6MTQzOToz
LAogICAgaW5saW5lZCBmcm9tICd4ZW5faXJxX3Jlc3VtZScgYXQgZHJpdmVycy94ZW4vZXZlbnRz
L2V2ZW50c19iYXNlLmM6MTU4MToyOgppbmNsdWRlL2xpbnV4L3N0cmluZy5oOjM1MDozOiBlcnJv
cjogY2FsbCB0byAnX19yZWFkX292ZXJmbG93MicgZGVjbGFyZWQgd2l0aCBhdHRyaWJ1dGUgZXJy
b3I6IGRldGVjdGVkIHJlYWQgYmV5b25kIHNpemUgb2Ygb2JqZWN0IHBhc3NlZCBhcyAybmQgcGFy
YW1ldGVyCiAgIF9fcmVhZF9vdmVyZmxvdzIoKTsKICAgXgptYWtlWzNdOiAqKiogW2NjTHVqRk54
Lmx0cmFuczE1Lmx0cmFucy5vXSBFcnJvciAxCm1ha2VbM106IFRhcmdldCAnYWxsJyBub3QgcmVt
YWRlIGJlY2F1c2Ugb2YgZXJyb3JzLgpsdG8td3JhcHBlcjogZmF0YWwgZXJyb3I6IG1ha2UgcmV0
dXJuZWQgMiBleGl0IHN0YXR1cwpjb21waWxhdGlvbiB0ZXJtaW5hdGVkLgpsZDogZXJyb3I6IGx0
by13cmFwcGVyIGZhaWxlZAoKVGhpcyBjaGFuZ2VzIHRoZSBmdW5jdGlvbnMgc28gdGhhdCBlYWNo
IGFyZ3VtZW50IGlzIGFjY2Vzc2VkIHdpdGgKZXhhY3RseSB0aGUgY29ycmVjdCBsZW5ndGggYmFz
ZWQgb24gdGhlIGNvbW1hbmQgY29kZS4KCkZpeGVzOiBjZjQ3YTgzZmIwNmUgKCJ4ZW4vaHlwZXJj
YWxsOiBmaXggaHlwZXJjYWxsIGZhbGxiYWNrIGNvZGUgZm9yIHZlcnkgb2xkIGh5cGVydmlzb3Jz
IikKU2lnbmVkLW9mZi1ieTogQXJuZCBCZXJnbWFubiA8YXJuZEBhcm5kYi5kZT4KLS0tCiBkcml2
ZXJzL3hlbi9mYWxsYmFjay5jIHwgOTQgKysrKysrKysrKysrKysrKysrKysrKysrKysrKy0tLS0t
LS0tLS0tLS0tLS0tLS0tLS0KIDEgZmlsZSBjaGFuZ2VkLCA1MyBpbnNlcnRpb25zKCspLCA0MSBk
ZWxldGlvbnMoLSkKCmRpZmYgLS1naXQgYS9kcml2ZXJzL3hlbi9mYWxsYmFjay5jIGIvZHJpdmVy
cy94ZW4vZmFsbGJhY2suYwppbmRleCBiMDRmYjY0YzVhOTEuLmVkZWQ4ZGQ4MjFhZCAxMDA2NDQK
LS0tIGEvZHJpdmVycy94ZW4vZmFsbGJhY2suYworKysgYi9kcml2ZXJzL3hlbi9mYWxsYmFjay5j
CkBAIC03LDc1ICs3LDg3IEBACiAKIGludCB4ZW5fZXZlbnRfY2hhbm5lbF9vcF9jb21wYXQoaW50
IGNtZCwgdm9pZCAqYXJnKQogewotCXN0cnVjdCBldnRjaG5fb3Agb3A7CisJc3RydWN0IGV2dGNo
bl9vcCBvcCA9IHsgLmNtZCA9IGNtZCwgfTsKKwlzaXplX3QgbGVuOwogCWludCByYzsKIAotCW9w
LmNtZCA9IGNtZDsKLQltZW1jcHkoJm9wLnUsIGFyZywgc2l6ZW9mKG9wLnUpKTsKLQlyYyA9IF9o
eXBlcmNhbGwxKGludCwgZXZlbnRfY2hhbm5lbF9vcF9jb21wYXQsICZvcCk7Ci0KIAlzd2l0Y2gg
KGNtZCkgeworCWNhc2UgRVZUQ0hOT1BfYmluZF9pbnRlcmRvbWFpbjoKKwkJbGVuID0gc2l6ZW9m
KHN0cnVjdCBldnRjaG5fYmluZF9pbnRlcmRvbWFpbik7CisJCWJyZWFrOworCWNhc2UgRVZUQ0hO
T1BfYmluZF92aXJxOgorCQlsZW4gPSBzaXplb2Yoc3RydWN0IGV2dGNobl9iaW5kX3ZpcnEpOwor
CQlicmVhazsKKwljYXNlIEVWVENITk9QX2JpbmRfcGlycToKKwkJbGVuID0gc2l6ZW9mKHN0cnVj
dCBldnRjaG5fYmluZF9waXJxKTsKKwkJYnJlYWs7CiAJY2FzZSBFVlRDSE5PUF9jbG9zZToKKwkJ
bGVuID0gc2l6ZW9mKHN0cnVjdCBldnRjaG5fY2xvc2UpOworCQlicmVhazsKIAljYXNlIEVWVENI
Tk9QX3NlbmQ6CisJCWxlbiA9IHNpemVvZihzdHJ1Y3QgZXZ0Y2huX3NlbmQpOworCQlicmVhazsK
KwljYXNlIEVWVENITk9QX2FsbG9jX3VuYm91bmQ6CisJCWxlbiA9IHNpemVvZihzdHJ1Y3QgZXZ0
Y2huX2FsbG9jX3VuYm91bmQpOworCQlicmVhazsKKwljYXNlIEVWVENITk9QX2JpbmRfaXBpOgor
CQlsZW4gPSBzaXplb2Yoc3RydWN0IGV2dGNobl9iaW5kX2lwaSk7CisJCWJyZWFrOworCWNhc2Ug
RVZUQ0hOT1Bfc3RhdHVzOgorCQlsZW4gPSBzaXplb2Yoc3RydWN0IGV2dGNobl9zdGF0dXMpOwor
CQlicmVhazsKIAljYXNlIEVWVENITk9QX2JpbmRfdmNwdToKKwkJbGVuID0gc2l6ZW9mKHN0cnVj
dCBldnRjaG5fYmluZF92Y3B1KTsKKwkJYnJlYWs7CiAJY2FzZSBFVlRDSE5PUF91bm1hc2s6Ci0J
CS8qIG5vIG91dHB1dCAqLworCQlsZW4gPSBzaXplb2Yoc3RydWN0IGV2dGNobl91bm1hc2spOwog
CQlicmVhazsKLQotI2RlZmluZSBDT1BZX0JBQ0soZW9wKSBcCi0JY2FzZSBFVlRDSE5PUF8jI2Vv
cDogXAotCQltZW1jcHkoYXJnLCAmb3AudS5lb3AsIHNpemVvZihvcC51LmVvcCkpOyBcCi0JCWJy
ZWFrCi0KLQlDT1BZX0JBQ0soYmluZF9pbnRlcmRvbWFpbik7Ci0JQ09QWV9CQUNLKGJpbmRfdmly
cSk7Ci0JQ09QWV9CQUNLKGJpbmRfcGlycSk7Ci0JQ09QWV9CQUNLKHN0YXR1cyk7Ci0JQ09QWV9C
QUNLKGFsbG9jX3VuYm91bmQpOwotCUNPUFlfQkFDSyhiaW5kX2lwaSk7Ci0jdW5kZWYgQ09QWV9C
QUNLCi0KIAlkZWZhdWx0OgotCQlXQVJOX09OKHJjICE9IC1FTk9TWVMpOwotCQlicmVhazsKKwkJ
cmV0dXJuIC1FTk9TWVM7CiAJfQogCisJbWVtY3B5KCZvcC51LCBhcmcsIGxlbik7CisJcmMgPSBf
aHlwZXJjYWxsMShpbnQsIGV2ZW50X2NoYW5uZWxfb3BfY29tcGF0LCAmb3ApOworCW1lbWNweShh
cmcsICZvcC51LCBsZW4pOworCiAJcmV0dXJuIHJjOwogfQogRVhQT1JUX1NZTUJPTF9HUEwoeGVu
X2V2ZW50X2NoYW5uZWxfb3BfY29tcGF0KTsKIAogaW50IHhlbl9waHlzZGV2X29wX2NvbXBhdChp
bnQgY21kLCB2b2lkICphcmcpCiB7Ci0Jc3RydWN0IHBoeXNkZXZfb3Agb3A7CisJc3RydWN0IHBo
eXNkZXZfb3Agb3AgPSB7IC5jbWQgPSBjbWQsIH07CisJc2l6ZV90IGxlbjsKIAlpbnQgcmM7CiAK
LQlvcC5jbWQgPSBjbWQ7Ci0JbWVtY3B5KCZvcC51LCBhcmcsIHNpemVvZihvcC51KSk7Ci0JcmMg
PSBfaHlwZXJjYWxsMShpbnQsIHBoeXNkZXZfb3BfY29tcGF0LCAmb3ApOwotCiAJc3dpdGNoIChj
bWQpIHsKIAljYXNlIFBIWVNERVZPUF9JUlFfVU5NQVNLX05PVElGWToKKwkJbGVuID0gMDsKKwkJ
YnJlYWs7CisJY2FzZSBQSFlTREVWT1BfaXJxX3N0YXR1c19xdWVyeToKKwkJbGVuID0gc2l6ZW9m
KHN0cnVjdCBwaHlzZGV2X2lycV9zdGF0dXNfcXVlcnkpOworCQlicmVhazsKIAljYXNlIFBIWVNE
RVZPUF9zZXRfaW9wbDoKKwkJbGVuID0gc2l6ZW9mKHN0cnVjdCBwaHlzZGV2X3NldF9pb3BsKTsK
KwkJYnJlYWs7CiAJY2FzZSBQSFlTREVWT1Bfc2V0X2lvYml0bWFwOgorCQlsZW4gPSBzaXplb2Yo
c3RydWN0IHBoeXNkZXZfc2V0X2lvYml0bWFwKTsKKwkJYnJlYWs7CisJY2FzZSBQSFlTREVWT1Bf
YXBpY19yZWFkOgogCWNhc2UgUEhZU0RFVk9QX2FwaWNfd3JpdGU6Ci0JCS8qIG5vIG91dHB1dCAq
LworCQlsZW4gPSBzaXplb2Yoc3RydWN0IHBoeXNkZXZfYXBpYyk7CiAJCWJyZWFrOwotCi0jZGVm
aW5lIENPUFlfQkFDSyhwb3AsIGZsZCkgXAotCWNhc2UgUEhZU0RFVk9QXyMjcG9wOiBcCi0JCW1l
bWNweShhcmcsICZvcC51LmZsZCwgc2l6ZW9mKG9wLnUuZmxkKSk7IFwKLQkJYnJlYWsKLQotCUNP
UFlfQkFDSyhpcnFfc3RhdHVzX3F1ZXJ5LCBpcnFfc3RhdHVzX3F1ZXJ5KTsKLQlDT1BZX0JBQ0so
YXBpY19yZWFkLCBhcGljX29wKTsKLQlDT1BZX0JBQ0soQVNTSUdOX1ZFQ1RPUiwgaXJxX29wKTsK
LSN1bmRlZiBDT1BZX0JBQ0sKLQotCWRlZmF1bHQ6Ci0JCVdBUk5fT04ocmMgIT0gLUVOT1NZUyk7
CisJY2FzZSBQSFlTREVWT1BfQVNTSUdOX1ZFQ1RPUjoKKwkJbGVuID0gc2l6ZW9mKHN0cnVjdCBw
aHlzZGV2X2lycSk7CiAJCWJyZWFrOworCWRlZmF1bHQ6CisJCXJldHVybiAtRU5PU1lTOwogCX0K
IAorCW1lbWNweSgmb3AudSwgYXJnLCBsZW4pOworCXJjID0gX2h5cGVyY2FsbDEoaW50LCBwaHlz
ZGV2X29wX2NvbXBhdCwgJm9wKTsKKwltZW1jcHkoYXJnLCAmb3AudSwgbGVuKTsKKwogCXJldHVy
biByYzsKIH0KIEVYUE9SVF9TWU1CT0xfR1BMKHhlbl9waHlzZGV2X29wX2NvbXBhdCk7Ci0tIAoy
LjkuMAoKCl9fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fClhl
bi1kZXZlbCBtYWlsaW5nIGxpc3QKWGVuLWRldmVsQGxpc3RzLnhlbnByb2plY3Qub3JnCmh0dHBz
Oi8vbGlzdHMueGVucHJvamVjdC5vcmcvbWFpbG1hbi9saXN0aW5mby94ZW4tZGV2ZWw=