* [Xen-devel] [PATCH] xen/x86: domctl: Don't leak data via XEN_DOMCTL_gethvmcontext
@ 2020-01-27 13:48 Julien Grall
  2020-01-27 14:53 ` Jan Beulich
  0 siblings, 1 reply; 2+ messages in thread
From: Julien Grall @ 2020-01-27 13:48 UTC
  To: xen-devel; +Cc: Andrew Cooper, Julien Grall, Wei Liu, Roger Pau Monné

From: Julien Grall <jgrall@amazon.com>

The HVM context may not fill up the full buffer passed by the caller.
While we correctly report the size of the context, we will still be
copying back the full size of the buffer.

As the buffer is allocated through xmalloc(), we will be copying some
bits from the previous allocation.

Only copy back the part of the buffer used by the HVM context to prevent
any leak.

Note that per XSA-72, this is not a security issue.

Signed-off-by: Julien Grall <jgrall@amazon.com>
---
 xen/arch/x86/domctl.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/xen/arch/x86/domctl.c b/xen/arch/x86/domctl.c
index 5ed63ac10a..4fa9c91140 100644
--- a/xen/arch/x86/domctl.c
+++ b/xen/arch/x86/domctl.c
@@ -540,7 +540,7 @@ long arch_do_domctl(
         domain_unpause(d);
 
         domctl->u.hvmcontext.size = c.cur;
-        if ( copy_to_guest(domctl->u.hvmcontext.buffer, c.data, c.size) != 0 )
+        if ( copy_to_guest(domctl->u.hvmcontext.buffer, c.data, c.cur) != 0 )
             ret = -EFAULT;
 
     gethvmcontext_out:
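
Review bot: The copy_to_guest() call now takes c.cur as its length, which is only safe if c.cur can never exceed c.size, and nothing in this hunk shows that bound being enforced. An ASSERT(c.cur <= c.size) just before the copy would document the invariant. A one-line comment on the copy_to_guest() line, saying that only the filled part is returned because the rest of the xmalloc()ed buffer is uninitialised, would also help keep a later cleanup from switching the length back to c.size. Zero-initialising the buffer where it is allocated would be a complementary hardening, so that the copy length is not the only thing standing between stale heap contents and the caller.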
-- 
2.17.1


_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel


* Re: [Xen-devel] [PATCH] xen/x86: domctl: Don't leak data via XEN_DOMCTL_gethvmcontext
  2020-01-27 13:48 [Xen-devel] [PATCH] xen/x86: domctl: Don't leak data via XEN_DOMCTL_gethvmcontext Julien Grall
@ 2020-01-27 14:53 ` Jan Beulich
  0 siblings, 0 replies; 2+ messages in thread
From: Jan Beulich @ 2020-01-27 14:53 UTC
  To: Julien Grall
  Cc: xen-devel, Julien Grall, Roger Pau Monné, Wei Liu, Andrew Cooper

On 27.01.2020 14:48, Julien Grall wrote:
> From: Julien Grall <jgrall@amazon.com>
> 
> The HVM context may not fill up the full buffer passed by the caller.
> While we correctly report the size of the context, we will still be
> copying back the full size of the buffer.
> 
> As the buffer is allocated through xmalloc(), we will be copying some
> bits from the previous allocation.
> 
> Only copy back the part of the buffer used by the HVM context to prevent
> any leak.
> 
> Note that per XSA-72, this is not a security issue.
> 
> Signed-off-by: Julien Grall <jgrall@amazon.com>

Reviewed-by: Jan Beulich <jbeulich@suse.com>
