All of lore.kernel.org
 help / color / mirror / Atom feed
* [PATCH] argo: don't leak stack contents when returning ring info
@ 2021-01-14 14:01 Jan Beulich
  2021-01-14 16:59 ` Roger Pau Monné
  0 siblings, 1 reply; 3+ messages in thread
From: Jan Beulich @ 2021-01-14 14:01 UTC (permalink / raw)
  To: xen-devel; +Cc: Christopher Clark

The max_message_size field of the output gets filled only when the flags
field is non-zero. Don't copy back uninitialized data to guest context.

Signed-off-by: Jan Beulich <jbeulich@suse.com>

--- a/xen/common/argo.c
+++ b/xen/common/argo.c
@@ -1405,7 +1405,8 @@ fill_ring_data(const struct domain *curr
         rcu_unlock_domain(dst_d);
 
     if ( !ret && (__copy_field_to_guest(data_ent_hnd, &ent, flags) ||
-                  __copy_field_to_guest(data_ent_hnd, &ent, max_message_size)) )
+                  (ent.flags &&
+                   __copy_field_to_guest(data_ent_hnd, &ent, max_message_size))) )
         return -EFAULT;
 
     return ret;


^ permalink raw reply	[flat|nested] 3+ messages in thread
* Re: [PATCH] argo: don't leak stack contents when returning ring info
  2021-01-14 14:01 [PATCH] argo: don't leak stack contents when returning ring info Jan Beulich
@ 2021-01-14 16:59 ` Roger Pau Monné
  2021-01-14 17:01   ` Jan Beulich
  0 siblings, 1 reply; 3+ messages in thread
From: Roger Pau Monné @ 2021-01-14 16:59 UTC (permalink / raw)
  To: Jan Beulich; +Cc: xen-devel, Christopher Clark

On Thu, Jan 14, 2021 at 03:01:06PM +0100, Jan Beulich wrote:
> The max_message_size field of the output gets filled only when the flags
> field is non-zero. Don't copy back uninitialized data to guest context.

I'm afraid I'm missing something. AFAICT ent gets filled from the
user-space contents of data_ent_hnd that's copied from user-space at
the top of the function, so there's no leak from hypervisor stack in
the return path?

Thanks, Roger.


^ permalink raw reply	[flat|nested] 3+ messages in thread
* Re: [PATCH] argo: don't leak stack contents when returning ring info
  2021-01-14 16:59 ` Roger Pau Monné
@ 2021-01-14 17:01   ` Jan Beulich
  0 siblings, 0 replies; 3+ messages in thread
From: Jan Beulich @ 2021-01-14 17:01 UTC (permalink / raw)
  To: Roger Pau Monné; +Cc: xen-devel, Christopher Clark

On 14.01.2021 17:59, Roger Pau Monné wrote:
> On Thu, Jan 14, 2021 at 03:01:06PM +0100, Jan Beulich wrote:
>> The max_message_size field of the output gets filled only when the flags
>> field is non-zero. Don't copy back uninitialized data to guest context.
> 
> I'm afraid I'm missing something. AFAICT ent gets filled from the
> user-space contents of data_ent_hnd that's copied from user-space at
> the top of the function,

Oh, I managed to overlook this multiple time, so ...

> so there's no leak from hypervisor stack in
> the return path?

... yes indeed. Withdrawing the patch.

Thanks for noticing,
Jan


^ permalink raw reply	[flat|nested] 3+ messages in thread
end of thread, other threads:[~2021-01-14 17:01 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-01-14 14:01 [PATCH] argo: don't leak stack contents when returning ring info Jan Beulich
2021-01-14 16:59 ` Roger Pau Monné
2021-01-14 17:01   ` Jan Beulich

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.