[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-changelog] [xen stable-4.3] x86/HVM: return all ones on wrong-sized reads of system device I/O ports

commit 3db79e9f71f551a51359cb40e39586d8a15dae02
Author:     Jan Beulich <jbeulich@xxxxxxxx>
AuthorDate: Thu Mar 5 13:48:07 2015 +0100
Commit:     Jan Beulich <jbeulich@xxxxxxxx>
CommitDate: Thu Mar 5 13:48:07 2015 +0100

    x86/HVM: return all ones on wrong-sized reads of system device I/O ports
    
    So far the value presented to the guest remained uninitialized.
    
    This is CVE-2015-2044 / XSA-121.
    
    Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
    Acked-by: Ian Campbell <ian.campbell@xxxxxxxxxx>
    master commit: c9e57594e1ba5da9d705dee9f00aa4e7e925963d
    master date: 2015-03-05 13:34:54 +0100
---
 xen/arch/x86/hvm/i8254.c   |    1 +
 xen/arch/x86/hvm/pmtimer.c |    1 +
 xen/arch/x86/hvm/rtc.c     |    3 ++-
 xen/arch/x86/hvm/vpic.c    |    1 +
 4 files changed, 5 insertions(+), 1 deletions(-)

diff --git a/xen/arch/x86/hvm/i8254.c b/xen/arch/x86/hvm/i8254.c
index c0d6bc2..809d09e 100644
--- a/xen/arch/x86/hvm/i8254.c
+++ b/xen/arch/x86/hvm/i8254.c
@@ -478,6 +478,7 @@ static int handle_pit_io(
     if ( bytes != 1 )
     {
         gdprintk(XENLOG_WARNING, "PIT bad access\n");
+        *val = ~0;
         return X86EMUL_OKAY;
     }
 
diff --git a/xen/arch/x86/hvm/pmtimer.c b/xen/arch/x86/hvm/pmtimer.c
index 01ae31d..6ad2797 100644
--- a/xen/arch/x86/hvm/pmtimer.c
+++ b/xen/arch/x86/hvm/pmtimer.c
@@ -213,6 +213,7 @@ static int handle_pmt_io(
     if ( bytes != 4 )
     {
         gdprintk(XENLOG_WARNING, "HVM_PMT bad access\n");
+        *val = ~0;
         return X86EMUL_OKAY;
     }
     
diff --git a/xen/arch/x86/hvm/rtc.c b/xen/arch/x86/hvm/rtc.c
index 639b4c5..30270cb 100644
--- a/xen/arch/x86/hvm/rtc.c
+++ b/xen/arch/x86/hvm/rtc.c
@@ -696,7 +696,8 @@ static int handle_rtc_io(
 
     if ( bytes != 1 )
     {
-        gdprintk(XENLOG_WARNING, "HVM_RTC bas access\n");
+        gdprintk(XENLOG_WARNING, "HVM_RTC bad access\n");
+        *val = ~0;
         return X86EMUL_OKAY;
     }
     
diff --git a/xen/arch/x86/hvm/vpic.c b/xen/arch/x86/hvm/vpic.c
index fea3f68..6e4d422 100644
--- a/xen/arch/x86/hvm/vpic.c
+++ b/xen/arch/x86/hvm/vpic.c
@@ -324,6 +324,7 @@ static int vpic_intercept_pic_io(
     if ( bytes != 1 )
     {
         gdprintk(XENLOG_WARNING, "PIC_IO bad access size %d\n", bytes);
+        *val = ~0;
         return X86EMUL_OKAY;
     }
 
--
generated by git-patchbot for /home/xen/git/xen.git#stable-4.3

_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxx
http://lists.xensource.com/xen-changelog

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.