[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-changelog] [xen master] x86/MCE: avoid leaking stack data

To: xen-changelog@xxxxxxxxxxxxxxxxxxxx
From: patchbot@xxxxxxx
Date: Fri, 10 Jan 2020 02:55:12 +0000
Delivery-date: Fri, 10 Jan 2020 02:55:14 +0000
List-id: "Change log for Mercurial \(receive only\)" <xen-changelog.lists.xenproject.org>

commit 9fdad93087e04cb3a155c62344eb88149e1cfc4a
Author:     Jan Beulich <jbeulich@xxxxxxxx>
AuthorDate: Thu Jan 9 11:08:29 2020 +0100
Commit:     Jan Beulich <jbeulich@xxxxxxxx>
CommitDate: Thu Jan 9 11:08:29 2020 +0100

    x86/MCE: avoid leaking stack data
    
    While HYPERVISOR_mca is a privileged operation, we still shouldn't leak
    stack contents (the tail of every array entry's mc_msrvalues[] of
    XEN_MC_physcpuinfo output). Simply use a zeroing allocation here.
    
    Take the occasion and also restrict the involved local variable's scope.
    
    Reported-by: Ilja Van Sprundel <ivansprundel@xxxxxxxxxxxx>
    Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
    Reviewed-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
---
 xen/arch/x86/cpu/mcheck/mce.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/xen/arch/x86/cpu/mcheck/mce.c b/xen/arch/x86/cpu/mcheck/mce.c
index c8cecc4976..29f3f9c5e3 100644
--- a/xen/arch/x86/cpu/mcheck/mce.c
+++ b/xen/arch/x86/cpu/mcheck/mce.c
@@ -1352,7 +1352,6 @@ long do_mca(XEN_GUEST_HANDLE_PARAM(xen_mc_t) u_xen_mc)
     } mc_physcpuinfo;
     uint32_t flags, cmdflags;
     int nlcpu;
-    xen_mc_logical_cpu_t *log_cpus = NULL;
     mctelem_cookie_t mctc;
     mctelem_class_t which;
     unsigned int target;
@@ -1445,11 +1444,13 @@ long do_mca(XEN_GUEST_HANDLE_PARAM(xen_mc_t) u_xen_mc)
              ? !guest_handle_is_null(mc_physcpuinfo.nat->info)
              : !compat_handle_is_null(mc_physcpuinfo.cmp->info) )
         {
+            xen_mc_logical_cpu_t *log_cpus;
+
             if ( mc_physcpuinfo.nat->ncpus <= 0 )
                 return x86_mcerr("do_mca cpuinfo: ncpus <= 0",
                                  -EINVAL);
             nlcpu = min(nlcpu, (int)mc_physcpuinfo.nat->ncpus);
-            log_cpus = xmalloc_array(xen_mc_logical_cpu_t, nlcpu);
+            log_cpus = xzalloc_array(xen_mc_logical_cpu_t, nlcpu);
             if ( log_cpus == NULL )
                 return x86_mcerr("do_mca cpuinfo", -ENOMEM);
             on_each_cpu(do_mc_get_cpu_info, log_cpus, 1);
--
generated by git-patchbot for /home/xen/git/xen.git#master

_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/xen-changelog

Prev by Date: [Xen-changelog] [xen master] x86: clear per cpu stub page information in cpu_smpboot_free()
Next by Date: [Xen-changelog] [xen master] x86/MCE: correct struct mcinfo_extended for compat guests
Previous by thread: [Xen-changelog] [xen master] x86: clear per cpu stub page information in cpu_smpboot_free()
Next by thread: [Xen-changelog] [xen master] x86/MCE: correct struct mcinfo_extended for compat guests
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.