[Xen-devel] [PATCH] common/sysctl: Zero structures on the stack
None of these structures currently contain a hole. However, there is a risk
that a change to the structure might introduce a hole, and thus create a
hypervisor stack leak to the toolstack.
Mitigate this risk by preemptively zeroing these structures. These are not
hotpaths, so the slight overhead is not an issue.
Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
CC: Keir Fraser <keir@xxxxxxx>
CC: Jan Beulich <JBeulich@xxxxxxxx>
---
This is a result of my audit following XSA-132
---
xen/common/sysctl.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/xen/common/sysctl.c b/xen/common/sysctl.c
index 65798a3..7361064 100644
--- a/xen/common/sysctl.c
+++ b/xen/common/sysctl.c
@@ -144,7 +144,7 @@ long do_sysctl(XEN_GUEST_HANDLE_PARAM(xen_sysctl_t)
u_sysctl)
case XEN_SYSCTL_getcpuinfo:
{
uint32_t i, nr_cpus;
- struct xen_sysctl_cpuinfo cpuinfo;
+ struct xen_sysctl_cpuinfo cpuinfo = { 0 };
nr_cpus = min(op->u.getcpuinfo.max_cpus, nr_cpu_ids);
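Review bot: `= { 0 }` on `cpuinfo` is not guaranteed by the C standard to clear padding bytes, which are exactly what the commit message wants covered; an initialiser list guarantees zeroed members, and a compiler may initialise member by member and leave any hole untouched. If the intent is that a future hole can never carry stack content to the toolstack, `memset(&cpuinfo, 0, sizeof(cpuinfo));` before first use states that directly, or a comment should record that the build relies on the compiler zeroing the whole object. The same applies to the `meminfo` and `cputopo` initialisers in the later hunks. The `case` body continues outside this hunk.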
@@ -283,6 +283,8 @@ long do_sysctl(XEN_GUEST_HANDLE_PARAM(xen_sysctl_t)
u_sysctl)
if ( do_meminfo || do_distance )
{
+ xen_sysctl_meminfo_t meminfo = { 0 };
+
if ( ni->num_nodes < num_nodes )
{
ret = -ENOBUFS;
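Review bot: Hoisting `meminfo` out of the `for` loop means it is zeroed once, before the first node, rather than being a fresh object on each iteration, so any field an iteration does not write keeps the previous node's value when it is copied out. That is no longer hypervisor stack content, but it is stale data, and the loop body lies outside this hunk, so whether every path writes every field cannot be confirmed here. Keeping the declaration inside the loop and adding the initialiser there (`xen_sysctl_meminfo_t meminfo = { 0 };` as the first line of the loop body) would reset it per node. The same applies to `cputopo` in the hunk further down, where only the `cpu_present(i)` branch is visible.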
@@ -293,7 +295,6 @@ long do_sysctl(XEN_GUEST_HANDLE_PARAM(xen_sysctl_t)
u_sysctl)
for ( ; i < num_nodes; i++ )
{
- xen_sysctl_meminfo_t meminfo;
static uint32_t distance[MAX_NUMNODES];
if ( do_meminfo )
@@ -355,6 +356,8 @@ long do_sysctl(XEN_GUEST_HANDLE_PARAM(xen_sysctl_t)
u_sysctl)
num_cpus = cpumask_last(&cpu_online_map) + 1;
if ( !guest_handle_is_null(ti->cputopo) )
{
+ xen_sysctl_cputopo_t cputopo = { 0 };
+
if ( ti->num_cpus < num_cpus )
{
ret = -ENOBUFS;
@@ -365,8 +368,6 @@ long do_sysctl(XEN_GUEST_HANDLE_PARAM(xen_sysctl_t)
u_sysctl)
for ( ; i < num_cpus; i++ )
{
- xen_sysctl_cputopo_t cputopo;
-
if ( cpu_present(i) )
{
cputopo.core = cpu_to_core(i);
--
1.7.10.4