[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[PATCH] argo: don't leak stack contents when returning ring info

To: "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>
From: Jan Beulich <jbeulich@xxxxxxxx>
Date: Thu, 14 Jan 2021 15:01:06 +0100
Cc: Christopher Clark <christopher.w.clark@xxxxxxxxx>
Delivery-date: Thu, 14 Jan 2021 14:01:27 +0000
List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

The max_message_size field of the output gets filled only when the flags
field is non-zero. Don't copy back uninitialized data to guest context.

Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>

--- a/xen/common/argo.c
+++ b/xen/common/argo.c
@@ -1405,7 +1405,8 @@ fill_ring_data(const struct domain *curr
         rcu_unlock_domain(dst_d);
 
     if ( !ret && (__copy_field_to_guest(data_ent_hnd, &ent, flags) ||
-                  __copy_field_to_guest(data_ent_hnd, &ent, max_message_size)) 
)
+                  (ent.flags &&
+                   __copy_field_to_guest(data_ent_hnd, &ent, 
max_message_size))) )
         return -EFAULT;
 
     return ret;

Follow-Ups:
- Re: [PATCH] argo: don't leak stack contents when returning ring info
  - From: Roger Pau Monné

Prev by Date: [qemu-mainline test] 158413: regressions - FAIL
Next by Date: [PATCH] common: don't require use of DOMID_SELF
Previous by thread: [qemu-mainline test] 158413: regressions - FAIL
Next by thread: Re: [PATCH] argo: don't leak stack contents when returning ring info
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.