Diffstat (limited to 'system/xen/xsa/xsa239.patch')
-rw-r--r--system/xen/xsa/xsa239.patch46
1 files changed, 46 insertions, 0 deletions
diff --git a/system/xen/xsa/xsa239.patch b/system/xen/xsa/xsa239.patch
new file mode 100644
index 0000000000..5daecb5e47
--- /dev/null
+++ b/system/xen/xsa/xsa239.patch
@@ -0,0 +1,46 @@
+From: Jan Beulich <jbeulich@suse.com>
+Subject: x86/HVM: prefill partially used variable on emulation paths
+
+Certain handlers ignore the access size (vioapic_write() being the
+example this was found with), perhaps leading to subsequent reads
+seeing data that wasn't actually written by the guest. For
+consistency and extra safety also do this on the read path of
+hvm_process_io_intercept(), even if this doesn't directly affect what
+guests get to see, as we've supposedly already dealt with read handlers
+leaving data completely unitialized.
+
+This is XSA-239.
+
+Reported-by: Roger Pau Monné <roger.pau@citrix.com>
+Reviewed-by: Roger Pau Monné <roger.pau@citrix.com>
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+
+--- a/xen/arch/x86/hvm/emulate.c
++++ b/xen/arch/x86/hvm/emulate.c
+@@ -129,7 +129,7 @@ static int hvmemul_do_io(
+ .count = *reps,
+ .dir = dir,
+ .df = df,
+- .data = data,
++ .data = data_is_addr ? data : 0,
+ .data_is_ptr = data_is_addr, /* ioreq_t field name is misleading */
+ .state = STATE_IOREQ_READY,
+ };
+--- a/xen/arch/x86/hvm/intercept.c
++++ b/xen/arch/x86/hvm/intercept.c
+@@ -127,6 +127,7 @@ int hvm_process_io_intercept(const struc
+ addr = (p->type == IOREQ_TYPE_COPY) ?
+ p->addr + step * i :
+ p->addr;
++ data = 0;
+ rc = ops->read(handler, addr, p->size, &data);
+ if ( rc != X86EMUL_OKAY )
+ break;
+@@ -161,6 +162,7 @@ int hvm_process_io_intercept(const struc
+ {
+ if ( p->data_is_ptr )
+ {
++ data = 0;
+ switch ( hvm_copy_from_guest_phys(&data, p->data + step * i,
+ p->size) )
+ {