From: Jan Beulich Date: Thu, 5 Mar 2015 12:34:54 +0000 (+0100) Subject: x86/HVM: return all ones on wrong-sized reads of system device I/O ports X-Git-Tag: archive/raspbian/4.8.0-1+rpi1~1^2~3674 X-Git-Url: https://dgit.raspbian.org/%22http:/www.example.com/cgi/%22https://%22%22/%22http:/www.example.com/cgi/%22https:/%22%22?a=commitdiff_plain;h=c9e57594e1ba5da9d705dee9f00aa4e7e925963d;p=xen.git x86/HVM: return all ones on wrong-sized reads of system device I/O ports So far the value presented to the guest remained uninitialized. This is CVE-2015-2044 / XSA-121. Signed-off-by: Jan Beulich Acked-by: Ian Campbell --- diff --git a/xen/arch/x86/hvm/i8254.c b/xen/arch/x86/hvm/i8254.c index 3ec01c0a13..36a0a53a2e 100644 --- a/xen/arch/x86/hvm/i8254.c +++ b/xen/arch/x86/hvm/i8254.c @@ -486,6 +486,7 @@ static int handle_pit_io( if ( bytes != 1 ) { gdprintk(XENLOG_WARNING, "PIT bad access\n"); + *val = ~0; return X86EMUL_OKAY; } diff --git a/xen/arch/x86/hvm/pmtimer.c b/xen/arch/x86/hvm/pmtimer.c index 01ae31d38d..6ad2797986 100644 --- a/xen/arch/x86/hvm/pmtimer.c +++ b/xen/arch/x86/hvm/pmtimer.c @@ -213,6 +213,7 @@ static int handle_pmt_io( if ( bytes != 4 ) { gdprintk(XENLOG_WARNING, "HVM_PMT bad access\n"); + *val = ~0; return X86EMUL_OKAY; } diff --git a/xen/arch/x86/hvm/rtc.c b/xen/arch/x86/hvm/rtc.c index 3fab660a7d..3448971d28 100644 --- a/xen/arch/x86/hvm/rtc.c +++ b/xen/arch/x86/hvm/rtc.c @@ -703,7 +703,8 @@ static int handle_rtc_io( if ( bytes != 1 ) { - gdprintk(XENLOG_WARNING, "HVM_RTC bas access\n"); + gdprintk(XENLOG_WARNING, "HVM_RTC bad access\n"); + *val = ~0; return X86EMUL_OKAY; } diff --git a/xen/arch/x86/hvm/vpic.c b/xen/arch/x86/hvm/vpic.c index d72b6ff3fa..8eea0611de 100644 --- a/xen/arch/x86/hvm/vpic.c +++ b/xen/arch/x86/hvm/vpic.c @@ -331,6 +331,7 @@ static int vpic_intercept_pic_io( if ( bytes != 1 ) { gdprintk(XENLOG_WARNING, "PIC_IO bad access size %d\n", bytes); + *val = ~0; return X86EMUL_OKAY; }