From 5abd2611893fc1c0a4ab642b5a1effa56186abad Mon Sep 17 00:00:00 2001 From: Julien Grall Date: Thu, 5 Mar 2020 11:32:53 +0100 Subject: [PATCH] xen/x86: domctl: Don't leak data via XEN_DOMCTL_gethvmcontext The HVM context may not fill up the full buffer passed by the caller. While we report corectly the size of the context, we will still be copying back the full size of the buffer. As the buffer is allocated through xmalloc(), we will be copying some bits from the previous allocation. Only copy back the part of the buffer used by the HVM context to prevent any leak. Note that per XSA-72, this is not a security issue. Signed-off-by: Julien Grall Reviewed-by: Jan Beulich master commit: 41d8869003e96d8b7250ad1d0246371d6929aca6 master date: 2020-01-31 18:51:38 +0000 --- xen/arch/x86/domctl.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/xen/arch/x86/domctl.c b/xen/arch/x86/domctl.c index 6aa42941b2..676b92203d 100644 --- a/xen/arch/x86/domctl.c +++ b/xen/arch/x86/domctl.c @@ -601,7 +601,7 @@ long arch_do_domctl( domain_unpause(d); domctl->u.hvmcontext.size = c.cur; - if ( copy_to_guest(domctl->u.hvmcontext.buffer, c.data, c.size) != 0 ) + if ( copy_to_guest(domctl->u.hvmcontext.buffer, c.data, c.cur) != 0 ) ret = -EFAULT; gethvmcontext_out: -- 2.30.2