From: Jan Beulich Date: Thu, 12 Oct 2017 12:43:26 +0000 (+0200) Subject: x86/HVM: prefill partially used variable on emulation paths X-Git-Tag: archive/raspbian/4.11.1-1+rpi1~1^2~66^2~1099 X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=0d4732ac29b63063764c29fa3bd8946daf67d6f3;p=xen.git x86/HVM: prefill partially used variable on emulation paths Certain handlers ignore the access size (vioapic_write() being the example this was found with), perhaps leading to subsequent reads seeing data that wasn't actually written by the guest. For consistency and extra safety also do this on the read path of hvm_process_io_intercept(), even if this doesn't directly affect what guests get to see, as we've supposedly already dealt with read handlers leaving data completely uninitialized. This is XSA-239. Reported-by: Roger Pau Monné Reviewed-by: Roger Pau Monné Signed-off-by: Jan Beulich --- diff --git a/xen/arch/x86/hvm/emulate.c b/xen/arch/x86/hvm/emulate.c index d4fb37bbf8..e924ce07c4 100644 --- a/xen/arch/x86/hvm/emulate.c +++ b/xen/arch/x86/hvm/emulate.c @@ -131,7 +131,7 @@ static int hvmemul_do_io( .count = *reps, .dir = dir, .df = df, - .data = data, + .data = data_is_addr ? data : 0, .data_is_ptr = data_is_addr, /* ioreq_t field name is misleading */ .state = STATE_IOREQ_READY, }; diff --git a/xen/arch/x86/hvm/intercept.c b/xen/arch/x86/hvm/intercept.c index ef82419bfd..2bc156df29 100644 --- a/xen/arch/x86/hvm/intercept.c +++ b/xen/arch/x86/hvm/intercept.c @@ -127,6 +127,7 @@ int hvm_process_io_intercept(const struct hvm_io_handler *handler, addr = (p->type == IOREQ_TYPE_COPY) ? p->addr + step * i : p->addr; + data = 0; rc = ops->read(handler, addr, p->size, &data); if ( rc != X86EMUL_OKAY ) break; @@ -161,6 +162,7 @@ int hvm_process_io_intercept(const struct hvm_io_handler *handler, { if ( p->data_is_ptr ) { + data = 0; switch ( hvm_copy_from_guest_phys(&data, p->data + step * i, p->size) ) {
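Review bot: in the hvmemul_do_io() hunk, `.data = data_is_addr ? data : 0,` read on its own looks as if the value of a non-pointer write is being discarded, because the context lines do not show where `p.data` is filled in for that case. A one-line comment next to the initializer, saying that the field is zeroed here so that a later size-limited copy of the write value leaves the bytes above the access size defined (and pointing at that copy), would spare the next reader from hunting for it; as it stands the correctness of this hunk depends on code outside the diff.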
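Review bot: in the first hvm_process_io_intercept() hunk (the `ops->read()` path), zeroing `data` inside the loop rather than once at declaration is the right choice, since the same variable is reused for every `i` and a handler that fills only `p->size` bytes would otherwise leak the previous iteration's upper bytes into the next one. The commit message calls this a consistency measure, so the `data = 0;` deserves a short comment saying it is defensive against read handlers that return `X86EMUL_OKAY` without writing all `p->size` bytes; otherwise it reads as if such handlers are expected, which the message says they are not.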
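Review bot: in the second hvm_process_io_intercept() hunk, `hvm_copy_from_guest_phys(&data, p->data + step * i, p->size)` copies only `p->size` bytes into the full-width `data`, so the `data = 0;` before it is what guarantees the bytes above the access size are defined before a write handler such as vioapic_write() sees them. The `switch` body is cut off at `{` here, so the failure cases are not visible; please confirm that a failed or partial copy does not fall through to the write handler with `data` still holding only the zero prefill plus a partial guest value, and that the `else` branch for `!p->data_is_ptr` masks or zero-extends `p->data` to `p->size` the same way, since the emulate.c hunk only establishes that for the pointer case.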