From 0d4732ac29b63063764c29fa3bd8946daf67d6f3 Mon Sep 17 00:00:00 2001
From: Jan Beulich
Date: Thu, 12 Oct 2017 14:43:26 +0200
Subject: [PATCH] x86/HVM: prefill partially used variable on emulation paths
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

Certain handlers ignore the access size (vioapic_write() being the example this was found with), perhaps leading to subsequent reads seeing data that wasn't actually written by the guest. For consistency and extra safety also do this on the read path of hvm_process_io_intercept(), even if this doesn't directly affect what guests get to see, as we've supposedly already dealt with read handlers leaving data completely unitialized.

This is XSA-239.

Reported-by: Roger Pau Monné
Reviewed-by: Roger Pau Monné
Signed-off-by: Jan Beulich
---
 xen/arch/x86/hvm/emulate.c | 2 +-
 xen/arch/x86/hvm/intercept.c | 2 ++
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/xen/arch/x86/hvm/emulate.c b/xen/arch/x86/hvm/emulate.c
index d4fb37bbf8..e924ce07c4 100644
--- a/xen/arch/x86/hvm/emulate.c
+++ b/xen/arch/x86/hvm/emulate.c
@@ -131,7 +131,7 @@ static int hvmemul_do_io(
 .count = *reps,
 .dir = dir,
 .df = df,
- .data = data,
+ .data = data_is_addr ? data : 0,
 .data_is_ptr = data_is_addr, /* ioreq_t field name is misleading */
 .state = STATE_IOREQ_READY,
 };
diff --git a/xen/arch/x86/hvm/intercept.c b/xen/arch/x86/hvm/intercept.c
index ef82419bfd..2bc156df29 100644
--- a/xen/arch/x86/hvm/intercept.c
+++ b/xen/arch/x86/hvm/intercept.c
@@ -127,6 +127,7 @@ int hvm_process_io_intercept(const struct hvm_io_handler *handler,
 addr = (p->type == IOREQ_TYPE_COPY) ?
 p->addr + step * i :
 p->addr;
+ data = 0;
 rc = ops->read(handler, addr, p->size, &data);
 if ( rc != X86EMUL_OKAY )
 break;
@@ -161,6 +162,7 @@ int hvm_process_io_intercept(const struct hvm_io_handler *handler,
 {
 if ( p->data_is_ptr )
 {
+ data = 0;
 switch ( hvm_copy_from_guest_phys(&data, p->data + step * i,
 p->size) )
 {
-- 
2.30.2
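Review bot: The new initializer `.data = data_is_addr ? data : 0,` is only correct for the non-pointer write case if the actual value is copied into `p.data` later, bounded by the access size, and that copy is not in the hunk (hvmemul_do_io starts before and continues past it), so the reason for zeroing is invisible at the point of initialization. A maintainer reading only the struct literal may take `data` to be the value itself and "restore" the direct assignment. Record the dependency inline: `.data = data_is_addr ? data : 0, /* non-pointer data is copied in below, bounded by size; the remaining bytes must read as zero */`. If in this version `data` is the value rather than a pointer to it in the non-pointer case, the initializer would discard the write value, which is worth confirming against the callers.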
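Review bot: The `data = 0;` inserted ahead of `ops->read(handler, addr, p->size, &data)` relies on handlers not being trusted to fill more than `p->size` bytes, but nothing at the assignment says so, and a later cleanup could drop a store that looks redundant. A short why-comment keeps the intent: `data = 0; /* handlers may fill fewer than sizeof(data) bytes; never carry stale bytes forward */`. The same applies to the `data = 0;` before `hvm_copy_from_guest_phys(&data, ..., p->size)` in the second hunk of this file, where the copy is explicitly bounded by `p->size`. The `step * i` addressing suggests both sites run inside a loop reusing `data`, so without the prefill the bytes beyond `p->size` would presumably hold the previous iteration's contents; hvm_process_io_intercept's body lies outside both hunks.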