File 59df636e-x86-HVM-prefill-partially-used-var.patch of Package xen.7317
# Commit 0d4732ac29b63063764c29fa3bd8946daf67d6f3
# Date 2017-10-12 14:43:26 +0200
# Author Jan Beulich <jbeulich@suse.com>
# Committer Jan Beulich <jbeulich@suse.com>
x86/HVM: prefill partially used variable on emulation paths
Certain handlers ignore the access size (vioapic_write() being the
example this was found with), perhaps leading to subsequent reads
seeing data that wasn't actually written by the guest. For
consistency and extra safety also do this on the read path of
hvm_process_io_intercept(), even if this doesn't directly affect what
guests get to see, as we've supposedly already dealt with read handlers
leaving data completely uninitialized.
This is XSA-239.
Reported-by: Roger Pau Monné <roger.pau@citrix.com>
Reviewed-by: Roger Pau Monné <roger.pau@citrix.com>
Signed-off-by: Jan Beulich <jbeulich@suse.com>
--- a/xen/arch/x86/hvm/intercept.c
+++ b/xen/arch/x86/hvm/intercept.c
@@ -55,6 +55,7 @@ static int hvm_mmio_access(struct vcpu *
{
if ( p->dir == IOREQ_READ )
{
+ data = 0;
if ( vio->mmio_retrying )
{
if ( vio->mmio_large_read_bytes != p->size )
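Review bot: The added `data = 0;` carries the whole fix on this read path but says nothing about why, and the read handler that fills `data` is called further down, outside this hunk, so a later reader sees an apparently redundant store that a cleanup could drop. A one-line comment at the assignment would protect it: `/* Prefill: the handler (or the retry copy) may fill fewer than sizeof(data) bytes. */`. The retry branch that begins here presumably copies only `p->size` bytes out of the saved large-read state, which is why the zeroing has to precede the retry check rather than sit next to the handler call alone; worth confirming against the rest of hvm_mmio_access, which continues beyond the hunk.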
@@ -76,6 +77,7 @@ static int hvm_mmio_access(struct vcpu *
{
for ( i = 0; i < p->count; i++ )
{
+ data = 0;
if ( vio->mmio_retrying )
{
if ( vio->mmio_large_read_bytes != p->size )
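Review bot: The reset is placed inside the per-element loop rather than once before it, and that placement is essential: `data` is reused for every element, so an element narrower than `data` would otherwise inherit the previous element's high bytes, yet nothing in the hunk states this and a hoist-out-of-the-loop cleanup would silently reintroduce the problem. Suggest `/* Reset per element: a narrow read must not inherit the previous element's bytes. */` on the added line. The loop body continues outside the hunk, so the point at which each element's `data` is consumed is not visible here.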
@@ -124,6 +126,7 @@ static int hvm_mmio_access(struct vcpu *
{
for ( i = 0; i < p->count; i++ )
{
+ data = 0;
switch ( hvm_copy_from_guest_phys(&data, p->data + step * i,
p->size) )
{
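Review bot: `hvm_copy_from_guest_phys(&data, ..., p->size)` on the two lines after the added store fills only `p->size` bytes of `data`, so for an access narrower than `data` the zeroing is now what the write handler's view of the upper bytes depends on; this is the path the description's vioapic_write example exercises. A comment tying the two lines together would make that dependency explicit: `/* Zero first: the copy below fills only p->size bytes of data. */`. The switch on the copy's result and the handler call that consumes `data` are outside the hunk.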
@@ -222,6 +225,7 @@ static int process_portio_intercept(port
{
if ( p->dir == IOREQ_READ )
{
+ data = 0;
if ( vio->mmio_retrying )
{
if ( vio->mmio_large_read_bytes != p->size )
@@ -246,6 +250,7 @@ static int process_portio_intercept(port
{
for ( i = 0; i < p->count; i++ )
{
+ data = 0;
if ( vio->mmio_retrying )
{
if ( vio->mmio_large_read_bytes != p->size )