File 59db60d9-domctl-fix-heap-leak-via-XEN_DOMCTL_getvcpucontext.patch of Package xen.7317

# Commit 3b2eeb7412e529f38d1e8b872ba0bc6ab09a7008
# Date 2017-10-09 12:43:21 +0100
# Author Andrew Cooper <andrew.cooper3@citrix.com>
# Committer Andrew Cooper <andrew.cooper3@citrix.com>
xen/domctl: Fix Xen heap leak via XEN_DOMCTL_getvcpucontext

The backing structure for XEN_DOMCTL_getvcpucontext is only zeroed in the x86
HVM case.  At the very least, this means that ARM returns junk through its
flags field (as it is only ever conditionally or'd into), and x86 PV leaks
data through gdt_frames[14...15].  (An exhaustive search for other leaks
hasn't been performed).

Unconditionally zero the memory upon allocation, and forgo the double clear
for x86 HVM.  These hypercalls are not on hotpaths.

Note that this does not qualify for an XSA.  Per XSA-77,
XEN_DOMCTL_getvcpucontext is unsafe for disaggregation, meaning that only the
control domain can use this hypercall.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>

--- a/xen/arch/x86/domctl.c
+++ b/xen/arch/x86/domctl.c
@@ -1298,8 +1298,6 @@ void arch_get_info_guest(struct vcpu *v,
     bool_t compat = is_pv_32on64_domain(v->domain);
 #define c(fld) (!compat ? (c.nat->fld) : (c.cmp->fld))
 
-    if ( !is_pv_vcpu(v) )
-        memset(c.nat, 0, sizeof(*c.nat));
     memcpy(&c.nat->fpu_ctxt, v->arch.fpu_ctxt, sizeof(c.nat->fpu_ctxt));
     c(flags = v->arch.vgc_flags & ~(VGCF_i387_valid|VGCF_in_kernel));
     if ( v->fpu_initialised )
--- a/xen/common/domctl.c
+++ b/xen/common/domctl.c
@@ -636,7 +636,7 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xe
                      < sizeof(struct compat_vcpu_guest_context));
 #endif
         ret = -ENOMEM;
-        if ( (c.nat = xmalloc(struct vcpu_guest_context)) == NULL )
+        if ( (c.nat = xzalloc(struct vcpu_guest_context)) == NULL )
             goto getvcpucontext_out;
 
         vcpu_pause(v);