Message ID | 20200127134800.15078-1-julien@xen.org (mailing list archive) |
---|---|
State | New, archived |
Series | xen/x86: domctl: Don't leak data via XEN_DOMCTL_gethvmcontext |
On 27.01.2020 14:48, Julien Grall wrote:
> From: Julien Grall <jgrall@amazon.com>
>
> The HVM context may not fill up the full buffer passed by the caller.
> While we report correctly the size of the context, we will still be
> copying back the full size of the buffer.
>
> As the buffer is allocated through xmalloc(), we will be copying some
> bits from the previous allocation.
>
> Only copy back the part of the buffer used by the HVM context to prevent
> any leak.
>
> Note that per XSA-72, this is not a security issue.
>
> Signed-off-by: Julien Grall <jgrall@amazon.com>

Reviewed-by: Jan Beulich <jbeulich@suse.com>
diff --git a/xen/arch/x86/domctl.c b/xen/arch/x86/domctl.c index 5ed63ac10a..4fa9c91140 100644 --- a/xen/arch/x86/domctl.c +++ b/xen/arch/x86/domctl.c @@ -540,7 +540,7 @@ long arch_do_domctl( domain_unpause(d); domctl->u.hvmcontext.size = c.cur; - if ( copy_to_guest(domctl->u.hvmcontext.buffer, c.data, c.size) != 0 ) + if ( copy_to_guest(domctl->u.hvmcontext.buffer, c.data, c.cur) != 0 ) ret = -EFAULT; gethvmcontext_out:
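Review bot: the copy length in the `copy_to_guest()` call now matches the size reported on the line just above it (`domctl->u.hvmcontext.size = c.cur;`), which restores the invariant that the caller receives exactly as many bytes as the hypervisor claims to have written; before this change the two values could disagree whenever the context was shorter than the allocation. Since the commit message states the buffer comes from `xmalloc()`, it is worth considering, outside this hunk, whether zero-initialising that allocation would also be appropriate as defence in depth, so that any future mismatch between the reported size and the copied length would expose zeros rather than stale heap contents; that is a suggestion, not a blocker for this fix. The note that per XSA-72 this is not a security issue should stay in the final commit message, as it documents why no advisory accompanies the change.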