diff mbox series

xen/x86: domctl: Don't leak data via XEN_DOMCTL_gethvmcontext

Message ID 20200127134800.15078-1-julien@xen.org (mailing list archive)
State New, archived
Headers show
Series xen/x86: domctl: Don't leak data via XEN_DOMCTL_gethvmcontext | expand

Commit Message

Julien Grall Jan. 27, 2020, 1:48 p.m. UTC
From: Julien Grall <jgrall@amazon.com>

The HVM context may not fill up the full buffer passed by the caller.
While we report corectly the size of the context, we will still be
copying back the full size of the buffer.

As the buffer is allocated through xmalloc(), we will be copying some
bits from the previous allocation.

Only copy back the part of the buffer used by the HVM context to prevent
any leak.

Note that per XSA-72, this is not a security issue.

Signed-off-by: Julien Grall <jgrall@amazon.com>
---
 xen/arch/x86/domctl.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Jan Beulich Jan. 27, 2020, 2:53 p.m. UTC | #1
On 27.01.2020 14:48, Julien Grall wrote:
> From: Julien Grall <jgrall@amazon.com>
> 
> The HVM context may not fill up the full buffer passed by the caller.
> While we report corectly the size of the context, we will still be
> copying back the full size of the buffer.
> 
> As the buffer is allocated through xmalloc(), we will be copying some
> bits from the previous allocation.
> 
> Only copy back the part of the buffer used by the HVM context to prevent
> any leak.
> 
> Note that per XSA-72, this is not a security issue.
> 
> Signed-off-by: Julien Grall <jgrall@amazon.com>

Reviewed-by: Jan Beulich <jbeulich@suse.com>
diff mbox series

Patch

diff --git a/xen/arch/x86/domctl.c b/xen/arch/x86/domctl.c
index 5ed63ac10a..4fa9c91140 100644
--- a/xen/arch/x86/domctl.c
+++ b/xen/arch/x86/domctl.c
@@ -540,7 +540,7 @@  long arch_do_domctl(
         domain_unpause(d);
 
         domctl->u.hvmcontext.size = c.cur;
-        if ( copy_to_guest(domctl->u.hvmcontext.buffer, c.data, c.size) != 0 )
+        if ( copy_to_guest(domctl->u.hvmcontext.buffer, c.data, c.cur) != 0 )
             ret = -EFAULT;
 
     gethvmcontext_out: