
virtio-gpu: fix information leak in getting capset info dispatch

Message ID 5818661e.0860240a.77264.7a56@mx.google.com (mailing list archive)
State New, archived

Commit Message

Li Qiang Nov. 1, 2016, 9:53 a.m. UTC
From: Li Qiang <liqiang6-s@360.cn>

In virgl_cmd_get_capset_info dispatch function, the 'resp' hasn't
been fully initialized before writing to the guest. This will leak
the 'resp.padding' and 'resp.hdr.padding' fields to the guest. This
patch fixes this issue.

Signed-off-by: Li Qiang <liqiang6-s@360.cn>
---
 hw/display/virtio-gpu-3d.c | 1 +
 1 file changed, 1 insertion(+)

Comments

Gerd Hoffmann Nov. 1, 2016, 11:13 a.m. UTC | #1
On Di, 2016-11-01 at 02:53 -0700, Li Qiang wrote:
> From: Li Qiang <liqiang6-s@360.cn>
> 
> In virgl_cmd_get_capset_info dispatch function, the 'resp' hasn't
> been fully initialized before writing to the guest. This will leak
> the 'resp.padding' and 'resp.hdr.padding' fields to the guest. This
> patch fixes this issue.
> 
> Signed-off-by: Li Qiang <liqiang6-s@360.cn>

Added to vga queue.

thanks,
  Gerd

Patch

diff --git a/hw/display/virtio-gpu-3d.c b/hw/display/virtio-gpu-3d.c
index 758d33a..23f39de 100644
--- a/hw/display/virtio-gpu-3d.c
+++ b/hw/display/virtio-gpu-3d.c
@@ -347,6 +347,7 @@  static void virgl_cmd_get_capset_info(VirtIOGPU *g,
 
     VIRTIO_GPU_FILL_CMD(info);
 
+    memset(&resp, 0, sizeof(resp));
     if (info.capset_index == 0) {
         resp.capset_id = VIRTIO_GPU_CAPSET_VIRGL;
         virgl_renderer_get_cap_set(resp.capset_id,
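
Review bot: The added memset(&resp, 0, sizeof(resp)) ahead of the capset_index check carries no comment explaining why it is there, so a later cleanup could drop it as redundant once every named field is assigned. A one-line comment stating that resp is written to the guest in full, padding included (the commit message names resp.padding and resp.hdr.padding), would keep the intent visible. Since only virgl_cmd_get_capset_info is touched, it is also worth confirming that the other handlers in this file that build a resp zero it before filling it.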