From patchwork Tue Nov  1 09:53:11 2016
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Li Qiang <liq3ea@gmail.com>
X-Patchwork-Id: 9407091
Return-Path: 
 <qemu-devel-bounces+patchwork-qemu-devel=patchwork.kernel.org@nongnu.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
	[172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id
	A42D360585 for <patchwork-qemu-devel@patchwork.kernel.org>;
	Tue,  1 Nov 2016 09:53:59 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 81950296B4
	for <patchwork-qemu-devel@patchwork.kernel.org>;
	Tue,  1 Nov 2016 09:53:59 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id 75427296B6; Tue,  1 Nov 2016 09:53:59 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-6.8 required=2.0 tests=BAYES_00,
	DKIM_ADSP_CUSTOM_MED,
	DKIM_SIGNED, FREEMAIL_FROM, RCVD_IN_DNSWL_HI,
	T_DKIM_INVALID autolearn=ham version=3.3.1
Received: from lists.gnu.org (lists.gnu.org [208.118.235.17])
	(using TLSv1 with cipher AES256-SHA (256/256 bits))
	(No client certificate requested)
	by mail.wl.linuxfoundation.org (Postfix) with ESMTPS id 557BB296B4
	for <patchwork-qemu-devel@patchwork.kernel.org>;
	Tue,  1 Nov 2016 09:53:57 +0000 (UTC)
Received: from localhost ([::1]:46583 helo=lists.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.71) (envelope-from
	<qemu-devel-bounces+patchwork-qemu-devel=patchwork.kernel.org@nongnu.org>)
	id 1c1VlU-0007Ni-Sd for patchwork-qemu-devel@patchwork.kernel.org;
	Tue, 01 Nov 2016 05:53:56 -0400
Received: from eggs.gnu.org ([2001:4830:134:3::10]:47754)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <liq3ea@gmail.com>) id 1c1VlD-0007NY-EN
	for qemu-devel@nongnu.org; Tue, 01 Nov 2016 05:53:40 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <liq3ea@gmail.com>) id 1c1VlA-0006Lo-DS
	for qemu-devel@nongnu.org; Tue, 01 Nov 2016 05:53:39 -0400
Received: from mail-oi0-x241.google.com ([2607:f8b0:4003:c06::241]:34127)
	by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16)
	(Exim 4.71) (envelope-from <liq3ea@gmail.com>) id 1c1VlA-0006Lh-7k
	for qemu-devel@nongnu.org; Tue, 01 Nov 2016 05:53:36 -0400
Received: by mail-oi0-x241.google.com with SMTP id 62so13090770oif.1
	for <qemu-devel@nongnu.org>; Tue, 01 Nov 2016 02:53:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;
	h=message-id:from:to:cc:subject:date;
	bh=uczMqE72Se6sDh/sLMlGqFf8kgZYmkdRxSsY/Si7iXo=;
	b=cgjmWyz7ailQj87ib4fY41rJPNuevkLIeFKOOVC7HYJbRL1bFuzzXeEp5Sp0I4T0Ow
	kk/SSyfHTqbIUi8RhCPRuW349n4saiBs7ofEzwzU9BZObPjbsfCsga6fkivwSYtGmj+7
	ZvO74leYAgSp7IPKztMDDGTCkHlkgVGvXdvc0yFP+jrGPJdDMdQvA6C9CLG6Jd9HuRoo
	4fKC2M4BhuVGYESHpwR4YakEgvn5k9OsrReJnoD8SGYeVizzTJSADMtrBR+L4KHTcmb6
	hqny0xntZpLQtUTjpxYXNjGc0Nh+H8jHr+vzRS9x2ssnTn2vyyaAmG2b6nSW7TqUTaSA
	T28Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20130820;
	h=x-gm-message-state:message-id:from:to:cc:subject:date;
	bh=uczMqE72Se6sDh/sLMlGqFf8kgZYmkdRxSsY/Si7iXo=;
	b=BLC28ADPzegIglkisijWfjNqQePSlPZcwx2qWHdfHE/t8tkhJS7+2QkjmHgyC7yTUR
	FqewvBz3ekKnuJ/ut3rkhU9+CWy8NcL0FoFoeInAW3hsXqmhO+reYq4LRG8KuYjhtF8G
	Z2kR18eXkSNifkJkRV0Vpf+jaxwaL3vAmYPdrSP+PXYQdDRcndL56GXvB9u99W6xVKKp
	wFQbZ3nQf+SGi7i72fLrdUwI7EgYNPddEIxq7rIs/jp0Es1+5+SNcOYfeljaAXQr4GqO
	c+ZXmzR1+kRKQdZeolUl36kdz/WdvlYkbm81sA+ShpsIXPPglrJbJGPWcfZr/ptzqepe
	nJJA==
X-Gm-Message-State: 
 ABUngvf7A9tfWptj1kNwt/LhJGIjBmzlRiR80Z6NQ3efJULPvQAur+dmmiLSEOIJSXBTRA==
X-Received: by 10.107.168.223 with SMTP id e92mr310865ioj.40.1477994015034;
	Tue, 01 Nov 2016 02:53:35 -0700 (PDT)
Received: from localhost.localdomain.localdomain ([104.192.110.250])
	by smtp.gmail.com with ESMTPSA id
	i8sm10276234itc.11.2016.11.01.02.53.32
	(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
	Tue, 01 Nov 2016 02:53:34 -0700 (PDT)
Message-ID: <5818661e.0860240a.77264.7a56@mx.google.com>
X-Google-Original-Message-ID: 
 <1477993991-10537-1-git-send-email-Qiang(liqiang6-s@360.cn)>
From: Li Qiang <liq3ea@gmail.com>
X-Google-Original-From: Li Qiang(liqiang6-s@360.cn)
To: kraxel@redhat.com,
	qemu-devel@nongnu.org
Date: Tue,  1 Nov 2016 02:53:11 -0700
X-Mailer: git-send-email 1.8.3.1
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic]
X-Received-From: 2607:f8b0:4003:c06::241
Subject: [Qemu-devel] [PATCH] virtio-gpu: fix information leak in getting
	capset info dispatch
X-BeenThere: qemu-devel@nongnu.org
X-Mailman-Version: 2.1.21
Precedence: list
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel/>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
Cc: Li Qiang <liqiang6-s@360.cn>
Errors-To: 
 qemu-devel-bounces+patchwork-qemu-devel=patchwork.kernel.org@nongnu.org
Sender: "Qemu-devel"
	<qemu-devel-bounces+patchwork-qemu-devel=patchwork.kernel.org@nongnu.org>
X-Virus-Scanned: ClamAV using ClamSMTP

From: Li Qiang <liqiang6-s@360.cn>

In virgl_cmd_get_capset_info dispatch function, the 'resp' hasn't
been full initialized before writing to the guest. This will leak
the 'resp.padding' and 'resp.hdr.padding' fieds to the guest. This
patch fix this issue.

Signed-off-by: Li Qiang <liqiang6-s@360.cn>
---
 hw/display/virtio-gpu-3d.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/hw/display/virtio-gpu-3d.c b/hw/display/virtio-gpu-3d.c
index 758d33a..23f39de 100644
--- a/hw/display/virtio-gpu-3d.c
+++ b/hw/display/virtio-gpu-3d.c
@@ -347,6 +347,7 @@ static void virgl_cmd_get_capset_info(VirtIOGPU *g,
 
     VIRTIO_GPU_FILL_CMD(info);
 
+    memset(&resp, 0, sizeof(resp));
     if (info.capset_index == 0) {
         resp.capset_id = VIRTIO_GPU_CAPSET_VIRGL;
         virgl_renderer_get_cap_set(resp.capset_id,