diff mbox

virtio-gpu: fix information leak in capset get dispatch

Message ID 58188cae.4a6ec20a.3d2d1.aff2@mx.google.com (mailing list archive)
State New, archived
Headers show

Commit Message

Li Qiang Nov. 1, 2016, 12:37 p.m. UTC 
From: Li Qiang <liqiang6-s@360.cn>

In virgl_cmd_get_capset function, it uses g_malloc to allocate
a response struct to the guest. As the 'resp'struct hasn't been full
initialized it will lead the 'resp->padding' field to the guest.
Use g_malloc0 to avoid this.

Signed-off-by: Li Qiang <liqiang6-s@360.cn>
---
 hw/display/virtio-gpu-3d.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Marc-André Lureau Nov. 1, 2016, 12:51 p.m. UTC | #1 
Hi

On Tue, Nov 1, 2016 at 3:38 PM Li Qiang <liq3ea@gmail.com> wrote:

> From: Li Qiang <liqiang6-s@360.cn>
>
> In virgl_cmd_get_capset function, it uses g_malloc to allocate
> a response struct to the guest. As the 'resp'struct hasn't been full
> initialized it will lead the 'resp->padding' field to the guest.
> Use g_malloc0 to avoid this.
>
> Signed-off-by: Li Qiang <liqiang6-s@360.cn>
>

I was about to point out this in the previous memset patch

Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>


---
>  hw/display/virtio-gpu-3d.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/hw/display/virtio-gpu-3d.c b/hw/display/virtio-gpu-3d.c
> index 23f39de..d98b140 100644
> --- a/hw/display/virtio-gpu-3d.c
> +++ b/hw/display/virtio-gpu-3d.c
> @@ -371,7 +371,7 @@ static void virgl_cmd_get_capset(VirtIOGPU *g,
>
>      virgl_renderer_get_cap_set(gc.capset_id, &max_ver,
>                                 &max_size);
> -    resp = g_malloc(sizeof(*resp) + max_size);
> +    resp = g_malloc0(sizeof(*resp) + max_size);
>
>      resp->hdr.type = VIRTIO_GPU_RESP_OK_CAPSET;
>      virgl_renderer_fill_caps(gc.capset_id,
> --
> 1.8.3.1
>
>
> --
Marc-André Lureau
Li Qiang Dec. 13, 2016, 10:32 a.m. UTC | #2 
Ping!

2016-11-01 20:37 GMT+08:00 Li Qiang <liq3ea@gmail.com>:

> From: Li Qiang <liqiang6-s@360.cn>
>
> In virgl_cmd_get_capset function, it uses g_malloc to allocate
> a response struct to the guest. As the 'resp'struct hasn't been full
> initialized it will lead the 'resp->padding' field to the guest.
> Use g_malloc0 to avoid this.
>
> Signed-off-by: Li Qiang <liqiang6-s@360.cn>
> ---
>  hw/display/virtio-gpu-3d.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/hw/display/virtio-gpu-3d.c b/hw/display/virtio-gpu-3d.c
> index 23f39de..d98b140 100644
> --- a/hw/display/virtio-gpu-3d.c
> +++ b/hw/display/virtio-gpu-3d.c
> @@ -371,7 +371,7 @@ static void virgl_cmd_get_capset(VirtIOGPU *g,
>
>      virgl_renderer_get_cap_set(gc.capset_id, &max_ver,
>                                 &max_size);
> -    resp = g_malloc(sizeof(*resp) + max_size);
> +    resp = g_malloc0(sizeof(*resp) + max_size);
>
>      resp->hdr.type = VIRTIO_GPU_RESP_OK_CAPSET;
>      virgl_renderer_fill_caps(gc.capset_id,
> --
> 1.8.3.1
>
>
diff mbox

Patch

diff --git a/hw/display/virtio-gpu-3d.c b/hw/display/virtio-gpu-3d.c
index 23f39de..d98b140 100644
--- a/hw/display/virtio-gpu-3d.c
+++ b/hw/display/virtio-gpu-3d.c
@@ -371,7 +371,7 @@  static void virgl_cmd_get_capset(VirtIOGPU *g,
 
     virgl_renderer_get_cap_set(gc.capset_id, &max_ver,
                                &max_size);
-    resp = g_malloc(sizeof(*resp) + max_size);
+    resp = g_malloc0(sizeof(*resp) + max_size);
 
     resp->hdr.type = VIRTIO_GPU_RESP_OK_CAPSET;
     virgl_renderer_fill_caps(gc.capset_id,