| Message ID | 20181107224306.87011-1-liran.alon@oracle.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | KVM: x86: Fix kernel info-leak in KVM_HC_CLOCK_PAIRING hypercall | expand |
On 07/11/18 23:43, Liran Alon wrote: > kvm_pv_clock_pairing() allocates local var > "struct kvm_clock_pairing clock_pairing" on stack and initializes > all it's fields besides padding (clock_pairing.pad[]). > > Because clock_pairing var is written completely (including padding) > to guest memory, failure to init struct padding results in kernel > info-leak. > > Fix the issue by making sure to also init the padding with zeroes. > > Fixes: 55dd00a73a51 ("KVM: x86: add KVM_HC_CLOCK_PAIRING hypercall") > > Reported-by: syzbot+a8ef68d71211ba264f56@syzkaller.appspotmail.com > Reviewed-by: Mark Kanda <mark.kanda@oracle.com> > Signed-off-by: Liran Alon <liran.alon@oracle.com> > --- > arch/x86/kvm/x86.c | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c > index 6095c8431b11..9db4fb6a372c 100644 > --- a/arch/x86/kvm/x86.c > +++ b/arch/x86/kvm/x86.c > @@ -7034,6 +7034,7 @@ static int kvm_pv_clock_pairing(struct kvm_vcpu *vcpu, gpa_t paddr, > clock_pairing.nsec = ts.tv_nsec; > clock_pairing.tsc = kvm_read_l1_tsc(vcpu, cycle); > clock_pairing.flags = 0; > + memset(&clock_pairing.pad, 0, sizeof(clock_pairing.pad)); > > ret = 0; > if (kvm_write_guest(vcpu->kvm, paddr, &clock_pairing, > Queued, thanks. Paolo
diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c index 6095c8431b11..9db4fb6a372c 100644 --- a/arch/x86/kvm/x86.c +++ b/arch/x86/kvm/x86.c @@ -7034,6 +7034,7 @@ static int kvm_pv_clock_pairing(struct kvm_vcpu *vcpu, gpa_t paddr, clock_pairing.nsec = ts.tv_nsec; clock_pairing.tsc = kvm_read_l1_tsc(vcpu, cycle); clock_pairing.flags = 0; + memset(&clock_pairing.pad, 0, sizeof(clock_pairing.pad)); ret = 0; if (kvm_write_guest(vcpu->kvm, paddr, &clock_pairing,
kvm_pv_clock_pairing() allocates local var "struct kvm_clock_pairing clock_pairing" on stack and initializes all it's fields besides padding (clock_pairing.pad[]). Because clock_pairing var is written completely (including padding) to guest memory, failure to init struct padding results in kernel info-leak. Fix the issue by making sure to also init the padding with zeroes. Fixes: 55dd00a73a51 ("KVM: x86: add KVM_HC_CLOCK_PAIRING hypercall") Reported-by: syzbot+a8ef68d71211ba264f56@syzkaller.appspotmail.com Reviewed-by: Mark Kanda <mark.kanda@oracle.com> Signed-off-by: Liran Alon <liran.alon@oracle.com> --- arch/x86/kvm/x86.c | 1 + 1 file changed, 1 insertion(+)