From patchwork Tue Jun 27 22:04:41 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Stefano Stabellini <sstabellini@kernel.org>
X-Patchwork-Id: 9813183
Return-Path: <xen-devel-bounces@lists.xen.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
	[172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id
	7D60F603D7 for <patchwork-xen-devel@patchwork.kernel.org>;
	Tue, 27 Jun 2017 22:07:49 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 7687526E16
	for <patchwork-xen-devel@patchwork.kernel.org>;
	Tue, 27 Jun 2017 22:07:49 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id 6B31E26E39; Tue, 27 Jun 2017 22:07:49 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-4.2 required=2.0 tests=BAYES_00, RCVD_IN_DNSWL_MED
	autolearn=ham version=3.3.1
Received: from lists.xenproject.org (lists.xenproject.org [192.237.175.120])
	(using TLSv1.2 with cipher AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by mail.wl.linuxfoundation.org (Postfix) with ESMTPS id DB2B026E46
	for <patchwork-xen-devel@patchwork.kernel.org>;
	Tue, 27 Jun 2017 22:07:48 +0000 (UTC)
Received: from localhost ([127.0.0.1] helo=lists.xenproject.org)
	by lists.xenproject.org with esmtp (Exim 4.84_2)
	(envelope-from <xen-devel-bounces@lists.xen.org>)
	id 1dPybO-0002zO-4q; Tue, 27 Jun 2017 22:04:54 +0000
Received: from mail6.bemta6.messagelabs.com ([193.109.254.103])
	by lists.xenproject.org with esmtp (Exim 4.84_2)
	(envelope-from <sstabellini@kernel.org>) id 1dPybM-0002yw-Ib
	for xen-devel@lists.xenproject.org; Tue, 27 Jun 2017 22:04:52 +0000
Received: from [193.109.254.147] by server-4.bemta-6.messagelabs.com id
	72/D2-02962-386D2595; Tue, 27 Jun 2017 22:04:51 +0000
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFvrBLMWRWlGSWpSXmKPExsVybKJssm7ztaB
	Ig0s3+S2+b5nM5MDocfjDFZYAxijWzLyk/IoE1oxlv5exFCwVqfh+spOxgXElfxcjF4eQwDom
	iSsze1i6GDk5WAQcJI53fmTtYuTgYBSIkXjwwxokzCgQJjH58hJWEJtNwFDi75NNbCC2CJD9Y
	OtyVpA5zALLGSWmNv8GSwgLuEq8ebEYbA6LgKrE5vdxIGFeATeJ+dNuMYHYEgJyEiePTQabyS
	ngIzH14QYwW0jAW2LpyoVMExh5FzAyrGJUL04tKkst0jXVSyrKTM8oyU3MzNE1NDDTy00tLk5
	MT81JTCrWS87P3cQIDAUGINjBOP2y/yFGSQ4mJVHeU51BkUJ8SfkplRmJxRnxRaU5qcWHGGU4
	OJQkeF9eAcoJFqWmp1akZeYAgxImLcHBoyTC63cVKM1bXJCYW5yZDpE6xajLsWH1+i9MQix5+
	XmpUuK8b0FmCIAUZZTmwY2ARcglRlkpYV5GoKOEeApSi3IzS1DlXzGKczAqCfPWXgaawpOZVw
	K36RXQEUxAR7DMCwA5oiQRISXVwOgmdFCj+9TcdVuUjA2uH9g0+4T5QU7NmeLpfYyVK6yDHed
	+mJ090+TXhFQvp8Upf39/cn368fNqdZMYc0b78CsZp2raWp/5RG/Slm2ek5obtuN1lsRJJqGm
	V9POT7gQX5wtrcUeyx8z/YuE/xdhhppa9s49FQuyt3mIrrh8RaWG9/zsiYp3VJVYijMSDbWYi
	4oTAfidWqiLAgAA
X-Env-Sender: sstabellini@kernel.org
X-Msg-Ref: server-16.tower-27.messagelabs.com!1498601090!109424218!1
X-Originating-IP: [198.145.29.99]
X-SpamReason: No, hits=0.0 required=7.0 tests=
X-StarScan-Received: 
X-StarScan-Version: 9.4.19; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 50914 invoked from network); 27 Jun 2017 22:04:51 -0000
Received: from mail.kernel.org (HELO mail.kernel.org) (198.145.29.99)
	by server-16.tower-27.messagelabs.com with DHE-RSA-AES256-GCM-SHA384
	encrypted SMTP; 27 Jun 2017 22:04:51 -0000
Received: from localhost.localdomain
	(162-198-228-33.lightspeed.wlfrct.sbcglobal.net [162.198.228.33])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-SHA256 (128/128 bits))
	(No client certificate requested)
	by mail.kernel.org (Postfix) with ESMTPSA id 28282214D7;
	Tue, 27 Jun 2017 22:04:49 +0000 (UTC)
DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 28282214D7
From: Stefano Stabellini <sstabellini@kernel.org>
To: peter.maydell@linaro.org,
	stefanha@gmail.com
Date: Tue, 27 Jun 2017 15:04:41 -0700
Message-Id: <1498601083-11799-1-git-send-email-sstabellini@kernel.org>
X-Mailer: git-send-email 1.9.1
In-Reply-To: <alpine.DEB.2.10.1706271456310.24648@sstabellini-ThinkPad-X260>
References: <alpine.DEB.2.10.1706271456310.24648@sstabellini-ThinkPad-X260>
Cc: sstabellini@kernel.org, stefanha@redhat.com, qemu-devel@nongnu.org,
	Jan Beulich <jbeulich@suse.com>, anthony.perard@citrix.com,
	xen-devel@lists.xenproject.org
Subject: [Xen-devel] [PULL 1/3] xen/disk: don't leak stack data via response
	ring
X-BeenThere: xen-devel@lists.xen.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: Xen developer discussion <xen-devel.lists.xen.org>
List-Unsubscribe: <https://lists.xen.org/cgi-bin/mailman/options/xen-devel>,
	<mailto:xen-devel-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-devel@lists.xen.org>
List-Help: <mailto:xen-devel-request@lists.xen.org?subject=help>
List-Subscribe: <https://lists.xen.org/cgi-bin/mailman/listinfo/xen-devel>,
	<mailto:xen-devel-request@lists.xen.org?subject=subscribe>
MIME-Version: 1.0
Errors-To: xen-devel-bounces@lists.xen.org
Sender: "Xen-devel" <xen-devel-bounces@lists.xen.org>
X-Virus-Scanned: ClamAV using ClamSMTP

Rather than constructing a local structure instance on the stack, fill
the fields directly on the shared ring, just like other (Linux)
backends do. Build on the fact that all response structure flavors are
actually identical (aside from alignment and padding at the end).

This is XSA-216.

Reported by: Anthony Perard <anthony.perard@citrix.com>
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Signed-off-by: Stefano Stabellini <sstabellini@kernel.org>
Acked-by: Anthony PERARD <anthony.perard@citrix.com>
---
 hw/block/xen_disk.c | 25 ++++++++++++-------------
 1 file changed, 12 insertions(+), 13 deletions(-)

diff --git a/hw/block/xen_disk.c b/hw/block/xen_disk.c
index 3a22805..9200511 100644
--- a/hw/block/xen_disk.c
+++ b/hw/block/xen_disk.c
@@ -769,31 +769,30 @@ static int blk_send_response_one(struct ioreq *ioreq)
     struct XenBlkDev  *blkdev = ioreq->blkdev;
     int               send_notify   = 0;
     int               have_requests = 0;
-    blkif_response_t  resp;
-    void              *dst;
-
-    resp.id        = ioreq->req.id;
-    resp.operation = ioreq->req.operation;
-    resp.status    = ioreq->status;
+    blkif_response_t  *resp;
 
     /* Place on the response ring for the relevant domain. */
     switch (blkdev->protocol) {
     case BLKIF_PROTOCOL_NATIVE:
-        dst = RING_GET_RESPONSE(&blkdev->rings.native, blkdev->rings.native.rsp_prod_pvt);
+        resp = (blkif_response_t *) RING_GET_RESPONSE(&blkdev->rings.native,
+                                 blkdev->rings.native.rsp_prod_pvt);
         break;
     case BLKIF_PROTOCOL_X86_32:
-        dst = RING_GET_RESPONSE(&blkdev->rings.x86_32_part,
-                                blkdev->rings.x86_32_part.rsp_prod_pvt);
+        resp = (blkif_response_t *) RING_GET_RESPONSE(&blkdev->rings.x86_32_part,
+                                 blkdev->rings.x86_32_part.rsp_prod_pvt);
         break;
     case BLKIF_PROTOCOL_X86_64:
-        dst = RING_GET_RESPONSE(&blkdev->rings.x86_64_part,
-                                blkdev->rings.x86_64_part.rsp_prod_pvt);
+        resp = (blkif_response_t *) RING_GET_RESPONSE(&blkdev->rings.x86_64_part,
+                                 blkdev->rings.x86_64_part.rsp_prod_pvt);
         break;
     default:
-        dst = NULL;
         return 0;
     }
-    memcpy(dst, &resp, sizeof(resp));
+
+    resp->id        = ioreq->req.id;
+    resp->operation = ioreq->req.operation;
+    resp->status    = ioreq->status;
+
     blkdev->rings.common.rsp_prod_pvt++;
 
     RING_PUSH_RESPONSES_AND_CHECK_NOTIFY(&blkdev->rings.common, send_notify);