From patchwork Mon Jan 27 13:48:00 2020
X-Patchwork-Submitter: Julien Grall
From: Julien Grall
To: xen-devel@lists.xenproject.org
Cc: Andrew Cooper, Julien Grall, Wei Liu, Roger Pau Monné
Date: Mon, 27 Jan 2020 13:48:00 +0000
Message-Id: <20200127134800.15078-1-julien@xen.org>
Subject: [Xen-devel] [PATCH] xen/x86: domctl: Don't leak data via XEN_DOMCTL_gethvmcontext

The HVM context may not fill up the full buffer passed by the caller. While we report correctly the size of the context, we will still be copying back the full size of the buffer. As the buffer is allocated through xmalloc(), we will be copying some bits from the previous allocation.

Only copy back the part of the buffer used by the HVM context to prevent any leak.

Note that per XSA-72, this is not a security issue.
Signed-off-by: Julien Grall Reviewed-by: Jan Beulich --- xen/arch/x86/domctl.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/xen/arch/x86/domctl.c b/xen/arch/x86/domctl.c index 5ed63ac10a..4fa9c91140 100644 --- a/xen/arch/x86/domctl.c +++ b/xen/arch/x86/domctl.c @@ -540,7 +540,7 @@ long arch_do_domctl( domain_unpause(d); domctl->u.hvmcontext.size = c.cur; - if ( copy_to_guest(domctl->u.hvmcontext.buffer, c.data, c.size) != 0 ) + if ( copy_to_guest(domctl->u.hvmcontext.buffer, c.data, c.cur) != 0 ) ret = -EFAULT; gethvmcontext_out:
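Review bot: the copy length now matches the size reported to the caller on the preceding line (`domctl->u.hvmcontext.size = c.cur;`), so the bytes between c.cur and c.size of the xmalloc()'d c.data buffer, which the commit message identifies as stale content from a previous allocation, are no longer copied out. The tail of c.data remains uninitialised after this change; if that buffer is cheap to clear, allocating it zeroed would be a reasonable defence-in-depth against any other path that still copies by c.size, but for the leak described here the one-line change is the correct and sufficient fix.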
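As an added illustration of the leak the commit message describes (not code from Xen or from the patch author), the following models a partially filled context buffer living in non-zeroed storage and runs the copy-back once with the pre-patch length (c.size) and once with the patched length (c.cur); hvm_ctx, fake_xmalloc, fill_context and leaked_bytes are constructed stand-ins, not Xen's API.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for Xen's hvm_domain_context: 'size' bytes are
 * allocated but the save path may fill only the first 'cur' of them. */
struct hvm_ctx {
    uint8_t *data;
    uint32_t size;
    uint32_t cur;
};

/* Constructed stand-in for xmalloc(): a fixed arena handed out again and
 * again without clearing, so a new allocation inherits its previous owner's bytes. */
static uint8_t arena[64];
static void *fake_xmalloc(size_t n)
{
    return n <= sizeof arena ? arena : NULL;
}

/* Model of the save side: writes 16 bytes of context into the 64-byte buffer. */
static void fill_context(struct hvm_ctx *c)
{
    for (c->cur = 0; c->cur < 16; c->cur++)
        c->data[c->cur] = (uint8_t)c->cur;
}

/* One gethvmcontext copy-back; returns how many bytes of the previous
 * allocation's 0xA5 fill reach the caller. copy_by_cur == 0 models the
 * pre-patch copy of c.size bytes, non-zero the patched copy of c.cur bytes. */
static size_t leaked_bytes(int copy_by_cur)
{
    uint8_t caller_buf[64];
    size_t leaked = 0;
    /* An earlier allocation used the arena and left 0xA5 behind (constructed). */
    memset(fake_xmalloc(sizeof arena), 0xA5, sizeof arena);
    /* The context buffer is xmalloc()'d, not zeroed, then partially filled. */
    struct hvm_ctx c = { .data = fake_xmalloc(sizeof arena), .size = sizeof arena, .cur = 0 };
    fill_context(&c);
    /* copy_to_guest() equivalent: the length is all the patch changes. */
    memset(caller_buf, 0, sizeof caller_buf);
    memcpy(caller_buf, c.data, copy_by_cur ? c.cur : c.size);
    for (size_t i = c.cur; i < c.size; i++)
        if (caller_buf[i] == 0xA5)
            leaked++;
    return leaked;
}
```

With the pre-patch length, all 48 unused bytes of the 64-byte buffer reach the caller; with the patched length, none do.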