diff options
| author |   Marc Zyngier <marc.zyngier@arm.com> | 2016-02-15 17:04:04 +0000 |
|---|---|---|
| committer | Marc Zyngier <marc.zyngier@arm.com> | 2016-02-24 11:53:09 +0000 |
| commit | 1d6a821277aaa0cdd666278aaff93298df313d41 (patch) | |
| tree | 1e2326fcf2543367d7b7b47166eb2191224940e2 | |
| parent | KVM: arm/arm64: vgic: Ensure bitmaps are long enough (diff) | |
| download | linux-dev-1d6a821277aaa0cdd666278aaff93298df313d41.tar.xz linux-dev-1d6a821277aaa0cdd666278aaff93298df313d41.zip | |
arm/arm64: KVM: Feed initialized memory to MMIO accesses
On an MMIO access, we always copy the on-stack buffer info
the shared "run" structure, even if this is a read access.
This ends up leaking up to 8 bytes of uninitialized memory
into userspace, depending on the size of the access.
An obvious fix for this one is to only perform the copy if
this is an actual write.
Reviewed-by: Christoffer Dall <christoffer.dall@linaro.org>
Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
| -rw-r--r-- | arch/arm/kvm/mmio.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/arch/arm/kvm/mmio.c b/arch/arm/kvm/mmio.c index 7f33b2056ae6..0f6600f05137 100644 --- a/arch/arm/kvm/mmio.c +++ b/arch/arm/kvm/mmio.c @@ -206,7 +206,8 @@ int io_mem_abort(struct kvm_vcpu *vcpu, struct kvm_run *run, run->mmio.is_write = is_write; run->mmio.phys_addr = fault_ipa; run->mmio.len = len; - memcpy(run->mmio.data, data_buf, len); + if (is_write) + memcpy(run->mmio.data, data_buf, len); if (!ret) { /* We handled the access successfully in the kernel. */ |