Am 30.10.2010 16:11, Vasiliy Kulikov wrote: > Structure kvm_ppc_pvinfo is copied to userland with pad field > unitialized. Structure kvm_clock_data is copied to userland with > flags and pad fields unitialized. It leads to leaking of contents > of kernel stack memory.
This description only partially matches your patch, please fix. > > Signed-off-by: Vasiliy Kulikov <[email protected]> > --- > I cannot compile this driver, so it is not tested at all. Why? It should be compilable (provided you have a x86 toolchain). > > As it is not compilable, I've missed and typed wrong var name in v1, sorry. > > arch/x86/kvm/x86.c | 3 ++- > 1 files changed, 2 insertions(+), 1 deletions(-) > > diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c > index b0818f6..261f3d0 100644 > --- a/arch/x86/kvm/x86.c > +++ b/arch/x86/kvm/x86.c > @@ -2896,6 +2896,7 @@ long kvm_arch_vcpu_ioctl(struct file *filp, > case KVM_GET_DEBUGREGS: { > struct kvm_debugregs dbgregs; > > + memset(&dbgregs, 0, sizeof(dbgregs)); > kvm_vcpu_ioctl_x86_get_debugregs(vcpu, &dbgregs); > > r = -EFAULT; > @@ -3481,11 +3482,11 @@ long kvm_arch_vm_ioctl(struct file *filp, > struct kvm_clock_data user_ns; > u64 now_ns; > > + memset(&user_ns, 0, sizeof(user_ns)); > local_irq_disable(); > now_ns = get_kernel_ns(); > user_ns.clock = kvm->arch.kvmclock_offset + now_ns; > local_irq_enable(); > - user_ns.flags = 0; > > r = -EFAULT; > if (copy_to_user(argp, &user_ns, sizeof(user_ns))) I would rather clear the padding/reserved fields (in both cases). No need to double-initialize properly set fields. There are more interfaces in KVM for obtaining data from the kernel via padded structures. Did you check them all (kvm_vcpu_events come to my mind)? Nevertheless, looks like a worthwhile hardening of the KVM interfaces. Thanks, Jan
signature.asc
Description: OpenPGP digital signature
