mshv_vtl_hvcall_call() copies output_size bytes to userspace. The output page is freshly allocated. Userspace chooses the copyout length.
If the hypercall writes less, the tail can contain stale page data. Clear the copied range before issuing the hypercall. Also check both bounce page allocations before either page is used. Signed-off-by: Yousef Alhouseen <[email protected]> --- Changes in v2: - Use the mshv_vtl subject prefix. - Clear only the requested output byte range instead of the whole page. - Add a comment explaining why the output range is cleared. - Keep free_page() calls unconditional. - v1: https://lore.kernel.org/r/[email protected] drivers/hv/mshv_vtl_main.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/drivers/hv/mshv_vtl_main.c b/drivers/hv/mshv_vtl_main.c index 0d3d41619..dbf03b667 100644 --- a/drivers/hv/mshv_vtl_main.c +++ b/drivers/hv/mshv_vtl_main.c @@ -1148,12 +1148,22 @@ static int mshv_vtl_hvcall_call(struct mshv_vtl_hvcall_fd *fd, */ in = (void *)__get_free_page(GFP_KERNEL); out = (void *)__get_free_page(GFP_KERNEL); + if (!in || !out) { + ret = -ENOMEM; + goto free_pages; + } if (copy_from_user(in, (void __user *)hvcall.input_ptr, hvcall.input_size)) { ret = -EFAULT; goto free_pages; } + /* + * The caller supplies output_size, so clear the range copied back to + * userspace in case the hypercall writes fewer bytes than requested. + */ + memset(out, 0, hvcall.output_size); + hvcall.status = hv_do_hypercall(hvcall.control, in, out); if (copy_to_user((void __user *)hvcall.output_ptr, out, hvcall.output_size)) { -- 2.54.0
