Commit 1d6a8212 authored Feb 15, 2016 by Marc Zyngier

arm/arm64: KVM: Feed initialized memory to MMIO accesses



On an MMIO access, we always copy the on-stack buffer info
the shared "run" structure, even if this is a read access.
This ends up leaking up to 8 bytes of uninitialized memory
into userspace, depending on the size of the access.

An obvious fix for this one is to only perform the copy if
this is an actual write.

Reviewed-by: Christoffer Dall <christoffer.dall@linaro.org>
Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>

parent 236cf17c

arch/arm/kvm/mmio.c

+2 −1

Original line number	Diff line number	Diff line
		@@ -206,6 +206,7 @@ int io_mem_abort(struct kvm_vcpu vcpu, struct kvm_run run,
		run->mmio.is_write = is_write;
		run->mmio.phys_addr = fault_ipa;
		run->mmio.len = len;
		if (is_write)
		memcpy(run->mmio.data, data_buf, len);

		if (!ret) {