From: Simon Gaiser
To: xen-devel@lists.xenproject.org
Cc: Simon Gaiser, Boris Ostrovsky, Juergen Gross, linux-kernel@vger.kernel.org
Subject: [PATCH] xen: xenbus_dev_frontend: Really return response string
Date: Thu, 15 Mar 2018 04:08:03 +0100
Message-Id: <20180315030803.27781-1-simon@invisiblethingslab.com>
X-Mailer: git-send-email 2.16.2
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

xenbus_command_reply() did not actually copy the response string and leaked stack content instead.

Fixes: 9a6161fe73bd ("xen: return xenstore command failures via response instead of rc")
Signed-off-by: Simon Gaiser
---
PS: AFAICS this is not a security issue since /dev/xen/xenbus is normally only accessible by root and giving xenstore access to a less trusted entity probably has a bunch of other unintended consequences.

 drivers/xen/xenbus/xenbus_dev_frontend.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/xen/xenbus/xenbus_dev_frontend.c b/drivers/xen/xenbus/xenbus_dev_frontend.c index a493e99bed21..845a70fa7f79 100644 --- a/drivers/xen/xenbus/xenbus_dev_frontend.c +++ b/drivers/xen/xenbus/xenbus_dev_frontend.c @@ -403,7 +403,7 @@ static int xenbus_command_reply(struct xenbus_file_priv *u, { struct { struct xsd_sockmsg hdr; - const char body[16]; + char body[16]; } msg; int rc; @@ -412,6 +412,7 @@ static int xenbus_command_reply(struct xenbus_file_priv *u, msg.hdr.len = strlen(reply) + 1; if (msg.hdr.len > sizeof(msg.body)) return -E2BIG; + memcpy(&msg.body, reply, msg.hdr.len); mutex_lock(&u->reply_mutex); rc = queue_reply(&u->read_buffers, &msg, sizeof(msg.hdr) + msg.hdr.len); -- 2.16.2
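Review bot: in the first hunk (@@ -403), dropping `const` from `const char body[16];` is needed for the `memcpy` into `msg.body` to compile, but the old declaration is also the tell for the bug: a `const` member of a stack-allocated struct that no code path ever initialised meant `queue_reply()` shipped `sizeof(msg.hdr) + msg.hdr.len` bytes of whatever the stack held. Consider stating in the commit message that `body` was never written at all, rather than only "not copied", so readers of the log understand why the leaked bytes were arbitrary stack content.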
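Review bot: in the second hunk (@@ -412), `memcpy(&msg.body, reply, msg.hdr.len);` copies exactly `strlen(reply) + 1` bytes, so the terminating NUL travels with the string and the preceding `if (msg.hdr.len > sizeof(msg.body)) return -E2BIG;` bounds the copy to the 16-byte body; that is correct. Two small points: `&msg.body` has type `char (*)[16]` and only works because `memcpy` takes `void *`, so plain `msg.body` would be the conventional spelling; and because `queue_reply()` is handed `sizeof(msg.hdr) + msg.hdr.len`, only the copied bytes leave the kernel, which is worth a one-line comment so nobody later adds a `memset` of the unused tail "to be safe".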
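As an added example (not part of this patch or of the kernel's code), here is a user-space model of the fixed xenbus_command_reply() path together with the check a reviewer can use to confirm the leak is gone: the stack object is poisoned before use, and the queued bytes are inspected for the poison. `struct xsd_sockmsg`, `queue_reply()`, `struct read_buffer`, `command_reply()` and `body_is_clean()` are constructed stand-ins, not the kernel's definitions.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>

/* Stand-in for the xenstore wire header (constructed, not the kernel's). */
struct xsd_sockmsg {
    uint32_t type, req_id, tx_id;
    uint32_t len;                    /* body length, NUL included */
};
struct reply_msg {
    struct xsd_sockmsg hdr;
    char body[16];
};
/* Fake read buffer: records exactly the bytes that were queued to userspace. */
struct read_buffer {
    unsigned char data[sizeof(struct reply_msg)];
    size_t len;
};

static void queue_reply(struct read_buffer *q, const void *src, size_t n)
{
    memcpy(q->data, src, n);
    q->len = n;
}

/* Model of the patched xenbus_command_reply(): check that reply plus NUL fits,
 * copy it into msg.body, then queue header + body. Returns 0 or -E2BIG. */
static int command_reply(struct read_buffer *q, uint32_t type, uint32_t req_id,
                         uint32_t tx_id, const char *reply)
{
    struct reply_msg msg;
    /* Poison the stack object so a test can tell leaked bytes from copied ones;
     * xenstore replies are ASCII, so 0xAA never occurs in a genuine body. */
    memset(&msg, 0xAA, sizeof(msg));
    msg.hdr.type = type; msg.hdr.req_id = req_id; msg.hdr.tx_id = tx_id;
    msg.hdr.len = (uint32_t)strlen(reply) + 1;
    if (msg.hdr.len > sizeof(msg.body))
        return -E2BIG;
    memcpy(msg.body, reply, msg.hdr.len);   /* the copy the patch adds */
    queue_reply(q, &msg, sizeof(msg.hdr) + msg.hdr.len);
    return 0;
}

/* Leak check: no poison byte may appear past the header in the queued data.
 * Without the memcpy above, the body would still hold 0xAA (stack content). */
static int body_is_clean(const struct read_buffer *q)
{
    for (size_t i = sizeof(struct xsd_sockmsg); i < q->len; i++)
        if (q->data[i] == 0xAA)
            return 0;
    return 1;
}
```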