Received: by 2002:ac0:a5b6:0:0:0:0:0 with SMTP id m51-v6csp3759257imm;
        Mon, 18 Jun 2018 03:40:14 -0700 (PDT)
X-Google-Smtp-Source: ADUXVKJoLvGSiUW09pfZMx7QL3emvLjlXu+JmZI3oskK/pZN8HbeH9jiEwfxESYOEdR+7AFwIoSd
X-Received: by 2002:a17:902:5991:: with SMTP id p17-v6mr13246842pli.191.1529318414624;
        Mon, 18 Jun 2018 03:40:14 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1529318414; cv=none;
        d=google.com; s=arc-20160816;
        b=On+Pw4reJg5cWtL3tpeK9KvwVCoy9Nm0M8gEhYrCyG/cCI40W5rRtx5BUj65mOZujy
         OVRjtL06OKnYbX1DPdj/YQ9zoUhMY2vyh08MCXpRxmEuV8ZjeQ+ybFByph7ntZnXJJi0
         OMm0XlwgwUt/NIk/hJTWqWU2Z08edzIeZCd0Ilz/MW4Uc4BVW9dgtmVgKBTF5ElHdvtR
         k9gJ8gY9KUjuVfKQ44NwSvdn56aQZBTZplZAjPSTWcOscODBMI5um7z/TXdI6yL6946v
         G9Bh+YdL4e5qvXwWHPp0o9umcu9xmCLOa4vo9JpnFQmEb2rM6lRkNvamOppFz0rjISNN
         Y7sA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:mime-version:user-agent:references
         :in-reply-to:message-id:date:subject:cc:to:from
         :arc-authentication-results;
        bh=J+DnW21MncZbWzuvbnAPHod+hTdnj0VNbDMLyMsOXjY=;
        b=NBA3OJu3yj3H5WXwhHlmj1Ga27yUVI/8DsDFI4YrdTBgoKcnZsBAmpPeeMtuINWlxj
         8ORxgJ+HcY9fX8WLSyIDMrsuIszJHIWAonIVNZBTNmlvIYB9BLuLqj/HHeBG0ua+TSBE
         XlIe2SJIi/PnU7DUebqH+vutZ6yDEsZpWwonIo1yjD05LhQsS3Z5De1DCUbEvkpauY5L
         Kimil46vCytUb5KJBytR/yA3uVEpGjtSX8LmbK3yBeqazXuco25479/gRu6Q3y57oiTU
         58GR17qI4jTg6YgC+bnjLSosbRDE8lFRUK8esdR/z2bPYrZaHGKDzidOmwGubN+tHpjk
         X7/g==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id 81-v6si13598839pfz.334.2018.06.18.03.40.00;
        Mon, 18 Jun 2018 03:40:14 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S934412AbeFRIQb (ORCPT <rfc822;chenl.lei@gmail.com> + 99 others);
        Mon, 18 Jun 2018 04:16:31 -0400
Received: from mail.linuxfoundation.org ([140.211.169.12]:53040 "EHLO
        mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S934385AbeFRIQ2 (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 18 Jun 2018 04:16:28 -0400
Received: from localhost (LFbn-1-12247-202.w90-92.abo.wanadoo.fr [90.92.61.202])
        by mail.linuxfoundation.org (Postfix) with ESMTPSA id 378BBC7A;
        Mon, 18 Jun 2018 08:16:27 +0000 (UTC)
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org,
        Simon Gaiser <simon@invisiblethingslab.com>,
        Juergen Gross <jgross@suse.com>,
        Boris Ostrovsky <boris.ostrovsky@oracle.com>,
        Sasha Levin <alexander.levin@microsoft.com>
Subject: [PATCH 4.16 037/279] xen: xenbus_dev_frontend: Really return response string
Date:   Mon, 18 Jun 2018 10:10:22 +0200
Message-Id: <20180618080610.343312695@linuxfoundation.org>
X-Mailer: git-send-email 2.17.1
In-Reply-To: <20180618080608.851973560@linuxfoundation.org>
References: <20180618080608.851973560@linuxfoundation.org>
User-Agent: quilt/0.65
X-stable: review
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

4.16-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Simon Gaiser <simon@invisiblethingslab.com>

[ Upstream commit ebf04f331fa15a966262341a7dc6b1a0efd633e4 ]

xenbus_command_reply() did not actually copy the response string and
leaked stack content instead.

Fixes: 9a6161fe73bd ("xen: return xenstore command failures via response instead of rc")
Signed-off-by: Simon Gaiser <simon@invisiblethingslab.com>
Reviewed-by: Juergen Gross <jgross@suse.com>
Signed-off-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/xen/xenbus/xenbus_dev_frontend.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/xen/xenbus/xenbus_dev_frontend.c
+++ b/drivers/xen/xenbus/xenbus_dev_frontend.c
@@ -403,7 +403,7 @@ static int xenbus_command_reply(struct x
 {
 	struct {
 		struct xsd_sockmsg hdr;
-		const char body[16];
+		char body[16];
 	} msg;
 	int rc;
 
@@ -412,6 +412,7 @@ static int xenbus_command_reply(struct x
 	msg.hdr.len = strlen(reply) + 1;
 	if (msg.hdr.len > sizeof(msg.body))
 		return -E2BIG;
+	memcpy(&msg.body, reply, msg.hdr.len);
 
 	mutex_lock(&u->reply_mutex);
 	rc = queue_reply(&u->read_buffers, &msg, sizeof(msg.hdr) + msg.hdr.len);