From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Christoffer Dall, Marc Zyngier
Subject: [PATCH 4.4 049/230] arm/arm64: KVM: Feed initialized memory to MMIO accesses
Date: Fri, 22 Mar 2019 12:13:07 +0100
Message-Id: <20190322111240.146468386@linuxfoundation.org>
In-Reply-To: <20190322111236.796964179@linuxfoundation.org>
References: <20190322111236.796964179@linuxfoundation.org>
X-Mailer: git-send-email 2.21.0
User-Agent: quilt/0.65
X-stable: review
X-Patchwork-Hint: ignore
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Marc Zyngier

commit 1d6a821277aaa0cdd666278aaff93298df313d41 upstream.

On an MMIO access, we always copy the on-stack buffer into the shared
"run" structure, even if this is a read access. This ends up leaking
up to 8 bytes of uninitialized memory into userspace, depending on
the size of the access.

An obvious fix for this one is to only perform the copy if this is
an actual write.

Reviewed-by: Christoffer Dall
Signed-off-by: Marc Zyngier
Signed-off-by: Greg Kroah-Hartman

---
 arch/arm/kvm/mmio.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/arch/arm/kvm/mmio.c
+++ b/arch/arm/kvm/mmio.c
@@ -207,7 +207,8 @@ int io_mem_abort(struct kvm_vcpu *vcpu,
 	run->mmio.is_write = is_write;
 	run->mmio.phys_addr = fault_ipa;
 	run->mmio.len = len;
-	memcpy(run->mmio.data, data_buf, len);
+	if (is_write)
+		memcpy(run->mmio.data, data_buf, len);
 
 	if (!ret) {
 		/* We handled the access successfully in the kernel. */
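Review bot: guarding the memcpy with `if (is_write)` closes the read-path exposure, but it relies on every write path having filled all `len` bytes of `data_buf` before reaching this point, since the copy is now the only place `run->mmio.data` is written and a short fill would still carry stack bytes across the boundary; worth confirming on the 4.4 write paths when backporting. The three unconditional assignments above the guard (`is_write`, `phys_addr`, `len`) are needed by userspace on both reads and writes, so keeping them outside the conditional is correct. On the read path `run->mmio.data` is now simply left as it was after the previous exit; that content is already visible to userspace, so it is not a new exposure, but a one-line note in the commit message saying so would spare the next reader the same check.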