Received: by 2002:a05:7412:da14:b0:e2:908c:2ebd with SMTP id fe20csp1773296rdb; Mon, 9 Oct 2023 02:22:24 -0700 (PDT) X-Google-Smtp-Source: AGHT+IGlcae3zEdmr3U4YmktkIbju/dHi9A5pMjK5stvslCzQULYVfzphW5DbGtDZdtrGMCLlYci X-Received: by 2002:a05:6e02:216e:b0:352:a405:fc1c with SMTP id s14-20020a056e02216e00b00352a405fc1cmr19194607ilv.17.1696843344392; Mon, 09 Oct 2023 02:22:24 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1696843344; cv=pass; d=google.com; s=arc-20160816; b=rTPX8/lZdsMzdIu7tzDEDDy6efKTFpxAyVZl2JpQle7+3WWap5irmI4+9VoB+eBq60 Q6zAS1Kvse5F2bl1FKpfdG8NyvYKRi6WqzZQfmS1BTsYFqcc0suBjr8SREyqnuyOmPS8 lUVe1qY7RPd0eKXbzCZ85o6AESW2LHslcKbc8vOPXkh4Jmu5QjeHlb4JSeOjPuMBmmgU zs0scAjdrym6Nmu78iqhsEUgZ8rohQKQts6EnHyAH/a3zTMagkUka96I1aLeAF3pmoNg tO7BNMciKsivFlTPvIkTcBiZ+RIf1drUiMVSkzzBHSIdEmAm4puQqopXRkyjS5OAP0Uf z/sg== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:mime-version:content-transfer-encoding :references:in-reply-to:message-id:date:subject:cc:to:from :dkim-signature; bh=xPvahczNfvcmActLmgOBqvbEW/CePOBHq9GcQJYj4ME=; fh=g+geecyUIkUFPaOGglMnGH3rrbeASKND2UvJeUXavqM=; b=aOXk+akP2rSf8siB4mWfKEXpx9rO46+Bdc4pB01WCc1ERHFMfY/Re82IeVAVSj5/pp SX6H1hLju4nPyC/8LFjRSxA5eWB7yv+UQ69fw6ZndhZ1qwEJBxhtWT5phcnhx07Eunno v6krEO+iNX+rqTFDXRI1pMU3XQWTaRQm2w8+PVK1wz1Yq2agtymTzxKhGMtxl8qpqXAR f4FVg4UtPUcPkAA8adfGF5L0lTqobyKxpPDMd9ZSR1RDwxZC6XdIXHcbNAphqTpG0H3B MGvgrkmziLQ8f6QFDrHAOwWHyxZCxddYzreC2++TS/PeBQ/PLX6scaO20LVdtEkhQuHN 4WlQ== ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@cyberus-technology.de header.s=selector2 header.b=kjAR2CQn; arc=pass (i=1 spf=pass spfdomain=cyberus-technology.de dkim=pass dkdomain=cyberus-technology.de dmarc=pass fromdomain=cyberus-technology.de); spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.31 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=cyberus-technology.de Return-Path: Received: from morse.vger.email (morse.vger.email. [23.128.96.31]) by mx.google.com with ESMTPS id be3-20020a656e43000000b0058555ea0a21si529109pgb.571.2023.10.09.02.22.23 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 09 Oct 2023 02:22:24 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.31 as permitted sender) client-ip=23.128.96.31; Authentication-Results: mx.google.com; dkim=pass header.i=@cyberus-technology.de header.s=selector2 header.b=kjAR2CQn; arc=pass (i=1 spf=pass spfdomain=cyberus-technology.de dkim=pass dkdomain=cyberus-technology.de dmarc=pass fromdomain=cyberus-technology.de); spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.31 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=cyberus-technology.de Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by morse.vger.email (Postfix) with ESMTP id F01FB80212FA; Mon, 9 Oct 2023 02:22:21 -0700 (PDT) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.10 at morse.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1345718AbjJIJWF (ORCPT + 99 others); Mon, 9 Oct 2023 05:22:05 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:53822 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1345692AbjJIJWD (ORCPT ); Mon, 9 Oct 2023 05:22:03 -0400 Received: from DEU01-BE0-obe.outbound.protection.outlook.com (mail-be0deu01on2080.outbound.protection.outlook.com [40.107.127.80]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id D1AF6A2; Mon, 9 Oct 2023 02:22:00 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=WY3dW2XYEST8sOIiz9X2EhwIpiaMac1eIOb3UihA9bkXj0lilCQZPMvUtJ511pyCSTILV1YL9aWsj9fbnfRnaSr31RGU2f7Sr+wO2rx92gunSr3/3BXj6VHw19mu1sQxM5D3yEN1XqaQPjXnn5XWeY0JWb0v0RCczrnCnB/or9l6YWjfVsJDphWaao9Q6hiVDcCCy8Nk7C+cnXMDrLnaYX4CJKjv6Vo//NbMwU7IrCVIwQyAEVdkr7A0c24ilm3uoAVDzpxu9cV8a0Jq1k3eGO38Iv78HDaCStvT4skqUst7JorhvAAjJ1Bt75MY3bUCM8VxMURDoQ8H65gtyyAJ8Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=xPvahczNfvcmActLmgOBqvbEW/CePOBHq9GcQJYj4ME=; b=RbLOlpOrJoEkdzuIcNwqK/FHdz+/mik9aatplLxQivUxn2VCHzvWGhbpGZHxQv8k5yW7kIyWSKtrLVJPm+gyLiHJjbFRo5zb3tCqMaZdIpZ9WyLARjDIwDbR2+CFDCaKkU9day1uy461Eh31vtE1vD9bx7NTkG4dWnPe4WOjrILPw6KKPzGc0/CQSLPPogT/XJNoKetLqfed0XYuXtY6ttxOB2hrXBNyiDGdbiB/cQfR9+lZho58CixF7Oy/iKyhT427voQLqBtpWk/t3jriqSPIQik/x8pEClVPEbZYABX9jndJkK17HPIOWPczysDlnNyLbXG9d0/8+HskWsO8UQ== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cyberus-technology.de; dmarc=pass action=none header.from=cyberus-technology.de; dkim=pass header.d=cyberus-technology.de; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cyberus-technology.de; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=xPvahczNfvcmActLmgOBqvbEW/CePOBHq9GcQJYj4ME=; b=kjAR2CQnXPve5ighJZ2Qzti4fV4Uub82qN6zbyMTD1SqWwVNf6gIPn6aFKIpyf365nVA6XDWAUETfC6igv4JBiUkRWq3WYDBuBlZA5BuYYjfcPo80QtRFgmzyPGpFft0FnpIP1hjdDzgZ93mVdKFi9eKolp4OZ5kR2/2mPhv8A2hE2Kp5lLn5cP9ZN+glhI1owa59ZCJCr6ywHEJjNujwJ22N14Jc/0PaXM7USf8QDnWbnWbe/lrvsUM+uvkD68Ylg3seTb3+3EGYsSZ/DQ2Ck8NITz1Uvjzeq/J9pgSA0MJ2/kmiqK0JL3egzT3K5BC1p0myollhdmd7LEjj7+T/A== Authentication-Results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=cyberus-technology.de; Received: from FR3P281MB1567.DEUP281.PROD.OUTLOOK.COM (2603:10a6:d10:7a::10) by FR0P281MB1983.DEUP281.PROD.OUTLOOK.COM (2603:10a6:d10:29::13) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6863.37; Mon, 9 Oct 2023 09:21:58 +0000 Received: from FR3P281MB1567.DEUP281.PROD.OUTLOOK.COM ([fe80::739c:5a5b:9c94:e5ec]) by FR3P281MB1567.DEUP281.PROD.OUTLOOK.COM ([fe80::739c:5a5b:9c94:e5ec%7]) with mapi id 15.20.6863.032; Mon, 9 Oct 2023 09:21:58 +0000 From: Julian Stecklina To: Sean Christopherson , Paolo Bonzini , Thomas Gleixner , Ingo Molnar , Borislav Petkov , Dave Hansen , x86@kernel.org, "H. Peter Anvin" Cc: Julian Stecklina , kvm@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH v2 1/2] KVM: x86: Fix partially uninitialized integer in emulate_pop Date: Mon, 9 Oct 2023 11:20:53 +0200 Message-Id: <20231009092054.556935-1-julian.stecklina@cyberus-technology.de> X-Mailer: git-send-email 2.40.1 In-Reply-To: <20231004133827.107-1-julian.stecklina@cyberus-technology.de> References: <20231004133827.107-1-julian.stecklina@cyberus-technology.de> Content-Transfer-Encoding: 8bit Content-Type: text/plain X-ClientProxiedBy: PA7P264CA0404.FRAP264.PROD.OUTLOOK.COM (2603:10a6:102:39b::8) To FR3P281MB1567.DEUP281.PROD.OUTLOOK.COM (2603:10a6:d10:7a::10) MIME-Version: 1.0 X-MS-PublicTrafficType: Email X-MS-TrafficTypeDiagnostic: FR3P281MB1567:EE_|FR0P281MB1983:EE_ X-MS-Office365-Filtering-Correlation-Id: f6f3688e-01f8-4c6c-176e-08dbc8a92fc2 X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0; X-Microsoft-Antispam-Message-Info: I7RYUAR8FYWag2Lo13Eoa8joZCUER5BawlTcOoZNOigZZs1Oy9v8DiBAB+JBJkHLpkQam9IxRwGX1uvQhl2hycNf3R8Jbn8NNPYDjPbIKmpNtmKoI6irpP62nYD+B8H2G6fz2o0WpAXwsli7yNqzkRpE3+xePIiwBvZBKkRl99YjgUxYmBSGB2uhv95C/GINv8GjL0n58TkEVE1Psx9QUQRas9ltzi1kcvGlY+ddNX022dkqw0O25EpVC/vdbS4K/j8S/IyUekC37tYH+oLTvoz+nBLjE2WDnTwmopleSCVC66zAc/k2wDmM8qet6XmCQeWG1RvDPwsgzaSxXPBhj4upTkNOUWVIUgDGMaa5Tb/P7DnPZjL22C7VXEwykxaUyNfyGBZND3sAzpDjJRS+gO8X5MUTRnVVyYmF3Oegm8rQxy3OOaTKBxiHbJfIPkAy9gjHelgBTcCk8G6c9KW9y1v9cWrjdFxTk5YJbYqqdopqO6EfMkcN2P6xOT11lq0JjP1MpV2QkmYKy3PoS0GrKYHGfev8o7PI8INm8aSkfGACR0LnOVSpw3gADJgh04hx8FvYZeVFOMlDA1zACdnYiP27bUVROAlCy5kRKH+5t+64pT7iazoYFvjhZ2OtDdu/nt2z/sGsnBVqxxXLf5IKCnLooSWsRbebos04pkbptyPse2we4QlbVABMfV1IZR0w X-Forefront-Antispam-Report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:FR3P281MB1567.DEUP281.PROD.OUTLOOK.COM;PTR:;CAT:NONE;SFS:(13230031)(366004)(396003)(39830400003)(376002)(136003)(346002)(230922051799003)(1800799009)(451199024)(186009)(64100799003)(86362001)(38100700002)(36756003)(2906002)(6512007)(478600001)(6486002)(44832011)(5660300002)(41300700001)(8936002)(4326008)(8676002)(6666004)(52116002)(6506007)(83380400001)(2616005)(1076003)(66556008)(66476007)(7416002)(110136005)(316002)(66946007)(26005)(38350700002)(341764005);DIR:OUT;SFP:1101; X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-MessageData-0: =?us-ascii?Q?JtX4E3lBZZtvAYey3T5aWUgis7u1XcDGTX+qxESgsLXcYCG2DVy7tjwueedO?= =?us-ascii?Q?fFLd4ecC154gEU0lX38L0zBX2Ka1AoIFEdjxUy+1zEhrBj0h8q0eQdTLJ9rk?= =?us-ascii?Q?9U2Eah6vBWq2Y/zsyv1WrVQ5uF1ULV6KK8j1xrVNAtoVIJd0PdDbOituUqUf?= =?us-ascii?Q?KS9qFmIFTob2Zgmzx1oQ0o+2eWfP8FxvbjyG55uWURHnSy02TsDE/XrBadef?= =?us-ascii?Q?ZzDIujocwI1Qw3p8LHv8qsAQ8PvFB02qzYToe+7k1ST6ZOhuTccZSl/rxWSi?= =?us-ascii?Q?RD79CzK5mgvkMpl4RF28tP7YWhshE0GLfyuaog7mk4E1ewAGYLYcAVMGUubU?= =?us-ascii?Q?6kegVaZeO8d4egI13Cn8FDt1CyaJrbFysJo+I2kYE+H8f4MXTnrNYfN/tyrA?= =?us-ascii?Q?Tvf0n92p54a6BUltjjimDOUWwxfGk2srUxZFJLoI3UN7YE7D6KONe8mDd8Wm?= =?us-ascii?Q?agoZcdXfQyzFroRyIdF2nbJG2QJUEtu/WTeKGeDPBTNua7hMzo93PcePFH9u?= =?us-ascii?Q?cyKc1YkcJGTKBTM+4+/VSQBzT09dtvSufNKD7BVXHR8xCRZ7wF3d1ahN4ptc?= =?us-ascii?Q?EoKdf1SlOprXX4Ec/OaQcq1/+gFSYf7MZX/0zEJpXdN4/1SUMztrDfoWyQJ7?= =?us-ascii?Q?bOjwByrd+8g8R4yuz2/GdyvDqAdO+LlrtgtSvK4/xdB78pTo4P1TA3t0cHN/?= =?us-ascii?Q?wCJcgrVDL/FZWaPz/rDqmpp7QVT4rMgyKhSHKyz5uaGmKu8Eqc66Lf8Fwptj?= =?us-ascii?Q?Fc2R8hAEz6ejZzUkLIZUe3FGfjPDHBX5qu1dKPjvlwBauw6EPOj1CesHKJXx?= =?us-ascii?Q?Pa1W7x7p6tph0VUs2hbjgtsae7vktW6LwGxX+v7iXQLgFBk0eKb+tKlRlePs?= =?us-ascii?Q?lL6ParUvO2V0Iw0bX9KrOYHww0keriTYnpJ8qCjUSXPtHRIzwchT2Q2+XnSJ?= =?us-ascii?Q?dH/rTE/T24dhFIdBjzX7hX5em7BVipp8VIcHBU1BdWgfqKbkp2UDG6xqZCd9?= =?us-ascii?Q?VpDiIlgiVJ9udRuAVCF+Cdg4swsyhaHzFXp6Ifso7KiOcC2Cu3UYMabFZSkq?= =?us-ascii?Q?bWSD8bxNC/ls3aH7YWfaio8q5Bz92EuQYPbBRRYbjP8FT0zsh17k2XPUxuFx?= =?us-ascii?Q?5F5LS+nu9nw4nQdtXY9nHcNKzs0zJgKdPIC/fYhaSufoAFAPrK04BqulFd+s?= =?us-ascii?Q?u5qcipm9eOuRCt63GJjk3fszu9pE6Hf8/bT9aDN2PQKVOXXfUglvLYNkC4DN?= =?us-ascii?Q?B9zEaFsnXNv7VlFM3iDGkSZmBzCyiCc0YQ5AxHmTttwfw1svxwiMLljxbjah?= =?us-ascii?Q?w+hlauXHCKOGf5kEkjKQ14TeZmXvggk6EypYqP1EWRKf64Zw1t9vZyuyC1z/?= =?us-ascii?Q?a1g7BRxzYQIkMDf964TfbPBJcWcCdnJPUGj3LAiU1alqfoQuHfqbtRlwAC00?= =?us-ascii?Q?hNuz/TpaIWJGAzsNEvdRocI2yScco/OpBhcEZR1eHIYj4GKnsvF0ERk0qhxo?= =?us-ascii?Q?w73Y5LT2mbr/Guj7JvCGBEDf1fwqQ2QOEHe2VN72twnm2TY8OH4WNYABleF5?= =?us-ascii?Q?zegMoTEEA4FUQbwzje44+gEFWuG0IQZ3/Q34omIOua6o7/WdwJQlvz537+4l?= =?us-ascii?Q?a1mZr310JboriVI7roc/BqQ=3D?= X-OriginatorOrg: cyberus-technology.de X-MS-Exchange-CrossTenant-Network-Message-Id: f6f3688e-01f8-4c6c-176e-08dbc8a92fc2 X-MS-Exchange-CrossTenant-AuthSource: FR3P281MB1567.DEUP281.PROD.OUTLOOK.COM X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-OriginalArrivalTime: 09 Oct 2023 09:21:58.0757 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: f4e0f4e0-9d68-4bd6-a95b-0cba36dbac2e X-MS-Exchange-CrossTenant-MailboxType: HOSTED X-MS-Exchange-CrossTenant-UserPrincipalName: F+xVXPRHQSvemYDgoFRPqMHzgpR0hBwiSiFk3MA+2q32pgHMzyf8tjZx2VOUvHXT+Q/nRxYgvN+K5sWgZY5IX9ku2+13N9xMySDP7QI76v005TdmZenqxt9/MSoePv5S X-MS-Exchange-Transport-CrossTenantHeadersStamped: FR0P281MB1983 X-Spam-Status: No, score=2.7 required=5.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI, RCVD_IN_SBL_CSS,SPF_HELO_NONE,SPF_PASS autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on morse.vger.email Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (morse.vger.email [0.0.0.0]); Mon, 09 Oct 2023 02:22:22 -0700 (PDT) X-Spam-Level: ** Most code gives a pointer to an uninitialized unsigned long as dest in emulate_pop. len is usually the word width of the guest. If the guest runs in 16-bit or 32-bit modes, len will not cover the whole unsigned long and we end up with uninitialized data in dest. Looking through the callers of this function, the issue seems harmless, but given that none of this is performance critical, there should be no issue with just always initializing the whole value. Even though popa is not reachable in 64-bit mode, I've changed its val variable to unsigned long too to avoid sad copy'n'paste bugs. Signed-off-by: Julian Stecklina --- arch/x86/kvm/emulate.c | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c index 2673cd5c46cb..86d0ee9f1a6a 100644 --- a/arch/x86/kvm/emulate.c +++ b/arch/x86/kvm/emulate.c @@ -1862,7 +1862,8 @@ static int emulate_popf(struct x86_emulate_ctxt *ctxt, void *dest, int len) { int rc; - unsigned long val, change_mask; + unsigned long val = 0; + unsigned long change_mask; int iopl = (ctxt->eflags & X86_EFLAGS_IOPL) >> X86_EFLAGS_IOPL_BIT; int cpl = ctxt->ops->cpl(ctxt); @@ -1953,7 +1954,7 @@ static int em_push_sreg(struct x86_emulate_ctxt *ctxt) static int em_pop_sreg(struct x86_emulate_ctxt *ctxt) { int seg = ctxt->src2.val; - unsigned long selector; + unsigned long selector = 0; int rc; rc = emulate_pop(ctxt, &selector, 2); @@ -1999,7 +2000,7 @@ static int em_popa(struct x86_emulate_ctxt *ctxt) { int rc = X86EMUL_CONTINUE; int reg = VCPU_REGS_RDI; - u32 val; + unsigned long val = 0; while (reg >= VCPU_REGS_RAX) { if (reg == VCPU_REGS_RSP) { @@ -2228,7 +2229,7 @@ static int em_cmpxchg8b(struct x86_emulate_ctxt *ctxt) static int em_ret(struct x86_emulate_ctxt *ctxt) { int rc; - unsigned long eip; + unsigned long eip = 0; rc = emulate_pop(ctxt, &eip, ctxt->op_bytes); if (rc != X86EMUL_CONTINUE) @@ -2240,7 +2241,8 @@ static int em_ret(struct x86_emulate_ctxt *ctxt) static int em_ret_far(struct x86_emulate_ctxt *ctxt) { int rc; - unsigned long eip, cs; + unsigned long eip = 0; + unsigned long cs = 0; int cpl = ctxt->ops->cpl(ctxt); struct desc_struct new_desc; @@ -3183,7 +3185,7 @@ static int em_call_far(struct x86_emulate_ctxt *ctxt) static int em_ret_near_imm(struct x86_emulate_ctxt *ctxt) { int rc; - unsigned long eip; + unsigned long eip = 0; rc = emulate_pop(ctxt, &eip, ctxt->op_bytes); if (rc != X86EMUL_CONTINUE) -- 2.40.1