]> xenbits.xensource.com Git - xen.git/commitdiff
projects / xen.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 95af3f0)
x86/HVM: return all ones on wrong-sized reads of system device I/O ports
authorJan Beulich <jbeulich@suse.com>
Thu, 5 Mar 2015 12:50:50 +0000 (13:50 +0100)
committerJan Beulich <jbeulich@suse.com>
Thu, 5 Mar 2015 12:50:50 +0000 (13:50 +0100)
So far the value presented to the guest remained uninitialized.

This is CVE-2015-2044 / XSA-121.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
master commit: c9e57594e1ba5da9d705dee9f00aa4e7e925963d
master date: 2015-03-05 13:34:54 +0100

xen/arch/x86/hvm/i8254.c patch | blob | blame | history
xen/arch/x86/hvm/pmtimer.c patch | blob | blame | history
xen/arch/x86/hvm/rtc.c patch | blob | blame | history
xen/arch/x86/hvm/vpic.c patch | blob | blame | history

diff --git a/xen/arch/x86/hvm/i8254.c b/xen/arch/x86/hvm/i8254.c
index c0d6bc29b6ca985d8bb5d6e1339c10149f5a0b1a..809d09ef6e055243ac29f822db565e6c3fe4079b 100644 (file)
--- a/xen/arch/x86/hvm/i8254.c
+++ b/xen/arch/x86/hvm/i8254.c
@@ -478,6 +478,7 @@ static int handle_pit_io(
     if ( bytes != 1 )
     {
         gdprintk(XENLOG_WARNING, "PIT bad access\n");
+        *val = ~0;
         return X86EMUL_OKAY;
     }
 
diff --git a/xen/arch/x86/hvm/pmtimer.c b/xen/arch/x86/hvm/pmtimer.c
index 01ae31d38dde1b9b6e321bb6cf58cd78d559d1a4..6ad279798654539941bcf73eb09656970fbfb2c7 100644 (file)
--- a/xen/arch/x86/hvm/pmtimer.c
+++ b/xen/arch/x86/hvm/pmtimer.c
@@ -213,6 +213,7 @@ static int handle_pmt_io(
     if ( bytes != 4 )
     {
         gdprintk(XENLOG_WARNING, "HVM_PMT bad access\n");
+        *val = ~0;
         return X86EMUL_OKAY;
     }
     
diff --git a/xen/arch/x86/hvm/rtc.c b/xen/arch/x86/hvm/rtc.c
index b994e99ad94e36f5dfb6a774f7e2748226c50956..0a648d1d317ebfcb9c5752545874b2a68b18171d 100644 (file)
--- a/xen/arch/x86/hvm/rtc.c
+++ b/xen/arch/x86/hvm/rtc.c
@@ -619,7 +619,8 @@ static int handle_rtc_io(
 
     if ( bytes != 1 )
     {
-        gdprintk(XENLOG_WARNING, "HVM_RTC bas access\n");
+        gdprintk(XENLOG_WARNING, "HVM_RTC bad access\n");
+        *val = ~0;
         return X86EMUL_OKAY;
     }
     
diff --git a/xen/arch/x86/hvm/vpic.c b/xen/arch/x86/hvm/vpic.c
index fea3f68f9ea6de944ee6159898e5484be4b481e7..6e4d422cdec7d964e36234f956e1dc3da447b257 100644 (file)
--- a/xen/arch/x86/hvm/vpic.c
+++ b/xen/arch/x86/hvm/vpic.c
@@ -324,6 +324,7 @@ static int vpic_intercept_pic_io(
     if ( bytes != 1 )
     {
         gdprintk(XENLOG_WARNING, "PIC_IO bad access size %d\n", bytes);
+        *val = ~0;
         return X86EMUL_OKAY;
     }
 
Xen (staging and unstable) mirror