xl/libxl memory is leaking into a PVH guest through uninitialized
portions of the ACPI tables.

Use libxl_zalloc() to obtain zero-ed memory to avoid this issue.

This is XSA-464 / CVE-2024-45819.

Signed-off-by: Jason Andryuk <jason.andryuk@amd.com>
Fixes: 14c0d328da2b ("libxl/acpi: Build ACPI tables for HVMlite guests")
Reviewed-by: Jan Beulich <jbeulich@suse.com>
goto out;
}
- config.rsdp = (unsigned long)libxl__malloc(gc, libxl_ctxt.page_size);
- config.infop = (unsigned long)libxl__malloc(gc, libxl_ctxt.page_size);
+ /* These are all copied into guest memory, so use zero-ed memory. */
+ config.rsdp = (unsigned long)libxl__zalloc(gc, libxl_ctxt.page_size);
+ config.infop = (unsigned long)libxl__zalloc(gc, libxl_ctxt.page_size);
/* Pages to hold ACPI tables */
- libxl_ctxt.buf = libxl__malloc(gc, NUM_ACPI_PAGES *
+ libxl_ctxt.buf = libxl__zalloc(gc, NUM_ACPI_PAGES *
libxl_ctxt.page_size);
/*
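Review bot: the new comment "These are all copied into guest memory, so use zero-ed memory." sits directly above the config.rsdp and config.infop allocations, while the third converted allocation, libxl_ctxt.buf, follows under its own "Pages to hold ACPI tables" comment, so a later reader could take the zeroing requirement as covering only the first two and switch buf back to libxl__malloc(). Consider stating the requirement in the buf comment as well, for example "Pages to hold ACPI tables (copied to the guest, must be zeroed)". The commit message also names libxl_zalloc() while the hunk calls libxl__zalloc(); aligning the message with the code would make the fix easier to find by searching.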