From bbf1b2bde00075648c96065ba0dc390150c4808f Mon Sep 17 00:00:00 2001 From: Aaron Adams Date: Thu, 5 Mar 2015 13:51:53 +0100 Subject: [PATCH] pre-fill structures for certain HYPERVISOR_xen_version sub-ops ... avoiding to pass hypervisor stack contents back to the caller through space unused by the respective strings. This is CVE-2015-2045 / XSA-122. Signed-off-by: Aaron Adams Acked-by: Jan Beulich Acked-by: Ian Campbell master commit: fe2e079f642effb3d24a6e1a7096ef26e691d93e master date: 2015-03-05 13:35:54 +0100 --- xen/common/kernel.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/xen/common/kernel.c b/xen/common/kernel.c index c915bbcb65..fe3ccb5cba 100644 --- a/xen/common/kernel.c +++ b/xen/common/kernel.c @@ -216,6 +216,8 @@ DO(xen_version)(int cmd, XEN_GUEST_HANDLE(void) arg) case XENVER_extraversion: { xen_extraversion_t extraversion; + + memset(extraversion, 0, sizeof(extraversion)); safe_strcpy(extraversion, xen_extra_version()); if ( copy_to_guest(arg, extraversion, ARRAY_SIZE(extraversion)) ) return -EFAULT; @@ -225,6 +227,8 @@ DO(xen_version)(int cmd, XEN_GUEST_HANDLE(void) arg) case XENVER_compile_info: { struct xen_compile_info info; + + memset(&info, 0, sizeof(info)); safe_strcpy(info.compiler, xen_compiler()); safe_strcpy(info.compile_by, xen_compile_by()); safe_strcpy(info.compile_domain, xen_compile_domain()); @@ -260,6 +264,8 @@ DO(xen_version)(int cmd, XEN_GUEST_HANDLE(void) arg) case XENVER_changeset: { xen_changeset_info_t chgset; + + memset(chgset, 0, sizeof(chgset)); safe_strcpy(chgset, xen_changeset()); if ( copy_to_guest(arg, chgset, ARRAY_SIZE(chgset)) ) return -EFAULT; -- 2.39.5