git.ipfire.org Git - thirdparty/kernel/stable-queue.git/blob - queue-4.4/arm-arm64-kvm-feed-initialized-memory-to-mmio-accesses.patch
From 1d6a821277aaa0cdd666278aaff93298df313d41 Mon Sep 17 00:00:00 2001
From: Marc Zyngier <marc.zyngier@arm.com>
Date: Mon, 15 Feb 2016 17:04:04 +0000
Subject: arm/arm64: KVM: Feed initialized memory to MMIO accesses

From: Marc Zyngier <marc.zyngier@arm.com>

commit 1d6a821277aaa0cdd666278aaff93298df313d41 upstream.

On an MMIO access, we always copy the on-stack buffer into
the shared "run" structure, even if this is a read access.
This ends up leaking up to 8 bytes of uninitialized memory
into userspace, depending on the size of the access.

An obvious fix for this one is to only perform the copy if
this is an actual write.

Reviewed-by: Christoffer Dall <christoffer.dall@linaro.org>
Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm/kvm/mmio.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

26 --- a/arch/arm/kvm/mmio.c
27 +++ b/arch/arm/kvm/mmio.c
28 @@ -207,7 +207,8 @@ int io_mem_abort(struct kvm_vcpu *vcpu,
29 run->mmio.is_write = is_write;
30 run->mmio.phys_addr = fault_ipa;
31 run->mmio.len = len;
32 - memcpy(run->mmio.data, data_buf, len);
33 + if (is_write)
34 + memcpy(run->mmio.data, data_buf, len);
35
36 if (!ret) {
37 /* We handled the access successfully in the kernel. */
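Review bot: the new `if (is_write)` guard around the memcpy is the right minimal fix; on a read access data_buf has not been filled in, so the unconditional copy was moving up to `len` (at most 8) bytes of uninitialized kernel stack into run->mmio.data, which userspace can read through the shared run structure. A one-line comment above the guard saying that run->mmio.data only carries meaningful content for writes would help future readers, since the neighbouring assignments of is_write, phys_addr and len remain unconditional and the asymmetry is otherwise unexplained in the code itself.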