authorMarc Zyngier <marc.zyngier@arm.com>2016-02-15 17:04:04 +0000
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2019-03-23 08:44:20 +0100
commitbe96dcc315c75f371774739a34c43c213f177c80 (patch)
treef2e9cc1aab8f25f03e112293bcfaff8b8ac09523 /arch
parent37131ae9135c048494f1424dea064488ac1ffd04 (diff)
arm/arm64: KVM: Feed initialized memory to MMIO accesses
commit 1d6a821277aaa0cdd666278aaff93298df313d41 upstream. On an MMIO access, we always copy the on-stack buffer into the shared "run" structure, even if this is a read access. This ends up leaking up to 8 bytes of uninitialized memory into userspace, depending on the size of the access. An obvious fix for this one is to only perform the copy if this is an actual write. Reviewed-by: Christoffer Dall <christoffer.dall@linaro.org> Signed-off-by: Marc Zyngier <marc.zyngier@arm.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'arch')
-rw-r--r--arch/arm/kvm/mmio.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/arch/arm/kvm/mmio.c b/arch/arm/kvm/mmio.c
index 885cd0e0015b..0b9d152b38c8 100644
--- a/arch/arm/kvm/mmio.c
+++ b/arch/arm/kvm/mmio.c
@@ -207,7 +207,8 @@ int io_mem_abort(struct kvm_vcpu *vcpu, struct kvm_run *run,
run->mmio.is_write = is_write;
run->mmio.phys_addr = fault_ipa;
run->mmio.len = len;
- memcpy(run->mmio.data, data_buf, len);
+ if (is_write)
+ memcpy(run->mmio.data, data_buf, len);
if (!ret) {
/* We handled the access successfully in the kernel. */