From: Stefano Stabellini <sstabellini@kernel.org>
To: peter.maydell@linaro.org, stefanha@gmail.com
Cc: sstabellini@kernel.org, stefanha@redhat.com,
anthony.perard@citrix.com, xen-devel@lists.xenproject.org,
qemu-devel@nongnu.org, Jan Beulich <jbeulich@suse.com>
Subject: [Qemu-devel] [PULL 1/3] xen/disk: don't leak stack data via response ring
Date: Tue, 27 Jun 2017 15:04:41 -0700
Message-ID: <1498601083-11799-1-git-send-email-sstabellini@kernel.org>
In-Reply-To: <alpine.DEB.2.10.1706271456310.24648@sstabellini-ThinkPad-X260>
Rather than constructing a local structure instance on the stack, fill
the fields directly on the shared ring, just like other (Linux)
backends do. Build on the fact that all response structure flavors are
actually identical (aside from alignment and padding at the end).

This is XSA-216.
Reported by: Anthony Perard <anthony.perard@citrix.com>
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Signed-off-by: Stefano Stabellini <sstabellini@kernel.org>
Acked-by: Anthony PERARD <anthony.perard@citrix.com>
---
hw/block/xen_disk.c | 25 ++++++++++++-------------
1 file changed, 12 insertions(+), 13 deletions(-)
diff --git a/hw/block/xen_disk.c b/hw/block/xen_disk.c
index 3a22805..9200511 100644
--- a/hw/block/xen_disk.c
+++ b/hw/block/xen_disk.c
@@ -769,31 +769,30 @@ static int blk_send_response_one(struct ioreq *ioreq)
struct XenBlkDev *blkdev = ioreq->blkdev;
int send_notify = 0;
int have_requests = 0;
- blkif_response_t resp;
- void *dst;
-
- resp.id = ioreq->req.id;
- resp.operation = ioreq->req.operation;
- resp.status = ioreq->status;
+ blkif_response_t *resp;
/* Place on the response ring for the relevant domain. */
switch (blkdev->protocol) {
case BLKIF_PROTOCOL_NATIVE:
- dst = RING_GET_RESPONSE(&blkdev->rings.native, blkdev->rings.native.rsp_prod_pvt);
+ resp = (blkif_response_t *) RING_GET_RESPONSE(&blkdev->rings.native,
+ blkdev->rings.native.rsp_prod_pvt);
break;
case BLKIF_PROTOCOL_X86_32:
- dst = RING_GET_RESPONSE(&blkdev->rings.x86_32_part,
- blkdev->rings.x86_32_part.rsp_prod_pvt);
+ resp = (blkif_response_t *) RING_GET_RESPONSE(&blkdev->rings.x86_32_part,
+ blkdev->rings.x86_32_part.rsp_prod_pvt);
break;
case BLKIF_PROTOCOL_X86_64:
- dst = RING_GET_RESPONSE(&blkdev->rings.x86_64_part,
- blkdev->rings.x86_64_part.rsp_prod_pvt);
+ resp = (blkif_response_t *) RING_GET_RESPONSE(&blkdev->rings.x86_64_part,
+ blkdev->rings.x86_64_part.rsp_prod_pvt);
break;
default:
- dst = NULL;
return 0;
}
- memcpy(dst, &resp, sizeof(resp));
+
+ resp->id = ioreq->req.id;
+ resp->operation = ioreq->req.operation;
+ resp->status = ioreq->status;
+
blkdev->rings.common.rsp_prod_pvt++;
RING_PUSH_RESPONSES_AND_CHECK_NOTIFY(&blkdev->rings.common, send_notify);
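Review bot: the three casts to `blkif_response_t *` on the `RING_GET_RESPONSE` results assume that the native, x86_32 and x86_64 response layouts place `id`, `operation` and `status` at the same offsets; the commit message states this but nothing in the hunk enforces it, so a compile-time check on `offsetof()` for each flavour (QEMU's `QEMU_BUILD_BUG_ON` would do) would turn the assumption into something the build verifies. The fix itself is sound: the removed `memcpy(dst, &resp, sizeof(resp))` copied the entire stack object, including the padding bytes that the three field assignments never initialised, onto a ring the frontend can read, while the replacement writes only `id`, `operation` and `status` into the slot, so no backend stack contents are published. The padding inside the ring slot is now simply left as it was, which is acceptable since that memory is already shared with the guest and holds nothing of the backend's.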
--
1.9.1
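The defect the commit message describes, as an added example rather than QEMU's own code: a constructed struct with the same id/operation/status layout as the native blkif response, the stack-then-memcpy pattern the patch removes beside the direct-field-write pattern it introduces, and a check of what ends up in the padding byte between `operation` and `status`. The 0x5A memset standing in for stale stack contents, and the 0xA5 pattern used to pre-fill the slot, are assumptions made so the demonstration is deterministic.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for the native blkif response layout the patch
 * touches: 64-bit id, 8-bit operation, 16-bit status.  The ABI inserts a
 * padding byte at offset 9 so that status is 2-byte aligned; assigning
 * the three fields never writes that byte. */
typedef struct {
    uint64_t id;
    uint8_t  operation;
    int16_t  status;
} resp_t;

#define PADDING_OFFSET (offsetof(resp_t, operation) + sizeof(uint8_t)) /* 9 */

/* "Before": build the response on the stack and memcpy the whole object
 * into the ring slot.  The padding byte carries whatever the stack held. */
static void send_response_before(resp_t *slot, uint64_t id, uint8_t op, int16_t st)
{
    resp_t resp;
    memset(&resp, 0x5A, sizeof(resp)); /* assumption: stands in for stale stack data */
    resp.id = id;
    resp.operation = op;
    resp.status = st;
    memcpy(slot, &resp, sizeof(resp));  /* copies the padding byte as well */
}

/* "After": write the three fields straight into the ring slot, as the
 * patch does; no bytes from the backend's stack reach the shared page. */
static void send_response_after(resp_t *slot, uint64_t id, uint8_t op, int16_t st)
{
    slot->id = id;
    slot->operation = op;
    slot->status = st;
}

/* Pre-fill a constructed ring slot with a known pattern, send one response
 * through the given routine and return the padding byte afterwards: 0xA5
 * means the routine left it alone, anything else means it published data
 * it never meant to write. */
static unsigned padding_byte_after(void (*send)(resp_t *, uint64_t, uint8_t, int16_t))
{
    resp_t slot;
    memset(&slot, 0xA5, sizeof(slot));
    send(&slot, 42, 0 /* BLKIF_OP_READ */, 0 /* BLKIF_RSP_OKAY */);
    return ((const uint8_t *)&slot)[PADDING_OFFSET];
}
```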
2017-06-27 22:04 [Qemu-devel] [PATCH 0/3] please pull xen-20170627-tag Stefano Stabellini
2017-06-27 22:04 ` Stefano Stabellini [this message]
2017-06-27 22:04 ` [Qemu-devel] [PULL 2/3] xen-disk: only advertize feature-persistent if grant copy is not available Stefano Stabellini
2017-06-27 22:04 ` [Qemu-devel] [PULL 3/3] xen-disk: add support for multi-page shared rings Stefano Stabellini
2017-07-27 6:02 ` [Qemu-devel] [Xen-devel] " Olaf Hering
2017-07-27 19:14 ` Stefano Stabellini
2017-09-23 16:05 ` [Qemu-devel] xen/disk: don't leak stack data via response ring Michael Tokarev
2017-09-24 9:18 ` Michael Tokarev
2017-09-25 22:48 ` Stefano Stabellini
2017-06-29 12:12 ` [Qemu-devel] [PATCH 0/3] please pull xen-20170627-tag Peter Maydell