summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJan Beulich <jbeulich@suse.com>2015-03-05 13:50:50 +0100
committerJan Beulich <jbeulich@suse.com>2015-03-05 13:50:50 +0100
commit0765915d3a11ebf56d89da58b346c9b85ca3299d (patch)
treea8671936568308b1c70ab82a4438984496f7620c
parent95af3f09eeef089e0100a8518f7ca75206e33c7c (diff)
downloadxen-0765915d3a11ebf56d89da58b346c9b85ca3299d.tar.gz
x86/HVM: return all ones on wrong-sized reads of system device I/O ports
So far the value presented to the guest remained uninitialized. This is CVE-2015-2044 / XSA-121. Signed-off-by: Jan Beulich <jbeulich@suse.com> Acked-by: Ian Campbell <ian.campbell@citrix.com> master commit: c9e57594e1ba5da9d705dee9f00aa4e7e925963d master date: 2015-03-05 13:34:54 +0100
Diffstat
-rw-r--r--xen/arch/x86/hvm/i8254.c1
-rw-r--r--xen/arch/x86/hvm/pmtimer.c1
-rw-r--r--xen/arch/x86/hvm/rtc.c3
-rw-r--r--xen/arch/x86/hvm/vpic.c1
4 files changed, 5 insertions, 1 deletions
diff --git a/xen/arch/x86/hvm/i8254.c b/xen/arch/x86/hvm/i8254.c
index c0d6bc29b6..809d09ef6e 100644
--- a/xen/arch/x86/hvm/i8254.c
+++ b/xen/arch/x86/hvm/i8254.c
@@ -478,6 +478,7 @@ static int handle_pit_io(
if ( bytes != 1 )
{
gdprintk(XENLOG_WARNING, "PIT bad access\n");
+ *val = ~0;
return X86EMUL_OKAY;
}
diff --git a/xen/arch/x86/hvm/pmtimer.c b/xen/arch/x86/hvm/pmtimer.c
index 01ae31d38d..6ad2797986 100644
--- a/xen/arch/x86/hvm/pmtimer.c
+++ b/xen/arch/x86/hvm/pmtimer.c
@@ -213,6 +213,7 @@ static int handle_pmt_io(
if ( bytes != 4 )
{
gdprintk(XENLOG_WARNING, "HVM_PMT bad access\n");
+ *val = ~0;
return X86EMUL_OKAY;
}
diff --git a/xen/arch/x86/hvm/rtc.c b/xen/arch/x86/hvm/rtc.c
index b994e99ad9..0a648d1d31 100644
--- a/xen/arch/x86/hvm/rtc.c
+++ b/xen/arch/x86/hvm/rtc.c
@@ -619,7 +619,8 @@ static int handle_rtc_io(
if ( bytes != 1 )
{
- gdprintk(XENLOG_WARNING, "HVM_RTC bas access\n");
+ gdprintk(XENLOG_WARNING, "HVM_RTC bad access\n");
+ *val = ~0;
return X86EMUL_OKAY;
}
diff --git a/xen/arch/x86/hvm/vpic.c b/xen/arch/x86/hvm/vpic.c
index fea3f68f9e..6e4d422cde 100644
--- a/xen/arch/x86/hvm/vpic.c
+++ b/xen/arch/x86/hvm/vpic.c
@@ -324,6 +324,7 @@ static int vpic_intercept_pic_io(
if ( bytes != 1 )
{
gdprintk(XENLOG_WARNING, "PIC_IO bad access size %d\n", bytes);
+ *val = ~0;
return X86EMUL_OKAY;
}
View Lorry Controller Status