On 07/11/18 23:43, Liran Alon wrote:
> kvm_pv_clock_pairing() allocates local var
> "struct kvm_clock_pairing clock_pairing" on stack and initializes
> all it's fields besides padding (clock_pairing.pad[]).
>
> Because clock_pairing var is written completely (including padding)
> to guest memory, failure to init struct padding results in kernel
> info-leak.
>
> Fix the issue by making sure to also init the padding with zeroes.
>
> Fixes: 55dd00a73a51 ("KVM: x86: add KVM_HC_CLOCK_PAIRING hypercall")
>
> Reported-by: syzbot+a8ef68d71211ba264f56@xxxxxxxxxxxxxxxxxxxxxxxxx
> Reviewed-by: Mark Kanda <mark.kanda@xxxxxxxxxx>
> Signed-off-by: Liran Alon <liran.alon@xxxxxxxxxx>
> ---
> arch/x86/kvm/x86.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
> index 6095c8431b11..9db4fb6a372c 100644
> --- a/arch/x86/kvm/x86.c
> +++ b/arch/x86/kvm/x86.c
> @@ -7034,6 +7034,7 @@ static int kvm_pv_clock_pairing(struct kvm_vcpu *vcpu, gpa_t paddr,
> clock_pairing.nsec = ts.tv_nsec;
> clock_pairing.tsc = kvm_read_l1_tsc(vcpu, cycle);
> clock_pairing.flags = 0;
> + memset(&clock_pairing.pad, 0, sizeof(clock_pairing.pad));
>
> ret = 0;
> if (kvm_write_guest(vcpu->kvm, paddr, &clock_pairing,
>
Queued, thanks.
Paolo
