On Tue, Feb 14, 2023 at 6:33 PM Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> wrote:
>
> When calling the KVM_GET_DEBUGREGS ioctl, on some configurations, there
> might be some uninitialized portions of the kvm_debugregs structure that
> could be copied to userspace. Prevent this as is done in the other kvm
> ioctls, by setting the whole structure to 0 before copying anything into
> it.
>
> Bonus is that this reduces the lines of code as the explicit flag
> setting and reserved space zeroing out can be removed.
>
> Cc: Sean Christopherson <seanjc@xxxxxxxxxx>
> Cc: Paolo Bonzini <pbonzini@xxxxxxxxxx>
> Cc: Thomas Gleixner <tglx@xxxxxxxxxxxxx>
> Cc: Ingo Molnar <mingo@xxxxxxxxxx>
> Cc: Borislav Petkov <bp@xxxxxxxxx>
> Cc: Dave Hansen <dave.hansen@xxxxxxxxxxxxxxx>
> Cc: <x86@xxxxxxxxxx>
> Cc: "H. Peter Anvin" <hpa@xxxxxxxxx>
> Cc: stable <stable@xxxxxxxxxx>
> Reported-by: Xingyuan Mo <hdthky0@xxxxxxxxx>
> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
> ---
> arch/x86/kvm/x86.c | 3 +--
> 1 file changed, 1 insertion(+), 2 deletions(-)
>
> diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
> index da4bbd043a7b..50a95c8082fa 100644
> --- a/arch/x86/kvm/x86.c
> +++ b/arch/x86/kvm/x86.c
> @@ -5254,12 +5254,11 @@ static void kvm_vcpu_ioctl_x86_get_debugregs(struct kvm_vcpu *vcpu,
> {
> unsigned long val;
>
> + memset(dbgregs, 0, sizeof(*dbgregs));
> memcpy(dbgregs->db, vcpu->arch.db, sizeof(vcpu->arch.db));
> kvm_get_dr(vcpu, 6, &val);
> dbgregs->dr6 = val;
> dbgregs->dr7 = vcpu->arch.dr7;
> - dbgregs->flags = 0;
> - memset(&dbgregs->reserved, 0, sizeof(dbgregs->reserved));
> }
>
> static int kvm_vcpu_ioctl_x86_set_debugregs(struct kvm_vcpu *vcpu,
> --
> 2.39.1
>

Tested-by: Xingyuan Mo <hdthky0@xxxxxxxxx>
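Review bot: the commit message should say which bytes of struct kvm_debugregs were actually left uninitialized, because the hunk does not show any: the two removed lines already zeroed `flags` and the whole `reserved` array, and `db`, `dr6` and `dr7` are all written explicitly, so the only thing the new `memset(dbgregs, 0, sizeof(*dbgregs))` can additionally cover is compiler padding between or after those fields. If the structure has no such padding this is a cleanup rather than a leak fix and the "Cc: stable" tag is not warranted; if it does, name the padding so the stable backport is justified. The ordering is right as written: the memset has to stay before the memcpy and the dr6/dr7 stores, otherwise it would wipe them.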