> -----Original Message-----
> From: Haoyu Li <lihaoyu499@xxxxxxxxx>
> Sent: Thursday, January 30, 2025 7:58 PM
> To: Li, Fei1 <fei1.li@xxxxxxxxx>; Shuo Liu <shuo.a.liu@xxxxxxxxx>; Chatre, Reinette <reinette.chatre@xxxxxxxxx>; Zhi Wang <zhi.a.wang@xxxxxxxxx>; Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
> Cc: linux-kernel@xxxxxxxxxxxxxxx; chenyuan0y@xxxxxxxxx; Haoyu Li <lihaoyu499@xxxxxxxxx>; stable@xxxxxxxxxxxxxxx
> Subject: [PATCH] drivers: virt: acrn: hsm: Use kzalloc to avoid info leak in pmcmd_ioctl
>
> In the "pmcmd_ioctl" function, three memory objects allocated by kmalloc are initialized by "hcall_get_cpu_state", which are then copied to user space. The initializer is indeed implemented in "acrn_hypercall2" (arch/x86/include/asm/acrn.h). There is a risk of information leakage due to uninitialized bytes.
>
> Fixes: 3d679d5aec64 ("virt: acrn: Introduce interfaces to query C-states and P-states allowed by hypervisor")
> Signed-off-by: Haoyu Li <lihaoyu499@xxxxxxxxx>

Acked-by: Fei Li <fei1.li@xxxxxxxxx>

Thanks.

> Cc: stable@xxxxxxxxxxxxxxx
> ---
> drivers/virt/acrn/hsm.c | 6 +++---
> 1 file changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/virt/acrn/hsm.c b/drivers/virt/acrn/hsm.c index > c24036c4e51e..e4e196abdaac 100644 > --- a/drivers/virt/acrn/hsm.c > +++ b/drivers/virt/acrn/hsm.c > @@ -49,7 +49,7 @@ static int pmcmd_ioctl(u64 cmd, void __user *uptr) > switch (cmd & PMCMD_TYPE_MASK) { > case ACRN_PMCMD_GET_PX_CNT: > case ACRN_PMCMD_GET_CX_CNT: > - pm_info = kmalloc(sizeof(u64), GFP_KERNEL); > + pm_info = kzalloc(sizeof(u64), GFP_KERNEL); > if (!pm_info) > return -ENOMEM; > > @@ -64,7 +64,7 @@ static int pmcmd_ioctl(u64 cmd, void __user *uptr) > kfree(pm_info); > break; > case ACRN_PMCMD_GET_PX_DATA: > - px_data = kmalloc(sizeof(*px_data), GFP_KERNEL); > + px_data = kzalloc(sizeof(*px_data), GFP_KERNEL); > if (!px_data) > return -ENOMEM; 
> > @@ -79,7 +79,7 @@ static int pmcmd_ioctl(u64 cmd, void __user *uptr) > kfree(px_data); > break; > case ACRN_PMCMD_GET_CX_DATA: > - cx_data = kmalloc(sizeof(*cx_data), GFP_KERNEL); > + cx_data = kzalloc(sizeof(*cx_data), GFP_KERNEL); > if (!cx_data) > return -ENOMEM; > > -- > 2.34.1
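Review bot: In the first hunk (the ACRN_PMCMD_GET_PX_CNT / ACRN_PMCMD_GET_CX_CNT case at @@ -49,7), kzalloc is the right minimal fix, but the commit message should state precisely why the bytes can be left uninitialized, since "The initializer is indeed implemented in acrn_hypercall2" does not say that: the hypervisor fills the buffer and nothing on the guest side guarantees every byte is written before the value is copied to user space. The hunk also shows that the allocation is exactly `sizeof(u64)`; a zero-initialised local (`u64 pm_info = 0;`) would remove both the heap allocation and the `kfree(pm_info)` in the following context, though that is a larger change than a stable backport wants and can be a follow-up.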
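Review bot: For the ACRN_PMCMD_GET_PX_DATA and ACRN_PMCMD_GET_CX_DATA hunks (@@ -64,7 and @@ -79,7), the switch to kzalloc is correct and zeroes the whole `*px_data` / `*cx_data` object, padding included, so no stale heap contents can reach user space through these buffers. Zeroing only neutralises the uninitialized-bytes case, however; the visible context stops before the hypercall and the copy to user space, so it is worth confirming (and mentioning in the commit message) that the copy is still skipped when hcall_get_cpu_state fails, since kzalloc turns a leak into a silent all-zero result rather than an error in that path.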