Subject: Re: [Qemu-devel] [PATCH] hw/virtio/virtio-balloon: zero-initialize the virtio_balloon_config struct
From: Philippe Mathieu-Daudé
Date: Mon, 21 Jan 2019 11:42:12 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.4.0
On 1/18/19 7:36 PM, Peter Maydell wrote:
> In virtio_balloon_get_config() we initialize a struct virtio_balloon_config
> which we then copy to guest memory. However, the local variable is not
> zero initialized. This works OK at the moment because we initialize
> all the fields in it; however an upcoming kernel header change will
> add some new fields. If we don't zero out the whole struct then we
> will start leaking a small amount of the contents of QEMU's stack
> to the guest as soon as we update linux-headers/ to a set of headers
> that includes the new fields.
Is it worth Cc'ing address@hidden?
>
> Signed-off-by: Peter Maydell <address@hidden>
Reviewed-by: Philippe Mathieu-Daudé <address@hidden>
> ---
> It looks like none of the other virtio devices have this bug.
> Tested with "make check" only.
> As the commit message notes, must go in before our next headers update.
> ---
> hw/virtio/virtio-balloon.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/hw/virtio/virtio-balloon.c b/hw/virtio/virtio-balloon.c
> index 1728e4f83af..a12677d4d5b 100644
> --- a/hw/virtio/virtio-balloon.c
> +++ b/hw/virtio/virtio-balloon.c
> @@ -311,7 +311,7 @@ out:
> static void virtio_balloon_get_config(VirtIODevice *vdev, uint8_t
> *config_data)
> {
> VirtIOBalloon *dev = VIRTIO_BALLOON(vdev);
> - struct virtio_balloon_config config;
> + struct virtio_balloon_config config = {};
>
> config.num_pages = cpu_to_le32(dev->num_pages);
> config.actual = cpu_to_le32(dev->actual);
>
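Review bot: the `= {}` initializer on the `struct virtio_balloon_config config` line zeroes the named members, but the C standard does not guarantee that padding bytes inside the struct are zeroed, so the stack-leak this patch is meant to prevent is only fully closed while the struct stays free of padding; if the upcoming header change adds fields of a different width, a `memset(&config, 0, sizeof(config));` before the `config.num_pages` assignment would be the stricter fix, and it is worth stating in the commit message which of the two guarantees is being relied on.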