CVE-2014-4022
http://xenbits.xen.org/xsa/advisory-101.html
information leak via gnttab_setup_table on ARM
When initialising an internal data structure on the ARM platform, Xen was not correctly initialising the memory containing the list of a domain's grant table pages. This list is returned by the GNTTABOP_setup_table subhypercall, leading to an information leak.
uninitialized memory
http://xenbits.xen.org/xsa/xsa101.patch
xen: arm: initialise the grant_table_gpfn array on allocation
Avoids leaking uninitialised memory via the grant table setup hypercall.
--- a/xen/arch/arm/domain.c
+++ b/xen/arch/arm/domain.c
@@ -394,7 +394,7 @@ struct domain *alloc_domain_struct(void)
return NULL;
clear_page(d);
- d->arch.grant_table_gpfn = xmalloc_array(xen_pfn_t, max_nr_grant_frames);
+ d->arch.grant_table_gpfn = xzalloc_array(xen_pfn_t, max_nr_grant_frames);
return d;
}
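Review bot: the allocation result on the `+` line is still not checked before `return d;`, so if xzalloc_array fails the domain is returned with `arch.grant_table_gpfn == NULL` and the first grant-table setup for that domain will dereference a NULL pointer. Suggest adding `if ( d->arch.grant_table_gpfn == NULL )` that releases `d` (allocated above the hunk) and returns NULL, mirroring the early `return NULL;` at the top of the hunk. The switch to xzalloc_array itself is the right fix for the leak, since entries the setup path has not yet written are now zero rather than stale heap contents.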
Replace xmalloc with xzalloc, which initialises the memory to 0.
Malicious guest administrators can obtain some of the memory contents of other domains:
Up to 8*max_nr_grant_frames bytes of uninitialised memory can be leaked to the calling domain. This memory may have been previously used by either the hypervisor or other guests.
The default max_nr_grant_frames is 32, hence by default 256 bytes may be leaked in this way. However, this can be overridden via the gnttab_max_nr_frames hypervisor command line option.
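The following is an added model of the leak described above and of the 8*max_nr_grant_frames bound; it is not Xen code. The arena allocator, guest_maps_frames and setup_table are hypothetical stand-ins for xmalloc_array/xzalloc_array, the guest's mapping of grant frames, and the GNTTABOP_setup_table path, and the model assumes (not shown on the page) that an entry of the array is written only when the guest maps that frame, while the hypercall returns one entry per frame requested.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_NR_GRANT_FRAMES 32u     /* Xen's default max_nr_grant_frames */
typedef uint64_t xen_pfn_t;         /* 8 bytes, so at most 8*32 = 256 bytes leak */
#define SECRET_BYTE 0xA5            /* constructed content of the previous owner */

/* Hypothetical one-block heap: hands back the same memory without clearing it,
 * as a real allocator does when it reuses a recently freed block. */
static unsigned char arena[MAX_NR_GRANT_FRAMES * sizeof(xen_pfn_t)];

static void *arena_alloc(void)  { return arena; }                           /* xmalloc_array */
static void *arena_zalloc(void) { memset(arena, 0, sizeof arena); return arena; } /* xzalloc_array */

/* Assumed model: an entry is written only when the guest maps that grant frame
 * into its physmap. Here frames 0..nr_mapped-1 have been mapped. */
static void guest_maps_frames(xen_pfn_t *gpfn, unsigned nr_mapped)
{
    for (unsigned i = 0; i < nr_mapped; i++)
        gpfn[i] = 0x80000 + i;          /* constructed guest frame numbers */
}

/* Assumed model of GNTTABOP_setup_table: returns one entry per requested frame,
 * whether or not the guest has mapped that frame yet. */
static void setup_table(const xen_pfn_t *gpfn, unsigned nr_frames, xen_pfn_t *out)
{
    memcpy(out, gpfn, nr_frames * sizeof(xen_pfn_t));
}

/* Runs the sequence once and returns how many bytes of the previous owner's data
 * the guest receives. zero_on_alloc=0 is the pre-patch behaviour; nr_frames must
 * not exceed MAX_NR_GRANT_FRAMES. */
size_t leaked_bytes(int zero_on_alloc, unsigned nr_mapped, unsigned nr_frames)
{
    xen_pfn_t guest_buf[MAX_NR_GRANT_FRAMES] = { 0 };
    size_t leaked = 0;

    memset(arena, SECRET_BYTE, sizeof arena);   /* hypervisor or other-guest data */
    xen_pfn_t *gpfn = zero_on_alloc ? arena_zalloc() : arena_alloc();
    guest_maps_frames(gpfn, nr_mapped);
    setup_table(gpfn, nr_frames, guest_buf);

    for (size_t i = 0; i < nr_frames * sizeof(xen_pfn_t); i++)
        if (((unsigned char *)guest_buf)[i] == SECRET_BYTE)
            leaked++;
    return leaked;
}
```

With nothing mapped and all 32 frames requested, the pre-patch allocation exposes the full 256 bytes; the zeroing allocation exposes none.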
information leak