XSA-132

CVE-2015-3340


Problem description

http://xenbits.xen.org/xsa/advisory-132.html

information leak through uninitialized memory:

The handlers for XEN_DOMCTL_gettscinfo and XEN_SYSCTL_getdomaininfolist failed to initialize a padding field that is subsequently copied to guest memory.

uninitialized memory


Patch description

http://xenbits.xen.org/xsa/xsa132-4.2.patch

--- a/xen/arch/x86/domctl.c
+++ b/xen/arch/x86/domctl.c
@@ -1200,7 +1200,7 @@ long arch_do_domctl(
     case XEN_DOMCTL_gettscinfo:
     {
         struct domain *d;
-        xen_guest_tsc_info_t info;
+        xen_guest_tsc_info_t info = { 0 };
 
         ret = -ESRCH;
         d = rcu_lock_domain_by_id(domctl->domain);
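Review bot: the `= { 0 }` initializer on the `+` line relies on the compiler zeroing padding as well as named members; C11 requires that for implicitly initialized remainder of an aggregate, but since the advisory says the leaked field is a padding field, an explicit `memset(&info, 0, sizeof(info));` would make the intent unambiguous across compilers and standards. Also confirm that nothing between this declaration and the copy to the guest assigns a whole struct into `info`, because a struct copy carries the source object's padding with it and would undo the zeroing.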
--- a/xen/common/sysctl.c
+++ b/xen/common/sysctl.c
@@ -95,7 +95,7 @@ long do_sysctl(XEN_GUEST_HANDLE_PARAM(xe
     case XEN_SYSCTL_getdomaininfolist:
     { 
         struct domain *d;
-        struct xen_domctl_getdomaininfo info;
+        struct xen_domctl_getdomaininfo info = { 0 };
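Review bot: this hunk is cut short: the header promises seven lines of old context but the excerpt ends at the `+` line, so the trailing context showing how `info` is populated for each domain is not visible. Since `info` is declared once at case scope, a single `= { 0 }` here only keeps the padding clean if every later write is a per-member store; the code that follows (not shown) should be checked for whole-struct assignments from a source that is itself uninitialized.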

It just adds an initialization.
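As an added example (not the advisory's or Xen's code), the pattern the advisory describes on a constructed struct: a handler fills the members it cares about in a stack object that still holds leftover data, then copies the whole object out, so the untouched padding member travels with it. The struct layout, `SECRET_BYTE` and the `copy_to_guest` stand-in are assumptions for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed reply struct (not Xen's real layout): an explicit padding
 * member keeps the ABI stable, and it is exactly the member a handler
 * can forget to write. */
struct reply_info {
    uint32_t mode;
    uint32_t khz;
    uint32_t pad;            /* reserved; must reach the guest as zero */
    uint64_t elapsed_ns;
};

/* Stands in for whatever earlier hypervisor work left on the stack. */
#define SECRET_BYTE 0xAA

/* Pre-patch style: write the named members, copy the whole object out.
 * Whatever sits in `pad` is copied along with them. */
static void handler_unpatched(struct reply_info *info, uint8_t *guest) {
    info->mode = 1;
    info->khz = 2400000;
    info->elapsed_ns = 123456789ULL;
    /* info->pad is never written */
    memcpy(guest, info, sizeof(*info));   /* stands in for copy_to_guest */
}

/* Patched style: clear the entire object first (memset is the explicit
 * equivalent of the patch's `= { 0 }`), then fill the members. */
static void handler_patched(struct reply_info *info, uint8_t *guest) {
    memset(info, 0, sizeof(*info));
    info->mode = 1;
    info->khz = 2400000;
    info->elapsed_ns = 123456789ULL;
    memcpy(guest, info, sizeof(*info));
}

/* Runs a handler on a "stack slot" pre-filled with SECRET_BYTE and returns
 * how many bytes of `pad` reached the guest buffer still holding it. */
static size_t leaked_pad_bytes(void (*handler)(struct reply_info *, uint8_t *)) {
    union { struct reply_info info; uint8_t raw[sizeof(struct reply_info)]; } slot;
    uint8_t guest[sizeof(struct reply_info)];
    size_t i, leaked = 0;

    memset(slot.raw, SECRET_BYTE, sizeof(slot.raw));   /* leftover stack data */
    handler(&slot.info, guest);

    for (i = 0; i < sizeof(uint32_t); i++)
        if (guest[offsetof(struct reply_info, pad) + i] == SECRET_BYTE)
            leaked++;
    return leaked;
}
```

The unpatched handler leaks all four padding bytes; the patched one leaks none, and the same check can be pointed at any reply struct a handler copies out.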


Consequence

Malicious or buggy stub domain kernels or tool stacks otherwise living outside of Domain0 may be able to read sensitive data relating to the hypervisor or other guests not under the control of that domain.

Information leak