    KVM: s390: do not expose random data via facility bitmap · 04478197
    Christian Borntraeger authored
    kvm_s390_get_machine() populates the facility bitmap by copying bytes
    from the host results that are stored in a 256 byte array in the prefix
    page. The KVM code does use the size of the target buffer (2k), thus
    copying and exposing unrelated kernel memory (mostly machine check
    related logout data).
    
    Let's use the size of the source buffer instead.  This is ok, as the
    target buffer will always be greater than or equal to the source buffer as
    the KVM internal buffers (and thus S390_ARCH_FAC_LIST_SIZE_BYTE) cover
    the maximum possible size that is allowed by STFLE, which is 256
    doublewords. All structures are zero allocated so we can leave bytes
    256-2047 unchanged.
    
    Add a similar fix for kvm_arch_init_vm().
    Reported-by: Heiko Carstens <heiko.carstens@de.ibm.com>
    [found with smatch]
    Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
    CC: stable@vger.kernel.org
    Acked-by: Cornelia Huck <cornelia.huck@de.ibm.com>
kvm-s390.c 86.3 KB
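The size mismatch the commit message describes, as an added user-space model (not the kernel code and not part of the commit). The struct, the function names and the 0xF0/0xAA fill bytes are constructed for illustration; only the 256-byte and 2k sizes come from the message.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SRC_BYTES 256   /* host facility list size, per the commit message */
#define DST_BYTES 2048  /* KVM target buffer (2k), per the commit message */
_Static_assert(SRC_BYTES <= DST_BYTES, "target buffer must cover the source");

/* Hypothetical stand-in for the prefix page: the facility list is
 * followed by unrelated data (the message mentions logout data). */
struct model_page {
    uint8_t fac_list[SRC_BYTES];
    uint8_t unrelated[DST_BYTES - SRC_BYTES];
};

/* Before the fix: the copy length is the size of the target buffer.
 * fac_list sits at offset 0, so the read starts at the page base and
 * runs on into the unrelated bytes behind the list. */
static void copy_before(uint8_t *dst, const struct model_page *p)
{
    memcpy(dst, (const uint8_t *)p, DST_BYTES);
}

/* After the fix: the copy length is the size of the source buffer. */
static void copy_after(uint8_t *dst, const struct model_page *p)
{
    memcpy(dst, p->fac_list, sizeof(p->fac_list));
}

/* Returns how many bytes past offset 255 of the zero-initialised
 * target are non-zero after the copy, i.e. how much leaked. */
size_t leaked_after_copy(int fixed)
{
    struct model_page page;
    uint8_t dst[DST_BYTES] = {0};
    size_t i, leaked = 0;

    memset(page.fac_list, 0xF0, sizeof(page.fac_list));   /* constructed bits */
    memset(page.unrelated, 0xAA, sizeof(page.unrelated)); /* constructed data */
    if (fixed) copy_after(dst, &page); else copy_before(dst, &page);
    for (i = SRC_BYTES; i < DST_BYTES; i++)
        leaked += (dst[i] != 0);
    return leaked;
}

int main(void)
{
    printf("before: %zu bytes leaked\n", leaked_after_copy(0));
    printf("after:  %zu bytes leaked\n", leaked_after_copy(1));
    return 0;
}
```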