From patchwork Tue Nov 1 09:53:11 2016
X-Patchwork-Submitter: Li Qiang
X-Patchwork-Id: 689801
Message-ID: <5818661e.0860240a.77264.7a56@mx.google.com>
X-Google-Original-Message-ID: <1477993991-10537-1-git-send-email-Qiang(liqiang6-s@360.cn)>
From: Li Qiang
X-Google-Original-From: Li Qiang(liqiang6-s@360.cn)
To: kraxel@redhat.com, qemu-devel@nongnu.org
Cc: Li Qiang
Date: Tue, 1 Nov 2016 02:53:11 -0700
Subject: [Qemu-devel] [PATCH] virtio-gpu: fix information leak in getting capset info dispatch

In the virgl_cmd_get_capset_info dispatch function, 'resp' hasn't been fully initialized before being written to the guest. This will leak the 'resp.padding' and 'resp.hdr.padding' fields to the guest. This patch fixes this issue.

Signed-off-by: Li Qiang
---
 hw/display/virtio-gpu-3d.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/hw/display/virtio-gpu-3d.c b/hw/display/virtio-gpu-3d.c index 758d33a..23f39de 100644 --- a/hw/display/virtio-gpu-3d.c +++ b/hw/display/virtio-gpu-3d.c @@ -347,6 +347,7 @@ static void virgl_cmd_get_capset_info(VirtIOGPU *g, VIRTIO_GPU_FILL_CMD(info); + memset(&resp, 0, sizeof(resp)); if (info.capset_index == 0) { resp.capset_id = VIRTIO_GPU_CAPSET_VIRGL; virgl_renderer_get_cap_set(resp.capset_id,
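Review bot: the added memset(&resp, 0, sizeof(resp)) sits after VIRTIO_GPU_FILL_CMD(info) and before the first store to resp.capset_id, which is the right place, but the declaration of resp and any code between it and line 347 are outside this hunk; please confirm nothing fills resp.hdr earlier in the function, because this memset would silently discard it. With that confirmed, zeroing the whole object also covers any member that the capset_index branches below leave unset, not only the two padding fields the commit message names; that is worth a sentence in the commit message.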
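The leak the commit message describes, as an added example that is not QEMU's code: the structs below are a simplified model of the virtio-gpu control header and capset-info response with their explicit padding members (the exact layout and the RESP_OK_CAPSET_INFO value are assumptions made for this example). build_response_unsafe assigns only the named data fields, as the pre-patch handler did, while build_response_fixed zeroes the object first, as the patch does. leaked_bytes is a poison-fill harness of the kind a unit test can use to catch this bug class: it pre-fills the response memory with a constructed pattern standing in for stale host data and counts how many pattern bytes would reach the guest.

```c
/* Added example, not QEMU code: models the virtio-gpu capset-info response
 * with explicit 'padding' members (layout simplified after the virtio-gpu
 * spec; treat it as an assumption) and shows why a response that is only
 * filled field by field leaks whatever the memory held before. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical response type code, used only by this example. */
#define RESP_OK_CAPSET_INFO 0x1102u

struct ctrl_hdr {
    uint32_t type;
    uint32_t flags;
    uint64_t fence_id;
    uint32_t ctx_id;
    uint32_t padding;     /* never assigned by the unsafe builder */
};

struct resp_capset_info {
    struct ctrl_hdr hdr;
    uint32_t capset_id;
    uint32_t capset_max_version;
    uint32_t capset_max_size;
    uint32_t padding;     /* never assigned by the unsafe builder */
};

/* Fills only the named fields the handler cares about, like the pre-patch
 * code: both padding members keep whatever the memory held before. */
static void build_response_unsafe(struct resp_capset_info *resp)
{
    resp->hdr.type = RESP_OK_CAPSET_INFO;
    resp->hdr.flags = 0;
    resp->hdr.fence_id = 7;
    resp->hdr.ctx_id = 3;
    resp->capset_id = 1;
    resp->capset_max_version = 1;
    resp->capset_max_size = 0x1000;
}

/* Same fields, but the whole object is zeroed first, as the patch does. */
static void build_response_fixed(struct resp_capset_info *resp)
{
    memset(resp, 0, sizeof(*resp));
    build_response_unsafe(resp);
}

/* Counts bytes of the object that still carry the poison pattern: these
 * are the bytes a guest reading the response would receive from stale
 * host memory. */
size_t count_stale_bytes(const void *obj, size_t len, uint8_t poison)
{
    const uint8_t *p = obj;
    size_t n = 0;
    for (size_t i = 0; i < len; i++)
        n += (p[i] == poison);
    return n;
}

/* Poison-fill harness: pre-fill the response memory with a constructed
 * pattern (0x41, standing in for stale host data), build the response,
 * and report how many poison bytes survive. The unsafe builder leaves 8
 * (hdr.padding and padding, 4 bytes each); the fixed builder leaves 0. */
size_t leaked_bytes(int use_fixed)
{
    struct resp_capset_info resp;
    memset(&resp, 0x41, sizeof(resp));
    if (use_fixed)
        build_response_fixed(&resp);
    else
        build_response_unsafe(&resp);
    return count_stale_bytes(&resp, sizeof(resp), 0x41);
}

int main(void)
{
    printf("unsafe builder leaks %zu bytes\n", leaked_bytes(0));
    printf("fixed  builder leaks %zu bytes\n", leaked_bytes(1));
    return 0;
}
```

The harness counts only bytes equal to the poison value, so the data values it assigns are chosen not to contain 0x41; in a real test, running the same check with two different poison patterns removes that caveat. Because every member of the model is named, the result does not depend on how the compiler treats implicit padding.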