| From foo@baz Sun Jun 17 12:07:33 CEST 2018 |
| From: Simon Gaiser <simon@invisiblethingslab.com> |
| Date: Thu, 15 Mar 2018 04:08:03 +0100 |
| Subject: xen: xenbus_dev_frontend: Really return response string |
| |
| From: Simon Gaiser <simon@invisiblethingslab.com> |
| |
| [ Upstream commit ebf04f331fa15a966262341a7dc6b1a0efd633e4 ] |
| |
| xenbus_command_reply() did not actually copy the response string and |
| leaked stack content instead. |
| |
| Fixes: 9a6161fe73bd ("xen: return xenstore command failures via response instead of rc") |
| Signed-off-by: Simon Gaiser <simon@invisiblethingslab.com> |
| Reviewed-by: Juergen Gross <jgross@suse.com> |
| Signed-off-by: Boris Ostrovsky <boris.ostrovsky@oracle.com> |
| Signed-off-by: Sasha Levin <alexander.levin@microsoft.com> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| --- |
| drivers/xen/xenbus/xenbus_dev_frontend.c | 3 ++- |
| 1 file changed, 2 insertions(+), 1 deletion(-) |
| |
| --- a/drivers/xen/xenbus/xenbus_dev_frontend.c |
| +++ b/drivers/xen/xenbus/xenbus_dev_frontend.c |
| @@ -403,7 +403,7 @@ static int xenbus_command_reply(struct x |
| { |
| struct { |
| struct xsd_sockmsg hdr; |
| - const char body[16]; |
| + char body[16]; |
| } msg; |
| int rc; |
| |
| @@ -412,6 +412,7 @@ static int xenbus_command_reply(struct x |
| msg.hdr.len = strlen(reply) + 1; |
| if (msg.hdr.len > sizeof(msg.body)) |
| return -E2BIG; |
| + memcpy(&msg.body, reply, msg.hdr.len); |
| |
| mutex_lock(&u->reply_mutex); |
| rc = queue_reply(&u->read_buffers, &msg, sizeof(msg.hdr) + msg.hdr.len); |