From: Jan Beulich <jbeulich@suse.com>

Subject: x86/HVM: prefill partially used variable on emulation paths

Certain handlers ignore the access size (vioapic_write() being the

example this was found with), perhaps leading to subsequent reads

seeing data that wasn't actually written by the guest. For

consistency and extra safety also do this on the read path of

hvm_process_io_intercept(), even if this doesn't directly affect what

guests get to see, as we've supposedly already dealt with read handlers

leaving data completely unitialized.

This is XSA-239.

Reported-by: Roger Pau Monné <roger.pau@citrix.com>

Reviewed-by: Roger Pau Monné <roger.pau@citrix.com>

Signed-off-by: Jan Beulich <jbeulich@suse.com>

--- a/xen/arch/x86/hvm/emulate.c

+++ b/xen/arch/x86/hvm/emulate.c

@@ -129,7 +129,7 @@ static int hvmemul_do_io(

         .count = *reps,

         .dir = dir,

         .df = df,

-        .data = data,

+        .data = data_is_addr ? data : 0,

         .data_is_ptr = data_is_addr, /* ioreq_t field name is misleading */

         .state = STATE_IOREQ_READY,

     };

--- a/xen/arch/x86/hvm/intercept.c

+++ b/xen/arch/x86/hvm/intercept.c

@@ -127,6 +127,7 @@ int hvm_process_io_intercept(const struc

             addr = (p->type == IOREQ_TYPE_COPY) ?

                    p->addr + step * i :

                    p->addr;

+            data = 0;

             rc = ops->read(handler, addr, p->size, &data);

             if ( rc != X86EMUL_OKAY )

                 break;

@@ -161,6 +162,7 @@ int hvm_process_io_intercept(const struc

         {

             if ( p->data_is_ptr )

             {

+                data = 0;

                 switch ( hvm_copy_from_guest_phys(&data, p->data + step * i,

                                                   p->size) )

                 {