$NetBSD: patch-CVE-2015-2044,v 1.1 2015/03/05 13:44:57 spz Exp $

x86/HVM: return all ones on wrong-sized reads of system device I/O ports

So far the value presented to the guest remained uninitialized.

This is CVE-2015-2044 / XSA-121.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>

--- xen/arch/x86/hvm/rtc.c.orig	2014-09-02 06:22:57.000000000 +0000
+++ xen/arch/x86/hvm/rtc.c
@@ -619,7 +619,8 @@ static int handle_rtc_io(
 
     if ( bytes != 1 )
     {
-        gdprintk(XENLOG_WARNING, "HVM_RTC bas access\n");
+        gdprintk(XENLOG_WARNING, "HVM_RTC bad access\n");
+        *val = ~0;
         return X86EMUL_OKAY;
     }
     
--- xen/arch/x86/hvm/i8254.c.orig	2014-09-02 06:22:57.000000000 +0000
+++ xen/arch/x86/hvm/i8254.c
@@ -478,6 +478,7 @@ static int handle_pit_io(
     if ( bytes != 1 )
     {
         gdprintk(XENLOG_WARNING, "PIT bad access\n");
+        *val = ~0;
         return X86EMUL_OKAY;
     }
 
--- xen/arch/x86/hvm/pmtimer.c.orig	2014-09-02 06:22:57.000000000 +0000
+++ xen/arch/x86/hvm/pmtimer.c
@@ -213,6 +213,7 @@ static int handle_pmt_io(
     if ( bytes != 4 )
     {
         gdprintk(XENLOG_WARNING, "HVM_PMT bad access\n");
+        *val = ~0;
         return X86EMUL_OKAY;
     }
     
--- xen/arch/x86/hvm/vpic.c.orig	2014-09-02 06:22:57.000000000 +0000
+++ xen/arch/x86/hvm/vpic.c
@@ -324,6 +324,7 @@ static int vpic_intercept_pic_io(
     if ( bytes != 1 )
     {
         gdprintk(XENLOG_WARNING, "PIC_IO bad access size %d\n", bytes);
+        *val = ~0;
         return X86EMUL_OKAY;
     }
 
