Commit | Line | Data |
---|---|---|
f262231e WB |
1 | From bde803ceb42d6bddc06a1881c00acdf203214772 Mon Sep 17 00:00:00 2001 |
2 | From: Li Qiang <liqiang6-s@360.cn> | |
3 | Date: Tue, 1 Nov 2016 05:37:57 -0700 | |
4 | Subject: [PATCH 10/12] virtio-gpu: fix information leak in capset get dispatch | |
5 | ||
6 | In virgl_cmd_get_capset function, it uses g_malloc to allocate | |
7 | a response struct to the guest. As the 'resp' struct hasn't been fully | |
8 | initialized, it will leak the 'resp->padding' field to the guest. | |
9 | Use g_malloc0 to avoid this. | |
10 | ||
11 | Signed-off-by: Li Qiang <liqiang6-s@360.cn> | |
12 | --- | |
13 | hw/display/virtio-gpu-3d.c | 2 +- | |
14 | 1 file changed, 1 insertion(+), 1 deletion(-) | |
15 | ||
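diff --git a/hw/display/virtio-gpu-3d.c b/hw/display/virtio-gpu-3d.c
index 23f39de..d98b140 100644
--- a/hw/display/virtio-gpu-3d.c
+++ b/hw/display/virtio-gpu-3d.c
@@ -371,7 +371,7 @@ static void virgl_cmd_get_capset(VirtIOGPU *g,
 
 virgl_renderer_get_cap_set(gc.capset_id, &max_ver,
 &max_size);
- resp = g_malloc(sizeof(*resp) + max_size);
+ resp = g_malloc0(sizeof(*resp) + max_size);
 
 resp->hdr.type = VIRTIO_GPU_RESP_OK_CAPSET;
 virgl_renderer_fill_caps(gc.capset_id,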
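Review bot: `max_size` goes straight from `virgl_renderer_get_cap_set()` into the allocation size with no check between the two lines, so zeroing closes the padding leak but a guest-chosen `gc.capset_id` the renderer does not know is still answered. If the renderer reports a size of 0 in that case (not visible here), the function still builds a `VIRTIO_GPU_RESP_OK_CAPSET` reply; a guard such as `if (!max_size) { cmd->error = VIRTIO_GPU_RESP_ERR_INVALID_PARAMETER; return; }` before the `g_malloc0` line would reject it, assuming `cmd` is the command parameter of this handler. A one-line comment on the allocation, e.g. `/* zeroed: the whole response, padding included, is sent to the guest */`, would keep a later cleanup from reverting to `g_malloc`. The body of `virgl_cmd_get_capset` starts and ends outside the hunk, so the send path and any later validation are not shown.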
29 | -- | |
30 | 2.1.4 | |
31 |