Commit 85d9d044 authored by Li Qiang, committed by Gerd Hoffmann

virtio-gpu: fix information leak in capset get dispatch



In the virgl_cmd_get_capset function, it uses g_malloc to allocate
a response struct to the guest. As the 'resp' struct hasn't been fully
initialized, it will leak the 'resp->padding' field to the guest.
Use g_malloc0 to avoid this.

Signed-off-by: Li Qiang <liqiang6-s@360.cn>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-id: 58188cae.4a6ec20a.3d2d1.aff2@mx.google.com

[ kraxel: resolved conflict ]

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
parent b44486df
+1 −1
@@ -379,7 +379,7 @@ static void virgl_cmd_get_capset(VirtIOGPU *g,
        return;
    }

    resp = g_malloc(sizeof(*resp) + max_size);
    resp = g_malloc0(sizeof(*resp) + max_size);
    resp->hdr.type = VIRTIO_GPU_RESP_OK_CAPSET;
    virgl_renderer_fill_caps(gc.capset_id,
                             gc.capset_version,
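Review bot: The `resp = g_malloc0(sizeof(*resp) + max_size);` line carries no comment saying that the zeroing is required for confidentiality, so a later cleanup could switch it back to g_malloc and reintroduce the leak. Per the commit message this buffer is returned to the guest, and only `resp->hdr.type` is assigned explicitly before virgl_renderer_fill_caps() is called, so the zero fill is what covers `resp->padding` and any part of the max_size capset area that the fill call does not write. A one-line comment at the allocation stating that the response is guest-visible and must be zero-initialized would make this explicit. It would also be worth checking the other response allocations in this file for the same g_malloc pattern.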