1. Patchew
  2. linux
  3. View series

[PATCH v2] vduse: prevent uninitialized memory accesses

Maxime Coquelin posted 1 patch 3 years, 7 months ago
There is a newer version of this series
drivers/vdpa/vdpa_user/vduse_dev.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
[PATCH v2] vduse: prevent uninitialized memory accesses
Posted by Maxime Coquelin 3 years, 7 months ago 
If the VDUSE application provides a smaller config space
than the driver expects, the driver may use uninitialized
memory from the stack.

This patch prevents it by initializing the buffer passed by
the driver to store the config value.

This fix addresses CVE-2022-2308.

Cc: xieyongji@bytedance.com
Cc: stable@vger.kernel.org # v5.15+
Fixes: c8a6153b6c59 ("vduse: Introduce VDUSE - vDPA Device in Userspace")

Acked-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: Maxime Coquelin <maxime.coquelin@redhat.com>
---
 drivers/vdpa/vdpa_user/vduse_dev.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/drivers/vdpa/vdpa_user/vduse_dev.c b/drivers/vdpa/vdpa_user/vduse_dev.c
index 41c0b29739f1..35dceee3ed56 100644
--- a/drivers/vdpa/vdpa_user/vduse_dev.c
+++ b/drivers/vdpa/vdpa_user/vduse_dev.c
@@ -673,10 +673,15 @@ static void vduse_vdpa_get_config(struct vdpa_device *vdpa, unsigned int offset,
 {
 	struct vduse_dev *dev = vdpa_to_vduse(vdpa);
 
-	if (offset > dev->config_size ||
-	    len > dev->config_size - offset)
+	/* Initialize the buffer in case of partial copy. */
+	memset(buf, 0, len);
+
+	if (offset > dev->config_size)
 		return;
 
+	if (len > dev->config_size - offset)
+		len = dev->config_size - offset;
+
 	memcpy(buf, dev->config + offset, len);
 }
 
-- 
2.37.2
Re: [PATCH v2] vduse: prevent uninitialized memory accesses
Posted by Yongji Xie 3 years, 7 months ago 
On Mon, Aug 29, 2022 at 3:34 PM Maxime Coquelin
<maxime.coquelin@redhat.com> wrote:
>
> If the VDUSE application provides a smaller config space
> than the driver expects, the driver may use uninitialized
> memory from the stack.
>
> This patch prevents it by initializing the buffer passed by
> the driver to store the config value.
>
> This fix addresses CVE-2022-2308.
>
> Cc: xieyongji@bytedance.com
> Cc: stable@vger.kernel.org # v5.15+
> Fixes: c8a6153b6c59 ("vduse: Introduce VDUSE - vDPA Device in Userspace")
>
> Acked-by: Jason Wang <jasowang@redhat.com>
> Signed-off-by: Maxime Coquelin <maxime.coquelin@redhat.com>

Reviewed-by: Xie Yongji <xieyongji@bytedance.com>

Thanks,
Yongji
Re: [PATCH v2] vduse: prevent uninitialized memory accesses
Posted by Greg KH 3 years, 7 months ago 
On Mon, Aug 29, 2022 at 09:34:24AM +0200, Maxime Coquelin wrote:
> If the VDUSE application provides a smaller config space
> than the driver expects, the driver may use uninitialized
> memory from the stack.
> 
> This patch prevents it by initializing the buffer passed by
> the driver to store the config value.
> 
> This fix addresses CVE-2022-2308.
> 
> Cc: xieyongji@bytedance.com
> Cc: stable@vger.kernel.org # v5.15+
> Fixes: c8a6153b6c59 ("vduse: Introduce VDUSE - vDPA Device in Userspace")
> 
> Acked-by: Jason Wang <jasowang@redhat.com>
> Signed-off-by: Maxime Coquelin <maxime.coquelin@redhat.com>

Please no blank line above the Acked-by: line here if possible.

thanks,

greg k-h
Re: [PATCH v2] vduse: prevent uninitialized memory accesses
Posted by Maxime Coquelin 3 years, 7 months ago 
On 8/29/22 09:48, Greg KH wrote:
> On Mon, Aug 29, 2022 at 09:34:24AM +0200, Maxime Coquelin wrote:
>> If the VDUSE application provides a smaller config space
>> than the driver expects, the driver may use uninitialized
>> memory from the stack.
>>
>> This patch prevents it by initializing the buffer passed by
>> the driver to store the config value.
>>
>> This fix addresses CVE-2022-2308.
>>
>> Cc: xieyongji@bytedance.com
>> Cc: stable@vger.kernel.org # v5.15+
>> Fixes: c8a6153b6c59 ("vduse: Introduce VDUSE - vDPA Device in Userspace")
>>
>> Acked-by: Jason Wang <jasowang@redhat.com>
>> Signed-off-by: Maxime Coquelin <maxime.coquelin@redhat.com>
> 
> Please no blank line above the Acked-by: line here if possible.

Sure.

Jason, do you prefer I post a new revision with this single change or
you will handle it while applying? Either way is fine to me.

Thanks,
Maxime

> thanks,
> 
> greg k-h
>
Re: [PATCH v2] vduse: prevent uninitialized memory accesses
Posted by Michael S. Tsirkin 3 years, 7 months ago 
On Wed, Aug 31, 2022 at 05:01:11PM +0200, Maxime Coquelin wrote:
> On 8/29/22 09:48, Greg KH wrote:
> > On Mon, Aug 29, 2022 at 09:34:24AM +0200, Maxime Coquelin wrote:
> > > If the VDUSE application provides a smaller config space
> > > than the driver expects, the driver may use uninitialized
> > > memory from the stack.
> > > 
> > > This patch prevents it by initializing the buffer passed by
> > > the driver to store the config value.
> > > 
> > > This fix addresses CVE-2022-2308.
> > > 
> > > Cc: xieyongji@bytedance.com
> > > Cc: stable@vger.kernel.org # v5.15+
> > > Fixes: c8a6153b6c59 ("vduse: Introduce VDUSE - vDPA Device in Userspace")
> > > 
> > > Acked-by: Jason Wang <jasowang@redhat.com>
> > > Signed-off-by: Maxime Coquelin <maxime.coquelin@redhat.com>
> > 
> > Please no blank line above the Acked-by: line here if possible.
> 
> Sure.
> 
> Jason, do you prefer I post a new revision with this single change or
> you will handle it while applying? Either way is fine to me.
> 
> Thanks,
> Maxime

I queue these normally.

> > thanks,
> > 
> > greg k-h
> >
Re: [PATCH v2] vduse: prevent uninitialized memory accesses
Posted by Maxime Coquelin 3 years, 7 months ago 

On 8/31/22 17:46, Michael S. Tsirkin wrote:
> On Wed, Aug 31, 2022 at 05:01:11PM +0200, Maxime Coquelin wrote:
>> On 8/29/22 09:48, Greg KH wrote:
>>> On Mon, Aug 29, 2022 at 09:34:24AM +0200, Maxime Coquelin wrote:
>>>> If the VDUSE application provides a smaller config space
>>>> than the driver expects, the driver may use uninitialized
>>>> memory from the stack.
>>>>
>>>> This patch prevents it by initializing the buffer passed by
>>>> the driver to store the config value.
>>>>
>>>> This fix addresses CVE-2022-2308.
>>>>
>>>> Cc: xieyongji@bytedance.com
>>>> Cc: stable@vger.kernel.org # v5.15+
>>>> Fixes: c8a6153b6c59 ("vduse: Introduce VDUSE - vDPA Device in Userspace")
>>>>
>>>> Acked-by: Jason Wang <jasowang@redhat.com>
>>>> Signed-off-by: Maxime Coquelin <maxime.coquelin@redhat.com>
>>>
>>> Please no blank line above the Acked-by: line here if possible.
>>
>> Sure.
>>
>> Jason, do you prefer I post a new revision with this single change or
>> you will handle it while applying? Either way is fine to me.
>>
>> Thanks,
>> Maxime
> 
> I queue these normally.

Ok, I'm preparing the V2.

Thanks,
Maxime

>>> thanks,
>>>
>>> greg k-h
>>>
>
Re: [PATCH v2] vduse: prevent uninitialized memory accesses
Posted by Michael S. Tsirkin 3 years, 7 months ago 
On Wed, Aug 31, 2022 at 05:01:11PM +0200, Maxime Coquelin wrote:
> On 8/29/22 09:48, Greg KH wrote:
> > On Mon, Aug 29, 2022 at 09:34:24AM +0200, Maxime Coquelin wrote:
> > > If the VDUSE application provides a smaller config space
> > > than the driver expects, the driver may use uninitialized
> > > memory from the stack.
> > > 
> > > This patch prevents it by initializing the buffer passed by
> > > the driver to store the config value.
> > > 
> > > This fix addresses CVE-2022-2308.
> > > 
> > > Cc: xieyongji@bytedance.com
> > > Cc: stable@vger.kernel.org # v5.15+
> > > Fixes: c8a6153b6c59 ("vduse: Introduce VDUSE - vDPA Device in Userspace")
> > > 
> > > Acked-by: Jason Wang <jasowang@redhat.com>
> > > Signed-off-by: Maxime Coquelin <maxime.coquelin@redhat.com>
> > 
> > Please no blank line above the Acked-by: line here if possible.
> 
> Sure.
> 
> Jason, do you prefer I post a new revision with this single change or
> you will handle it while applying? Either way is fine to me.
> 
> Thanks,
> Maxime

Repost pls, easier.

> > thanks,
> > 
> > greg k-h
> >

Patchew 2.1-devel-ea86937

© 2016 - 2026 Red Hat, Inc.