From: Maxime Coquelin
To: linux-kernel@vger.kernel.org, virtualization@lists.linux-foundation.org,
    elic@nvidia.com, guanjun@linux.alibaba.com, parav@nvidia.com,
    gautam.dawar@xilinx.com, dan.carpenter@oracle.com, xieyongji@bytedance.com,
    jasowang@redhat.com, mst@redhat.com
Cc: Maxime Coquelin , stable@vger.kernel.org
Subject: [PATCH v2] vduse: prevent uninitialized memory accesses
Date: Mon, 29 Aug 2022 09:34:24 +0200
Message-Id: <20220829073424.5677-1-maxime.coquelin@redhat.com>

If the VDUSE application provides a smaller config space than the driver
expects, the driver may use uninitialized memory from the stack.

This patch prevents it by initializing the buffer passed by the driver to
store the config value.

This fix addresses CVE-2022-2308.

Cc: xieyongji@bytedance.com
Cc: stable@vger.kernel.org # v5.15+
Fixes: c8a6153b6c59 ("vduse: Introduce VDUSE - vDPA Device in Userspace")
Acked-by: Jason Wang
Signed-off-by: Maxime Coquelin
Reviewed-by: Xie Yongji

--- drivers/vdpa/vdpa_user/vduse_dev.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/drivers/vdpa/vdpa_user/vduse_dev.c b/drivers/vdpa/vdpa_user/vd= use_dev.c index 41c0b29739f1..35dceee3ed56 100644 --- a/drivers/vdpa/vdpa_user/vduse_dev.c +++ b/drivers/vdpa/vdpa_user/vduse_dev.c 
@@ -673,10 +673,15 @@ static void vduse_vdpa_get_config(struct vdpa_device = *vdpa, unsigned int offset, { struct vduse_dev *dev =3D vdpa_to_vduse(vdpa); =20 - if (offset > dev->config_size || - len > dev->config_size - offset) + /* Initialize the buffer in case of partial copy. */ + memset(buf, 0, len); + + if (offset > dev->config_size) return; =20 + if (len > dev->config_size - offset) + len =3D dev->config_size - offset; + memcpy(buf, dev->config + offset, len); } =20 --=20 2.37.2
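
Review bot: The comment above `memset(buf, 0, len)` says the buffer is zeroed "in case of partial copy", but the same memset is also what covers the `offset > dev->config_size` early return, where nothing is copied at all; the comment should name both cases so a later cleanup does not move the memset below the bounds check. Because vduse_vdpa_get_config() returns void, the caller cannot tell a zero-padded tail from real config bytes, so it is worth documenting at the function that reads beyond `dev->config_size` yield zeros. Minor: with `offset == dev->config_size` the code falls through, clamps `len` to 0 and calls memcpy() with a zero length; that is harmless, but `offset >= dev->config_size` would let the early return handle it.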