From: Maxime Coquelin
To: linux-kernel@vger.kernel.org, virtualization@lists.linux-foundation.org, elic@nvidia.com, guanjun@linux.alibaba.com, parav@nvidia.com, gautam.dawar@xilinx.com, dan.carpenter@oracle.com, xieyongji@bytedance.com, jasowang@redhat.com, mst@redhat.com
Cc: gregkh@linuxfoundation.org, Maxime Coquelin, stable@vger.kernel.org
Subject: [PATCH v3] vduse: prevent uninitialized memory accesses
Date: Wed, 31 Aug 2022 17:49:23 +0200
Message-Id: <20220831154923.97809-1-maxime.coquelin@redhat.com>

If the VDUSE application provides a smaller config space than the driver expects, the driver may use uninitialized memory from the stack.

This patch prevents it by initializing the buffer passed by the driver to store the config value.

This fix addresses CVE-2022-2308.

Cc: stable@vger.kernel.org # v5.15+
Fixes: c8a6153b6c59 ("vduse: Introduce VDUSE - vDPA Device in Userspace")
Reviewed-by: Xie Yongji
Acked-by: Jason Wang
Signed-off-by: Maxime Coquelin
Reviewed-by: Chaitanya Kulkarni
---
 drivers/vdpa/vdpa_user/vduse_dev.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/drivers/vdpa/vdpa_user/vduse_dev.c b/drivers/vdpa/vdpa_user/vd= use_dev.c index 41c0b29739f1..35dceee3ed56 100644 --- a/drivers/vdpa/vdpa_user/vduse_dev.c +++ b/drivers/vdpa/vdpa_user/vduse_dev.c
@@ -673,10 +673,15 @@ static void vduse_vdpa_get_config(struct vdpa_device = *vdpa, unsigned int offset, { struct vduse_dev *dev =3D vdpa_to_vduse(vdpa); =20 - if (offset > dev->config_size || - len > dev->config_size - offset) + /* Initialize the buffer in case of partial copy. */ + memset(buf, 0, len); + + if (offset > dev->config_size) return; =20 + if (len > dev->config_size - offset) + len =3D dev->config_size - offset; + memcpy(buf, dev->config + offset, len); } =20 --=20 2.37.2
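
Review bot: In vduse_vdpa_get_config(), an out-of-range read is still silent. The function is void, so with this change a caller whose offset is past dev->config_size gets an all-zero buffer, and a caller whose len runs past the end gets a truncated copy padded with zeros, with nothing to tell either apart from a device that really reports zeros. The removed check returned without copying in the second case, whereas the new clamp of len to dev->config_size - offset does a partial copy; the one-line comment above the memset() only hints at that behaviour change. Consider expanding that comment to state both cases (offset out of range yields zeros, oversized len is clamped and zero-padded), and consider a rate-limited warning on those two paths so that a VDUSE application providing a config space smaller than the driver expects shows up in the log.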