Headline
CVE-2022-0998: [PATCH AUTOSEL 5.15 13/16] vdpa: clean up get_config_size ret value handling
An integer overflow flaw was found in the Linux kernel’s virtio device driver code in the way a user triggers the vhost_vdpa_config_validate function. This flaw allows a local user to crash or potentially escalate their privileges on the system.
From: Sasha Levin [email protected] To: [email protected], [email protected] Cc: Laura Abbott [email protected], Luo Likang [email protected], “Michael S . Tsirkin” [email protected], Sasha Levin [email protected], [email protected], [email protected], [email protected], [email protected] Subject: [PATCH AUTOSEL 5.15 13/16] vdpa: clean up get_config_size ret value handling Date: Sat, 22 Jan 2022 19:12:12 -0500 [thread overview] Message-ID: [email protected] (raw) In-Reply-To: <[email protected]>
From: Laura Abbott [email protected]
[ Upstream commit 870aaff92e959e29d40f9cfdb5ed06ba2fc2dae0 ]
The return type of get_config_size is size_t so it makes sense to change the type of the variable holding its result.
That said, this already got taken care of (differently, and arguably not as well) by commit 3ed21c1451a1 (“vdpa: check that offsets are within bounds”).
The added ‘c->off > size’ test in that commit will be done as an unsigned comparison on 32-bit (safe due to not being signed).
On a 64-bit platform, it will be done as a signed comparison, but in that case the comparison will be done in 64-bit, and ‘c->off’ being an u32 it will be valid thanks to the extended range (ie both values will be positive in 64 bits).
So this was a real bug, but it was already addressed and marked for stable.
Signed-off-by: Laura Abbott [email protected] Reported-by: Luo Likang [email protected] Signed-off-by: Michael S. Tsirkin [email protected] Signed-off-by: Sasha Levin [email protected]
drivers/vhost/vdpa.c | 2 ± 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/vhost/vdpa.c b/drivers/vhost/vdpa.c index d62f05d056b7b…913cd465f9f1e 100644 — a/drivers/vhost/vdpa.c +++ b/drivers/vhost/vdpa.c @@ -195,7 +195,7 @@ static int vhost_vdpa_config_validate(struct vhost_vdpa *v, struct vhost_vdpa_config *c) { struct vdpa_device *vdpa = v->vdpa; - long size = vdpa->config->get_config_size(vdpa);
size_t size = vdpa->config->get_config_size(vdpa);
if (c->len == 0 || c->off > size) return -EINVAL; – 2.34.1
next prev parent reply other threads:[~2022-01-23 0:14 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top [not found] <[email protected]> 2022-01-23 0:12 ` [PATCH AUTOSEL 5.15 07/16] sit: allow encapsulated IPv6 traffic to be delivered locally Sasha Levin 2022-01-23 0:12 ` [PATCH AUTOSEL 5.15 09/16] net: apple: mace: Fix build since dev_addr constification Sasha Levin 2022-01-23 0:12 ` [PATCH AUTOSEL 5.15 10/16] net: apple: bmac: " Sasha Levin 2022-01-23 0:12 ` [PATCH AUTOSEL 5.15 12/16] vhost/test: fix memory leak of vhost virtqueues Sasha Levin 2022-01-23 0:12 ` Sasha Levin [this message] 2022-04-02 3:57 ` [PATCH AUTOSEL 5.15 13/16] vdpa: clean up get_config_size ret value handling Dan Carpenter
Reply instructions:
You may reply publicly to this message via plain-text email using any one of the following methods:
* Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the –to, –cc, and –in-reply-to switches of git-send-email(1):
git send-email \ –[email protected] \ –[email protected] \ –[email protected] \ –[email protected] \ –[email protected] \ –[email protected] \ –[email protected] \ –[email protected] \ –[email protected] \ –[email protected] \ –[email protected] \ /path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).