|
Message-ID: <20220402035749.GA31424@kili> Date: Sat, 2 Apr 2022 06:57:49 +0300 From: Dan Carpenter <dan.carpenter@...cle.com> To: Sasha Levin <sashal@...nel.org> Cc: linux-kernel@...r.kernel.org, stable@...r.kernel.org, Laura Abbott <labbott@...nel.org>, Luo Likang <luolikang@...ocus.com>, "Michael S . Tsirkin" <mst@...hat.com>, jasowang@...hat.com, kvm@...r.kernel.org, virtualization@...ts.linux-foundation.org, netdev@...r.kernel.org, oss-security@...ts.openwall.com Subject: Re: [PATCH AUTOSEL 5.15 13/16] vdpa: clean up get_config_size ret value handling The mitre.org page https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-0998 says this is a fix for CVE-2022-0998 but if you apply it by itself it creates a serious security problem. Originally this bug only affected 32 bit systems but this patch will change it to affect everyone. You need to apply commit 3ed21c1451a1 ("vdpa: check that offsets are within bounds"). https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=3ed21c1451a14d139e1ceb18f2fa70865ce3195a I don't know if this affects anyone, but it seemed worth mentioning. regards, dan carpenter On Sat, Jan 22, 2022 at 07:12:12PM -0500, Sasha Levin wrote: > From: Laura Abbott <labbott@...nel.org> > > [ Upstream commit 870aaff92e959e29d40f9cfdb5ed06ba2fc2dae0 ] > > The return type of get_config_size is size_t so it makes > sense to change the type of the variable holding its result. > > That said, this already got taken care of (differently, and arguably > not as well) by commit 3ed21c1451a1 ("vdpa: check that offsets are > within bounds"). > > The added 'c->off > size' test in that commit will be done as an > unsigned comparison on 32-bit (safe due to not being signed). > > On a 64-bit platform, it will be done as a signed comparison, but in > that case the comparison will be done in 64-bit, and 'c->off' being an > u32 it will be valid thanks to the extended range (ie both values will > be positive in 64 bits). > > So this was a real bug, but it was already addressed and marked for stable. > > Signed-off-by: Laura Abbott <labbott@...nel.org> > Reported-by: Luo Likang <luolikang@...ocus.com> > Signed-off-by: Michael S. Tsirkin <mst@...hat.com> > Signed-off-by: Sasha Levin <sashal@...nel.org> > --- > drivers/vhost/vdpa.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/vhost/vdpa.c b/drivers/vhost/vdpa.c > index d62f05d056b7b..913cd465f9f1e 100644 > --- a/drivers/vhost/vdpa.c > +++ b/drivers/vhost/vdpa.c > @@ -195,7 +195,7 @@ static int vhost_vdpa_config_validate(struct vhost_vdpa *v, > struct vhost_vdpa_config *c) > { > struct vdpa_device *vdpa = v->vdpa; > - long size = vdpa->config->get_config_size(vdpa); > + size_t size = vdpa->config->get_config_size(vdpa); > > if (c->len == 0 || c->off > size) > return -EINVAL; > -- > 2.34.1 > >
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.