| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20220402035749.GA31424@kili>
Date: Sat, 2 Apr 2022 06:57:49 +0300
From: Dan Carpenter <dan.carpenter@...cle.com>
To: Sasha Levin <sashal@...nel.org>
Cc: linux-kernel@...r.kernel.org, stable@...r.kernel.org,
Laura Abbott <labbott@...nel.org>,
Luo Likang <luolikang@...ocus.com>,
"Michael S . Tsirkin" <mst@...hat.com>, jasowang@...hat.com,
kvm@...r.kernel.org, virtualization@...ts.linux-foundation.org,
netdev@...r.kernel.org, oss-security@...ts.openwall.com
Subject: Re: [PATCH AUTOSEL 5.15 13/16] vdpa: clean up get_config_size ret
value handling
The mitre.org page
https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-0998
says this is a fix for CVE-2022-0998 but if you apply it by itself it
creates a serious security problem. Originally this bug only affected
32 bit systems but this patch will change it to affect everyone.
You need to apply commit 3ed21c1451a1 ("vdpa: check that offsets are
within bounds").
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=3ed21c1451a14d139e1ceb18f2fa70865ce3195a
I don't know if this affects anyone, but it seemed worth mentioning.
regards,
dan carpenter
On Sat, Jan 22, 2022 at 07:12:12PM -0500, Sasha Levin wrote:
> From: Laura Abbott <labbott@...nel.org>
>
> [ Upstream commit 870aaff92e959e29d40f9cfdb5ed06ba2fc2dae0 ]
>
> The return type of get_config_size is size_t so it makes
> sense to change the type of the variable holding its result.
>
> That said, this already got taken care of (differently, and arguably
> not as well) by commit 3ed21c1451a1 ("vdpa: check that offsets are
> within bounds").
>
> The added 'c->off > size' test in that commit will be done as an
> unsigned comparison on 32-bit (safe due to not being signed).
>
> On a 64-bit platform, it will be done as a signed comparison, but in
> that case the comparison will be done in 64-bit, and 'c->off' being an
> u32 it will be valid thanks to the extended range (ie both values will
> be positive in 64 bits).
>
> So this was a real bug, but it was already addressed and marked for stable.
>
> Signed-off-by: Laura Abbott <labbott@...nel.org>
> Reported-by: Luo Likang <luolikang@...ocus.com>
> Signed-off-by: Michael S. Tsirkin <mst@...hat.com>
> Signed-off-by: Sasha Levin <sashal@...nel.org>
> ---
> drivers/vhost/vdpa.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/vhost/vdpa.c b/drivers/vhost/vdpa.c
> index d62f05d056b7b..913cd465f9f1e 100644
> --- a/drivers/vhost/vdpa.c
> +++ b/drivers/vhost/vdpa.c
> @@ -195,7 +195,7 @@ static int vhost_vdpa_config_validate(struct vhost_vdpa *v,
> struct vhost_vdpa_config *c)
> {
> struct vdpa_device *vdpa = v->vdpa;
> - long size = vdpa->config->get_config_size(vdpa);
> + size_t size = vdpa->config->get_config_size(vdpa);
>
> if (c->len == 0 || c->off > size)
> return -EINVAL;
> --
> 2.34.1
>
>
Powered by blists - more mailing lists