lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Sat, 2 Apr 2022 06:57:49 +0300 From: Dan Carpenter <dan.carpenter@...cle.com> To: Sasha Levin <sashal@...nel.org> Cc: linux-kernel@...r.kernel.org, stable@...r.kernel.org, Laura Abbott <labbott@...nel.org>, Luo Likang <luolikang@...ocus.com>, "Michael S . Tsirkin" <mst@...hat.com>, jasowang@...hat.com, kvm@...r.kernel.org, virtualization@...ts.linux-foundation.org, netdev@...r.kernel.org, oss-security@...ts.openwall.com Subject: Re: [PATCH AUTOSEL 5.15 13/16] vdpa: clean up get_config_size ret value handling The mitre.org page https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-0998 says this is a fix for CVE-2022-0998 but if you apply it by itself it creates a serious security problem. Originally this bug only affected 32 bit systems but this patch will change it to affect everyone. You need to apply commit 3ed21c1451a1 ("vdpa: check that offsets are within bounds"). https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=3ed21c1451a14d139e1ceb18f2fa70865ce3195a I don't know if this affects anyone, but it seemed worth mentioning. regards, dan carpenter On Sat, Jan 22, 2022 at 07:12:12PM -0500, Sasha Levin wrote: > From: Laura Abbott <labbott@...nel.org> > > [ Upstream commit 870aaff92e959e29d40f9cfdb5ed06ba2fc2dae0 ] > > The return type of get_config_size is size_t so it makes > sense to change the type of the variable holding its result. > > That said, this already got taken care of (differently, and arguably > not as well) by commit 3ed21c1451a1 ("vdpa: check that offsets are > within bounds"). > > The added 'c->off > size' test in that commit will be done as an > unsigned comparison on 32-bit (safe due to not being signed). > > On a 64-bit platform, it will be done as a signed comparison, but in > that case the comparison will be done in 64-bit, and 'c->off' being an > u32 it will be valid thanks to the extended range (ie both values will > be positive in 64 bits). > > So this was a real bug, but it was already addressed and marked for stable. > > Signed-off-by: Laura Abbott <labbott@...nel.org> > Reported-by: Luo Likang <luolikang@...ocus.com> > Signed-off-by: Michael S. Tsirkin <mst@...hat.com> > Signed-off-by: Sasha Levin <sashal@...nel.org> > --- > drivers/vhost/vdpa.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/vhost/vdpa.c b/drivers/vhost/vdpa.c > index d62f05d056b7b..913cd465f9f1e 100644 > --- a/drivers/vhost/vdpa.c > +++ b/drivers/vhost/vdpa.c > @@ -195,7 +195,7 @@ static int vhost_vdpa_config_validate(struct vhost_vdpa *v, > struct vhost_vdpa_config *c) > { > struct vdpa_device *vdpa = v->vdpa; > - long size = vdpa->config->get_config_size(vdpa); > + size_t size = vdpa->config->get_config_size(vdpa); > > if (c->len == 0 || c->off > size) > return -EINVAL; > -- > 2.34.1 > >
Powered by blists - more mailing lists