Open Source and information security mailing list archives
Message-ID: <52c76446-117d-4953-9b33-32199f782b90@gmail.com>
Date: Sat, 27 Sep 2025 15:21:37 +0100
From: "Colin King (gmail)" <colin.i.king@...il.com>
To: Eugenio Pérez <eperezma@...hat.com>,
 "Michael S. Tsirkin" <mst@...hat.com>, Jason Wang <jasowang@...hat.com>,
 virtualization@...ts.linux.dev, kvm@...r.kernel.org,
 "netdev@...r.kernel.org" <netdev@...r.kernel.org>
Cc: "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: re: vduse: add vq group support

Hi,

Static analysis on linux-next has found an issue with the following commit:

commit ffc3634b66967445f3368c3b53a42bccc52b2c7f
Author: Eugenio Pérez <eperezma@...hat.com>
Date:   Thu Sep 25 11:13:32 2025 +0200

     vduse: add vq group support


This issue is as follows in function vhost_vdpa_vring_ioctl:

         case VHOST_VDPA_GET_VRING_GROUP: {
                 u64 group;

                 if (!ops->get_vq_group)
                         return -EOPNOTSUPP;
                 s.index = idx;
                 group = ops->get_vq_group(vdpa, idx);
                 if (group >= vdpa->ngroups || group > U32_MAX || group < 0)
                         return -EIO;
                 else if (copy_to_user(argp, &s, sizeof(s)))
                         return -EFAULT;
                 s.num = group;
                 return 0;
         }


The copy_to_user of struct s is copying a partially initialized struct s: field s.num contains garbage data from the stack, and this is being copied back to user space. Field s.num should be assigned some value before the copy_to_user call to avoid uninitialized data from the stack being leaked to user space.

Colin
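A stand-alone C model of the ordering bug described in the report, added to this archive page and not taken from the kernel or from the patch under discussion: the struct and function names are made up, and the stack slot of `s` is simulated with a struct pre-filled with a fixed pattern so the leaked field is deterministic and the comparison contains no undefined behaviour.

```c
#include <stdint.h>
#include <string.h>

/* Mirrors the two 32-bit fields of the kernel's struct vhost_vring_state. */
struct vring_state {
    uint32_t index;
    uint32_t num;
};

/* Stands in for whatever the stack slot of `s` held before the function ran.
 * 0xAA is the byte CONFIG_INIT_STACK_ALL_PATTERN fills locals with, so a leaked
 * field shows up as 0xAAAAAAAA instead of unpredictable garbage. */
#define STALE_PATTERN 0xAA

/* Buggy ordering as in the report: copy out first, assign s.num afterwards.
 * `s` models the stack slot, `user` models the user-space destination. */
static int get_vring_group_buggy(struct vring_state *s, uint32_t idx, uint64_t group,
                                 struct vring_state *user)
{
    s->index = idx;
    memcpy(user, s, sizeof(*s));          /* copy_to_user(argp, &s, sizeof(s)) */
    s->num = (uint32_t)group;             /* too late: user already has stale num */
    return 0;
}

/* Corrected ordering: fully populate the struct before it leaves the kernel. */
static int get_vring_group_fixed(struct vring_state *s, uint32_t idx, uint64_t group,
                                 struct vring_state *user)
{
    if (group > UINT32_MAX)
        return -1;                        /* num is only 32 bits wide */
    s->index = idx;
    s->num = (uint32_t)group;
    memcpy(user, s, sizeof(*s));
    return 0;
}

/* Runs one variant against a poisoned stack slot; returns 1 if the copied-out
 * num field does not hold the group id (stale data leaked), 0 if it does,
 * -1 if the variant rejected the request. */
static int leaks_stale_num(int (*fn)(struct vring_state *, uint32_t, uint64_t,
                                     struct vring_state *),
                           uint32_t idx, uint64_t group)
{
    struct vring_state slot, user;
    memset(&slot, STALE_PATTERN, sizeof(slot));   /* simulated leftover stack data */
    memset(&user, 0, sizeof(user));
    if (fn(&slot, idx, group, &user) != 0)
        return -1;
    return user.num != (uint32_t)group;
}
```

The same pre-poisoning idea is what KMSAN and pattern-initialised stacks rely on to make this class of leak visible at runtime rather than only to static analysis.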

