| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAJaqyWc58wnym96C79E-tG6yBvem5skE3M3vdzBxMYX0aNJVLQ@mail.gmail.com>
Date: Mon, 29 Sep 2025 08:07:03 +0200
From: Eugenio Perez Martin <eperezma@...hat.com>
To: "Colin King (gmail)" <colin.i.king@...il.com>
Cc: "Michael S. Tsirkin" <mst@...hat.com>, Jason Wang <jasowang@...hat.com>, virtualization@...ts.linux.dev,
kvm@...r.kernel.org, "netdev@...r.kernel.org" <netdev@...r.kernel.org>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: Re: vduse: add vq group support
On Sat, Sep 27, 2025 at 4:22 PM Colin King (gmail)
<colin.i.king@...il.com> wrote:
>
> Hi,
>
> Static analysis on linux-next has found an issue with the following commit:
>
> commit ffc3634b66967445f3368c3b53a42bccc52b2c7f
> Author: Eugenio Pérez <eperezma@...hat.com>
> Date: Thu Sep 25 11:13:32 2025 +0200
>
> vduse: add vq group support
>
>
> This issue is as follows in function vhost_vdpa_vring_ioct:
>
> case VHOST_VDPA_GET_VRING_GROUP: {
> u64 group;
>
> if (!ops->get_vq_group)
> return -EOPNOTSUPP;
> s.index = idx;
> group = ops->get_vq_group(vdpa, idx);
> if (group >= vdpa->ngroups || group > U32_MAX || group < 0)
> return -EIO;
> else if (copy_to_user(argp, &s, sizeof(s)))
> return -EFAULT;
> s.num = group;
> return 0;
> }
>
>
> The copy_to_user of struct s is copying a partially initialized struct
> s, field s.num contains garbage data from the stack and this is being
> copied back to user space. Field s.num should be assigned some value
> before the copy_to_user call to avoid uninitialized data from the stack
> being leaked to user space.
>
That's right! v5 of the patch fixes the issue.
Thanks!
Powered by blists - more mailing lists