Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Sat, 2 Apr 2022 06:57:49 +0300
From: Dan Carpenter <dan.carpenter@...cle.com>
To: Sasha Levin <sashal@...nel.org>
Cc: linux-kernel@...r.kernel.org, stable@...r.kernel.org,
        Laura Abbott <labbott@...nel.org>, Luo Likang <luolikang@...ocus.com>,
        "Michael S . Tsirkin" <mst@...hat.com>, jasowang@...hat.com,
        kvm@...r.kernel.org, virtualization@...ts.linux-foundation.org,
        netdev@...r.kernel.org, oss-security@...ts.openwall.com
Subject: Re: [PATCH AUTOSEL 5.15 13/16] vdpa: clean up get_config_size ret
 value handling

The mitre.org page

https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-0998

says this is a fix for CVE-2022-0998 but if you apply it by itself it
creates a serious security problem.  Originally this bug only affected
32 bit systems but this patch will change it to affect everyone.

You need to apply commit 3ed21c1451a1 ("vdpa: check that offsets are
within bounds").

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=3ed21c1451a14d139e1ceb18f2fa70865ce3195a

I don't know if this affects anyone, but it seemed worth mentioning.

regards,
dan carpenter

On Sat, Jan 22, 2022 at 07:12:12PM -0500, Sasha Levin wrote:
> From: Laura Abbott <labbott@...nel.org>
> 
> [ Upstream commit 870aaff92e959e29d40f9cfdb5ed06ba2fc2dae0 ]
> 
> The return type of get_config_size is size_t so it makes
> sense to change the type of the variable holding its result.
> 
> That said, this already got taken care of (differently, and arguably
> not as well) by commit 3ed21c1451a1 ("vdpa: check that offsets are
> within bounds").
> 
> The added 'c->off > size' test in that commit will be done as an
> unsigned comparison on 32-bit (safe due to not being signed).
> 
> On a 64-bit platform, it will be done as a signed comparison, but in
> that case the comparison will be done in 64-bit, and 'c->off' being an
> u32 it will be valid thanks to the extended range (ie both values will
> be positive in 64 bits).
> 
> So this was a real bug, but it was already addressed and marked for stable.
> 
> Signed-off-by: Laura Abbott <labbott@...nel.org>
> Reported-by: Luo Likang <luolikang@...ocus.com>
> Signed-off-by: Michael S. Tsirkin <mst@...hat.com>
> Signed-off-by: Sasha Levin <sashal@...nel.org>
> ---
>  drivers/vhost/vdpa.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/vhost/vdpa.c b/drivers/vhost/vdpa.c
> index d62f05d056b7b..913cd465f9f1e 100644
> --- a/drivers/vhost/vdpa.c
> +++ b/drivers/vhost/vdpa.c
> @@ -195,7 +195,7 @@ static int vhost_vdpa_config_validate(struct vhost_vdpa *v,
>  				      struct vhost_vdpa_config *c)
>  {
>  	struct vdpa_device *vdpa = v->vdpa;
> -	long size = vdpa->config->get_config_size(vdpa);
> +	size_t size = vdpa->config->get_config_size(vdpa);
>  
>  	if (c->len == 0 || c->off > size)
>  		return -EINVAL;
> -- 
> 2.34.1
> 
> 

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.