debian-packaging
/
linux
8
0
Fork 0
Code Releases Activity

vhost: fix info leak due to uninitialized memory (CVE-2018-1118)

This commit is contained in:
Ben Hutchings 2018-06-25 23:53:25 +01:00
parent 8b18affd7b
commit 43505297af
3 changed files with 38 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
debian/changelog vendored
View File

@ -11,6 +11,7 @@ linux (4.17.2-1) UNRELEASED; urgency=medium
* [mips*] Increase RELOCATION_TABLE_SIZE to 0x00140000 (fixes FTBFS)
* Set ABI to 1
* [x86,arm64] Disable code signing for upload to unstable
* vhost: fix info leak due to uninitialized memory (CVE-2018-1118)
[ Romain Perier ]
* [x86] Enable DCN 1.0 Raven family (Closes #901349)

36
debian/patches/bugfix/all/vhost-fix-info-leak-due-to-uninitialized-memory.patch vendored Normal file
View File

@ -0,0 +1,36 @@
From: "Michael S. Tsirkin" <mst@redhat.com>
Date: Sat, 12 May 2018 00:33:10 +0300
Subject: vhost: fix info leak due to uninitialized memory
Origin: https://git.kernel.org/linus/670ae9caaca467ea1bfd325cb2a5c98ba87f94ad
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-1118
struct vhost_msg within struct vhost_msg_node is copied to userspace.
Unfortunately it turns out on 64 bit systems vhost_msg has padding after
type which gcc doesn't initialize, leaking 4 uninitialized bytes to
userspace.
This padding also unfortunately means 32 bit users of this interface are
broken on a 64 bit kernel which will need to be fixed separately.
Fixes: CVE-2018-1118
Cc: stable@vger.kernel.org
Reported-by: Kevin Easton <kevin@guarana.org>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reported-by: syzbot+87cfa083e727a224754b@syzkaller.appspotmail.com
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
---
drivers/vhost/vhost.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/vhost/vhost.c
+++ b/drivers/vhost/vhost.c
@@ -2345,6 +2345,9 @@ struct vhost_msg_node *vhost_new_msg(str
struct vhost_msg_node *node = kmalloc(sizeof *node, GFP_KERNEL);
if (!node)
return NULL;
+
+ /* Make sure all padding within the structure is initialized. */
+ memset(&node->msg, 0, sizeof node->msg);
node->vq = vq;
node->msg.type = type;
return node;

1
debian/patches/series vendored
View File

@ -125,6 +125,7 @@ features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch
# Security fixes
debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
bugfix/all/vhost-fix-info-leak-due-to-uninitialized-memory.patch
# Fix exported symbol versions
bugfix/all/module-disable-matching-missing-version-crc.patch