37 lines
1.3 KiB
Diff
37 lines
1.3 KiB
Diff
From: "Michael S. Tsirkin" <mst@redhat.com>
|
|
Date: Sat, 12 May 2018 00:33:10 +0300
|
|
Subject: vhost: fix info leak due to uninitialized memory
|
|
Origin: https://git.kernel.org/linus/670ae9caaca467ea1bfd325cb2a5c98ba87f94ad
|
|
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-1118
|
|
|
|
struct vhost_msg within struct vhost_msg_node is copied to userspace.
|
|
Unfortunately it turns out on 64 bit systems vhost_msg has padding after
|
|
type which gcc doesn't initialize, leaking 4 uninitialized bytes to
|
|
userspace.
|
|
|
|
This padding also unfortunately means 32 bit users of this interface are
|
|
broken on a 64 bit kernel which will need to be fixed separately.
|
|
|
|
Fixes: CVE-2018-1118
|
|
Cc: stable@vger.kernel.org
|
|
Reported-by: Kevin Easton <kevin@guarana.org>
|
|
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
|
|
Reported-by: syzbot+87cfa083e727a224754b@syzkaller.appspotmail.com
|
|
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
|
|
---
|
|
drivers/vhost/vhost.c | 3 +++
|
|
1 file changed, 3 insertions(+)
|
|
|
|
--- a/drivers/vhost/vhost.c
|
|
+++ b/drivers/vhost/vhost.c
|
|
@@ -2345,6 +2345,9 @@ struct vhost_msg_node *vhost_new_msg(str
|
|
struct vhost_msg_node *node = kmalloc(sizeof *node, GFP_KERNEL);
|
|
if (!node)
|
|
return NULL;
|
|
+
|
|
+ /* Make sure all padding within the structure is initialized. */
|
|
+ memset(&node->msg, 0, sizeof node->msg);
|
|
node->vq = vq;
|
|
node->msg.type = type;
|
|
return node;
|