Bug 1202573 - (CVE-2022-2308) VUL-0: CVE-2022-2308: kernel-source-azure,kernel-source,kernel-source-rt: undefined behavior or data leak in Virtio drivers with VDUSE
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assigned To: Takashi Iwai
QA Contact: Security Team bot
Depends on:
Reported: 2022-08-19 14:38 UTC by Hu
Modified: 2022-09-26 08:57 UTC (History)
CC List: 5 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Hu 2022-08-19 14:38:22 UTC

A flaw was found in vDPA with VDUSE backend. There are currently no checks in VDUSE kernel driver to ensure the size of the device config space is in line with the features advertised by the VDUSE userspace application. In case of a mismatch, Virtio drivers config read helpers do not initialize the memory indirectly passed to vduse_vdpa_get_config() returning uninitialized memory from the stack. This could cause undefined behavior or data leaks in Virtio drivers.
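Added example (editor's code, not from this bug report, the CVE text or the kernel tree): a small userspace model of the get_config bounds check described above, next to a driver-side read helper that hands it an uninitialized stack variable. The device, the helper and the function names are constructed for the illustration; the stale byte pattern stands in for whatever happened to be on the stack, since real uninitialized memory is not deterministic. The zero-fill-and-clamp variant is one possible hardening, labelled here as an assumption, not necessarily the fix that was eventually merged.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a VDUSE device's config space. config_size is what
 * the userspace app declared; nothing ties it to the features it advertised. */
struct vduse_dev_model {
    const uint8_t *config;
    unsigned int config_size;
};

typedef void (*get_config_fn)(const struct vduse_dev_model *, unsigned int,
                              void *, unsigned int);

/* Vulnerable shape: an out-of-range request returns without touching buf,
 * so the caller keeps whatever its buffer held before the call. */
static void get_config_vulnerable(const struct vduse_dev_model *dev,
                                  unsigned int offset, void *buf,
                                  unsigned int len)
{
    if (offset > dev->config_size || len > dev->config_size - offset)
        return;
    memcpy(buf, dev->config + offset, len);
}

/* Hardened shape (assumption, not the merged fix): zero the caller's buffer
 * first, then copy only the bytes that actually exist in the config space. */
static void get_config_hardened(const struct vduse_dev_model *dev,
                                unsigned int offset, void *buf,
                                unsigned int len)
{
    memset(buf, 0, len);                 /* nothing stale can reach the caller */
    if (offset > dev->config_size)
        return;
    if (len > dev->config_size - offset)
        len = dev->config_size - offset; /* partial read: in-range tail only */
    memcpy(buf, dev->config + offset, len);
}

/* Model of a virtio config read helper: a 32-bit field is read into a local
 * variable that is passed down uninitialized. STALE is a deterministic
 * stand-in for stack garbage. */
#define STALE 0xA5u

static uint32_t read_config_u32(get_config_fn get_config,
                                const struct vduse_dev_model *dev,
                                unsigned int offset)
{
    uint8_t raw[4];
    memset(raw, STALE, sizeof raw);      /* "uninitialized" stack contents */
    get_config(dev, offset, raw, sizeof raw);
    return (uint32_t)raw[0] | (uint32_t)raw[1] << 8 |
           (uint32_t)raw[2] << 16 | (uint32_t)raw[3] << 24;
}

/* Count bytes of a returned value that still carry the stale pattern. */
static unsigned int stale_bytes(uint32_t v)
{
    unsigned int n = 0;
    for (int i = 0; i < 4; i++)
        n += ((v >> (8 * i)) & 0xffu) == STALE;
    return n;
}

/* Constructed device: the app declared a 4-byte config, but a driver going
 * by the advertised features expects an 8-byte layout and reads past it. */
static const uint8_t sample_config[4] = { 0x11, 0x22, 0x33, 0x44 };
static const struct vduse_dev_model sample_dev = { sample_config,
                                                   sizeof sample_config };

static uint32_t vulnerable_read_at(unsigned int offset)
{
    return read_config_u32(get_config_vulnerable, &sample_dev, offset);
}

static uint32_t hardened_read_at(unsigned int offset)
{
    return read_config_u32(get_config_hardened, &sample_dev, offset);
}

int main(void)
{
    printf("in range  : vulnerable=%08x hardened=%08x\n",
           vulnerable_read_at(0), hardened_read_at(0));
    printf("past end  : vulnerable=%08x hardened=%08x\n",
           vulnerable_read_at(4), hardened_read_at(4));
    printf("straddling: vulnerable=%08x hardened=%08x\n",
           vulnerable_read_at(2), hardened_read_at(2));
    return 0;
}
```

With the 4-byte device, the in-range read at offset 0 is identical for both variants; the read at offset 4 (the field the driver expects from the feature bits) comes back as four stale bytes from the vulnerable shape and as zeros from the hardened one, and a read straddling the end (offset 2) returns the two real bytes followed by zeros instead of four stale bytes.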

Comment 1 Hu 2022-08-19 15:03:21 UTC
There is not much more information unfortunately.

The vduse backend is only in stable but there it is missing the last two commits
from here: https://github.com/torvalds/linux/commits/ad146355bfad627bd0717ece73997c6c93b1b82e/drivers/vdpa/vdpa_user/vduse_dev.c

I am not 100% sure if these are the fixing commits. What do you think?
Comment 2 Takashi Iwai 2022-08-19 15:56:50 UTC
I don't think the fix is applied in the upstream.

Maybe something like below was considered?

--- a/drivers/vdpa/vdpa_user/vduse_dev.c
+++ b/drivers/vdpa/vdpa_user/vduse_dev.c
@@ -674,8 +674,10 @@ static void vduse_vdpa_get_config(struct vdpa_device *vdpa, unsigned int offset,
 	struct vduse_dev *dev = vdpa_to_vduse(vdpa);
 	if (offset > dev->config_size ||
-	    len > dev->config_size - offset)
+	    len > dev->config_size - offset) {
+		memset(buf, 0, len);
+	}
 	memcpy(buf, dev->config + offset, len);
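Review bot: after the added memset the bounds-check branch falls straight through to the memcpy on the next line, so an out-of-range offset/len still copies past dev->config into buf, which is worse than the silent return the check originally guarded. Either return after zero-filling (`memset(buf, 0, len); return;`) or move the memcpy into an else branch. Note also that the header claims 8 old / 10 new lines but only 7 are visible, so the branch body (including any existing `return`) may have been lost in extraction; the hunk as shown should not be applied as-is.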
Comment 3 Takashi Iwai 2022-08-22 11:46:05 UTC
Can we get more details about the bug itself?  Without knowing the problem itself, it can't be fixed at all.
Comment 4 Hu 2022-08-29 11:04:10 UTC
Someone asked at rh and they replied that the fix is not upstream yet.
Comment 5 Karasulli 2022-09-01 12:51:22 UTC
Fix doesn't seem to be applied upstream yet.

Reassigning to a concrete person to ensure progress [1] (feel free to pass to next one), see also the process at [2].
[1] https://confluence.suse.com/display/KSS/Kernel+Security+Sentinel
[2] https://wiki.suse.net/index.php/SUSE-Labs/Kernel/Security
Comment 6 Takashi Iwai 2022-09-05 15:50:03 UTC
The upstream submission (v3):
Comment 7 Takashi Iwai 2022-09-06 12:44:55 UTC
The fix is pushed to my stable/for-next branch.
Comment 8 Jiri Slaby 2022-09-26 08:57:21 UTC
FYI: no indication of when this will be merged upstream, I pushed to master too. (As 6.0-final is approaching.)