Bug 1202573 – VUL-0: CVE-2022-2308: kernel-source-azure,kernel-source,kernel-source-rt: undefined behavior or data leak in Virtio drivers with VDUSE

Bug 1202573 - (CVE-2022-2308) VUL-0: CVE-2022-2308: kernel-source-azure,kernel-source,kernel-source-rt: undefined behavior or data leak in Virtio drivers with VDUSE

(CVE-2022-2308)
Summary:	VUL-0: CVE-2022-2308: kernel-source-azure,kernel-source,kernel-source-rt: und...

Status:	RESOLVED FIXED

Classification:	Novell Products
Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Normal
Target Milestone:	---
Assigned To:	Takashi Iwai
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/340315/
Whiteboard:
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2022-08-19 14:38 UTC by Hu
Modified:	2022-09-26 08:57 UTC (History)
CC List:	5 users (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Hu 2022-08-19 14:38:22 UTC

rh#2103900

A flaw was found in vDPA with VDUSE backend. There are currently no checks in VDUSE kernel driver to ensure the size of the device config space is in line with the features advertised by the VDUSE userspace application. In case of a mismatch, Virtio drivers config read helpers do not initialize the memory indirectly passed to vduse_vdpa_get_config() returning uninitialized memory from the stack. This could cause undefined behavior or data leaks in Virtio drivers.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=2103900
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-2308

Comment 1 Hu 2022-08-19 15:03:21 UTC

There is not much more information unfortunately.

The vduse backend is only in stable but there it is missing the last two commits
from here: https://github.com/torvalds/linux/commits/ad146355bfad627bd0717ece73997c6c93b1b82e/drivers/vdpa/vdpa_user/vduse_dev.c

I am not 100% sure if these are the fixing commits. What do you think?

Comment 2 Takashi Iwai 2022-08-19 15:56:50 UTC

I don't think the fix is applied in the upstream.

Maybe something like below was considered?

--- a/drivers/vdpa/vdpa_user/vduse_dev.c
+++ b/drivers/vdpa/vdpa_user/vduse_dev.c
@@ -674,8 +674,10 @@ static void vduse_vdpa_get_config(struct vdpa_device *vdpa, unsigned int offset,
 	struct vduse_dev *dev = vdpa_to_vduse(vdpa);
 
 	if (offset > dev->config_size ||
-	    len > dev->config_size - offset)
+	    len > dev->config_size - offset) {
+		memset(buf, 0, len);
 		return;
+	}
 
 	memcpy(buf, dev->config + offset, len);
 }

Comment 3 Takashi Iwai 2022-08-22 11:46:05 UTC

Can we get more details about the bug itself?  Without knowing the problem itself, it can't be fixed at all.

Comment 4 Hu 2022-08-29 11:04:10 UTC

Someone asked at rh and they replied that the fix is not upstream yet.

Comment 5 Karasulli 2022-09-01 12:51:22 UTC

Fix doesn't seem to be applied upstream yet.

Reassigning to a concrete person to ensure progress [1] (feel free to pass to next one), see also the process at [2].
 
[1] https://confluence.suse.com/display/KSS/Kernel+Security+Sentinel
[2] https://wiki.suse.net/index.php/SUSE-Labs/Kernel/Security

Comment 6 Takashi Iwai 2022-09-05 15:50:03 UTC

The upstream submission (v3):
  https://lore.kernel.org/r/20220831154923.97809-1-maxime.coquelin@redhat.com

Comment 7 Takashi Iwai 2022-09-06 12:44:55 UTC

The fix is pushed to my stable/for-next branch.

Comment 8 Jiri Slaby 2022-09-26 08:57:21 UTC

FYI: no indication of when this will be merged upstream, I pushed to master too. (As 6.0-final is approaching.)