Bug 1197247 - (CVE-2022-0998) VUL-0: CVE-2022-0998: kernel-source-azure,kernel-source,kernel-source-rt: kernel: an integer overflow in the vhost_vdpa_config_validate() can lead to out-of-bounds access on top of a 32-bit Linux kernel
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Major
Target Milestone: ---
Assigned To: Security Team bot
https://smash.suse.de/issue/326509/
CVSSv3.1:SUSE:CVE-2022-0998:7.0:(AV:L...
Depends on:
Blocks: 1197338
Reported: 2022-03-17 15:59 UTC by Alexander Bergmann
Modified: 2022-08-01 08:32 UTC (History)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Alexander Bergmann 2022-03-17 15:59:21 UTC
rh#2057506

An out-of-bounds (OOB) memory access flaw was found in the Linux kernel's guest virtio device driver code (if this code is enabled with the CONFIG_VHOST_VDPA kernel config parameter).
An integer overflow in the vhost_vdpa_config_validate function can lead to out-of-bounds access on top of a 32-bit Linux kernel.

Reference:
https://lore.kernel.org/netdev/20220123001216.2460383-13-sashal@kernel.org/

References:
https://bugzilla.redhat.com/show_bug.cgi?id=2057506
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-0998
Comment 1 Takashi Iwai 2022-03-17 16:19:52 UTC
As the problem is only on 32-bit, basically only TW (i386, armv7hl) and Leap 15.x (armv7hl) are affected. The actual fix (commit 3ed21c1451a1) is already in 5.16, so TW is fine. And SLE15-SP4 already has the fix via git-fixes.
Comment 2 Takashi Iwai 2022-03-17 16:25:27 UTC
... and vdpa driver doesn't exist on SLE15-SP3, so only SLE15-SP4.

I backported the given commit (which is rather a cleanup) and updated the patch reference on SLE15-SP4 branch now.

Reassigned back to security team.
Comment 4 Gianluca Gabrielli 2022-04-04 09:43:13 UTC
Someone from Oracle reported the following in the OSSS ML:

> The mitre.org page
> 
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-0998
> 
> says this is a fix for CVE-2022-0998 but if you apply it by itself it
> creates a serious security problem.  Originally this bug only affected
> 32 bit systems but this patch will change it to affect everyone.
> 
> You need to apply commit 3ed21c1451a1 ("vdpa: check that offsets are
> within bounds").
> 
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=3ed21c1451a14d139e1ceb18f2fa70865ce3195a
> 
> I don't know if this affects anyone, but it seemed worth mentioning.
> 
> regards,
> dan carpenter

@Takashi: could you please double-check it?
Comment 5 Takashi Iwai 2022-04-04 12:00:21 UTC
The description in the CVE was pretty misleading, yes, and we have already done it the right way. The crucial fix, commit 3ed21c1451a1, was already in SLE15-SP4-GA.

Meanwhile the commit 870aaff92e95 is a "cleanup" patch, which doesn't change the actual behavior.  And this is found in SLE15-SP4 branch.

To avoid confusion, I'm going to mark the former patch (3ed21c1451a1) with the CVE number, and also take the latter cleanup fix (870aaff92e95) into SLE15-SP4-GA.
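To make concrete why the description says "32-bit" and why Dan Carpenter warns that the cleanup alone is not enough, here is an added illustration. It is not the kernel's source and not part of any comment above: a simplified model of the config-range check in vhost_vdpa_config_validate() with a constructed CONFIG_SIZE and explicit fixed-width types standing in for the kernel's `long` and the u32 `off`/`len` fields. The first two functions run the pre-fix comparison `len > size - off` under a 32-bit and a 64-bit `long`; the third adds the offset bounds test that the commit named in Comment 4 ("vdpa: check that offsets are within bounds") introduces. The exact kernel wording may differ; the arithmetic is what matters.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed for this illustration: size of the device config space.
 * The real driver derives it from the virtio device type. */
#define CONFIG_SIZE 24

/* Pre-fix check as it behaves when `long` is 32 bits (i386, armv7hl).
 * `size` is signed 32-bit, `off`/`len` are u32 as in the uAPI struct.
 * In `size - off` the u32 operand wins the usual arithmetic conversions,
 * so the subtraction is done unsigned and wraps whenever off > size. */
static long validate_prefix_long32(uint32_t off, uint32_t len)
{
	int32_t size = CONFIG_SIZE;

	if (len == 0)
		return -EINVAL;
	if (len > size - off)		/* unsigned 32-bit arithmetic */
		return -E2BIG;
	return 0;			/* accepted, even if off is out of range */
}

/* Same check when `long` is 64 bits: `off` is promoted to a signed 64-bit
 * value, `size - off` goes negative, and an oversized offset is rejected.
 * This is why the bug only bites 32-bit kernels. */
static long validate_prefix_long64(uint32_t off, uint32_t len)
{
	int64_t size = CONFIG_SIZE;

	if (len == 0)
		return -EINVAL;
	if (len > size - off)		/* signed 64-bit arithmetic */
		return -E2BIG;
	return 0;
}

/* With an explicit offset bounds test the subtraction can no longer wrap,
 * regardless of the word size. Modelled here on the 32-bit case. */
static long validate_fixed(uint32_t off, uint32_t len)
{
	uint32_t size = CONFIG_SIZE;

	if (len == 0 || off > size)
		return -EINVAL;
	if (len > size - off)		/* off <= size, so no wrap */
		return -E2BIG;
	return 0;
}

int main(void)
{
	/* Constructed request: offset far past the end, small length. */
	uint32_t off = 100, len = 8;

	printf("32-bit pre-fix: %ld\n", validate_prefix_long32(off, len));
	printf("64-bit pre-fix: %ld\n", validate_prefix_long64(off, len));
	printf("with bounds check: %ld\n", validate_fixed(off, len));

	/* Offset chosen so that off + len wraps a 32-bit counter. */
	off = 0xFFFFFFF0u; len = 0x20;
	printf("32-bit pre-fix, wrapping offset: %ld\n",
	       validate_prefix_long32(off, len));
	return 0;
}
```

Applying only a type-cleanup change on top of the old comparison does not add the `off > size` test, so the wrapping subtraction stays reachable; the bounds check is the part that closes the hole, which is the point Comment 4 makes.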
Comment 8 Gabriele Sonnu 2022-04-07 09:40:14 UTC
Closing.