diff --git a/patches.suse/vduse-prevent-uninitialized-memory-accesses.patch b/patches.suse/vduse-prevent-uninitialized-memory-accesses.patch
new file mode 100644
index 0000000..f1447a4
--- /dev/null
+++ b/patches.suse/vduse-prevent-uninitialized-memory-accesses.patch
@@ -0,0 +1,47 @@
+From: Maxime Coquelin
+Date: Wed, 31 Aug 2022 17:49:23 +0200
+Subject: [PATCH] vduse: prevent uninitialized memory accesses
+Message-Id: <20220831154923.97809-1-maxime.coquelin@redhat.com>
+Patch-mainline: Submitted, virtualization ML
+References: CVE-2022-2308 bsc#1202573
+
+If the VDUSE application provides a smaller config space
+than the driver expects, the driver may use uninitialized
+memory from the stack.
+
+This patch prevents it by initializing the buffer passed by
+the driver to store the config value.
+
+This fix addresses CVE-2022-2308.
+
+Cc: stable@vger.kernel.org # v5.15+
+Fixes: c8a6153b6c59 ("vduse: Introduce VDUSE - vDPA Device in Userspace")
+Reviewed-by: Xie Yongji
+Acked-by: Jason Wang
+Signed-off-by: Maxime Coquelin
+Signed-off-by: Takashi Iwai
+
+---
+ drivers/vdpa/vdpa_user/vduse_dev.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/drivers/vdpa/vdpa_user/vduse_dev.c
++++ b/drivers/vdpa/vdpa_user/vduse_dev.c
+@@ -673,10 +673,15 @@
+ {
+ struct vduse_dev *dev = vdpa_to_vduse(vdpa);
+
+- if (offset > dev->config_size ||
+- len > dev->config_size - offset)
++ /* Initialize the buffer in case of partial copy. */
++ memset(buf, 0, len);
++
++ if (offset > dev->config_size)
+ return;
+
++ if (len > dev->config_size - offset)
++ len = dev->config_size - offset;
++
+ memcpy(buf, dev->config + offset, len);
+ }
+
diff --git a/series.conf b/series.conf
index 8adf0de..bcd9481 100644
--- a/series.conf
+++ b/series.conf
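Review bot: The added comment `/* Initialize the buffer in case of partial copy. */` in the vduse_dev.c hunk says what the memset does but not why it is needed, and a reader of the driver will not learn from it that `dev->config_size` is chosen by the userspace VDUSE application and may be shorter than the config the virtio driver asks for. I would extend it to `/* config_size is set by the VDUSE application and may be shorter than the length the driver requests; zero-fill first so a clamped copy never leaves stale stack bytes in buf. */`, which ties the zero-fill to the clamping of len two statements later. The clamp silently truncates rather than reporting an error, which is presumably the intended behaviour for a void getter, but a one-line remark next to the `len = dev->config_size - offset;` assignment would make that deliberate. The enclosing function's signature lies outside the hunk (the hunk opens at the brace), so the types of `offset` and `len`, and hence whether the first comparison is fully safe, cannot be confirmed from here.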
@@ -71,6 +71,7 @@ # to area specific sections below.
 ########################################################
 patches.suse/watchdog-wdat_wdt-fix-min-max-timer-value.patch
+ patches.suse/vduse-prevent-uninitialized-memory-accesses.patch
 ########################################################
 # kbuild/module infrastructure fixes