diff mbox series

[CVE-2018-1118,Bionic,SRU,1/1] vhost: fix info leak due to uninitialized memory

Message ID 20180816090236.14963-2-po-hsu.lin@canonical.com
State New
Headers show
Series Fix for CVE-2018-1118 | expand

Commit Message

Po-Hsu Lin Aug. 16, 2018, 9:02 a.m. UTC 
From: "Michael S. Tsirkin" <mst@redhat.com>

CVE-2018-1118

struct vhost_msg within struct vhost_msg_node is copied to userspace.
Unfortunately it turns out on 64 bit systems vhost_msg has padding after
type which gcc doesn't initialize, leaking 4 uninitialized bytes to
userspace.

This padding also unfortunately means 32 bit users of this interface are
broken on a 64 bit kernel which will need to be fixed separately.

Fixes: CVE-2018-1118
Cc: stable@vger.kernel.org
Reported-by: Kevin Easton <kevin@guarana.org>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reported-by: syzbot+87cfa083e727a224754b@syzkaller.appspotmail.com
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
(cherry picked from commit 670ae9caaca467ea1bfd325cb2a5c98ba87f94ad)
Signed-off-by: Po-Hsu Lin <po-hsu.lin@canonical.com>
---
 drivers/vhost/vhost.c | 3 +++
 1 file changed, 3 insertions(+)
diff mbox series

Patch

diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c
index 31bdfd2..a922d3d 100644
--- a/drivers/vhost/vhost.c
+++ b/drivers/vhost/vhost.c
@@ -2383,6 +2383,9 @@  struct vhost_msg_node *vhost_new_msg(struct vhost_virtqueue *vq, int type)
 	struct vhost_msg_node *node = kmalloc(sizeof *node, GFP_KERNEL);
 	if (!node)
 		return NULL;
+
+	/* Make sure all padding within the structure is initialized. */
+	memset(&node->msg, 0, sizeof node->msg);
 	node->vq = vq;
 	node->msg.type = type;
 	return node;