From patchwork Thu Aug 16 09:02:36 2018
X-Patchwork-Submitter: Po-Hsu Lin
X-Patchwork-Id: 958201
From: Po-Hsu Lin
To: kernel-team@lists.ubuntu.com
Subject: [CVE-2018-1118][Bionic][SRU][PATCH 1/1] vhost: fix info leak due to uninitialized memory
Date: Thu, 16 Aug 2018 17:02:36 +0800
Message-Id: <20180816090236.14963-2-po-hsu.lin@canonical.com>
In-Reply-To: <20180816090236.14963-1-po-hsu.lin@canonical.com>
References: <20180816090236.14963-1-po-hsu.lin@canonical.com>
From: "Michael S. Tsirkin" CVE-2018-1118 struct vhost_msg within struct vhost_msg_node is copied to userspace. Unfortunately it turns out on 64 bit systems vhost_msg has padding after type which gcc doesn't initialize, leaking 4 uninitialized bytes to userspace. This padding also unfortunately means 32 bit users of this interface are broken on a 64 bit kernel which will need to be fixed separately. Fixes: CVE-2018-1118 Cc: stable@vger.kernel.org Reported-by: Kevin Easton Signed-off-by: Michael S. Tsirkin Reported-by: syzbot+87cfa083e727a224754b@syzkaller.appspotmail.com Signed-off-by: Michael S. Tsirkin (cherry picked from commit 670ae9caaca467ea1bfd325cb2a5c98ba87f94ad) Signed-off-by: Po-Hsu Lin --- drivers/vhost/vhost.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c index 31bdfd2..a922d3d 100644 --- a/drivers/vhost/vhost.c +++ b/drivers/vhost/vhost.c @@ -2383,6 +2383,9 @@ struct vhost_msg_node *vhost_new_msg(struct vhost_virtqueue *vq, int type) struct vhost_msg_node *node = kmalloc(sizeof *node, GFP_KERNEL); if (!node) return NULL; + + /* Make sure all padding within the structure is initialized. */ + memset(&node->msg, 0, sizeof node->msg); node->vq = vq; node->msg.type = type; return node;
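Review bot: the memset of node->msg is placed before the node->msg.type store, so the padding the description blames (after type on 64-bit) and every other byte of the msg union are zeroed at the one allocation site all later writers of node->msg share; that is the right place for it, since zeroing only the padding bytes or trusting each caller to fill every field would break the moment a new message type or a wider union member is added. Two things the SRU description should still state: that the 32-bit-userspace-on-64-bit-kernel breakage it mentions is deliberately left for a separate patch rather than fixed here, and which read path copies node->msg to userspace, so a reviewer can confirm no other code constructs a vhost_msg without going through vhost_new_msg().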
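The padding problem the commit message describes, as an added example that is not part of this patch or of the vhost code: a stand-in struct (an assumed layout, a 32-bit `type` followed by 64-bit fields, chosen to reproduce the implicit padding after `type`; it is not the kernel's `struct vhost_msg`) is laid over a buffer pre-filled with a sentinel standing in for recycled heap contents. It is initialized once member by member, as the pre-patch code does, and once after the whole-struct `memset` the hunk adds, and the bytes that would reach userspace unchanged are counted in each case.

```c
/* Added example, not code from the patch or from drivers/vhost. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the message struct (assumption for illustration): a 32-bit
 * type followed by 64-bit fields.  On LP64 targets such as x86_64 Linux the
 * compiler inserts 4 padding bytes after 'type' to align 'iova'; that is the
 * padding the commit message describes. */
struct msg_like {
    int      type;
    uint64_t iova;
    uint64_t size;
    uint64_t uaddr;
};

/* Union gives the byte view of the same storage with correct alignment. */
union msg_buf {
    struct msg_like m;
    unsigned char raw[sizeof(struct msg_like)];
};

#define STALE 0xAA   /* constructed sentinel standing in for stale heap data */

/* Implicit padding bytes between 'type' and 'iova' (4 on LP64; may be 0 on
 * 32-bit x86, where uint64_t is only 4-byte aligned). */
size_t padding_after_type(void)
{
    return offsetof(struct msg_like, iova) - sizeof(int);
}

/* Member stores never touch padding bytes, so whatever the previous owner
 * of the memory left there survives. */
static void set_members(struct msg_like *m)
{
    m->type  = 1;
    m->iova  = 0x1000;
    m->size  = 0x1000;
    m->uaddr = 0;
}

/* Every surviving sentinel byte is a byte that a copy_to_user() of the whole
 * struct would hand to userspace unchanged. */
static size_t count_stale(const unsigned char *buf, size_t len)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++)
        if (buf[i] == STALE)
            n++;
    return n;
}

/* Pre-patch style: recycled allocation, then member-wise initialization. */
size_t stale_bytes_memberwise(void)
{
    union msg_buf u;
    memset(u.raw, STALE, sizeof u.raw);
    set_members(&u.m);
    return count_stale(u.raw, sizeof u.raw);
}

/* Offset of the first stale byte in the member-wise case (right after
 * 'type' on LP64), or SIZE_MAX when the layout has no padding. */
size_t first_stale_offset_memberwise(void)
{
    union msg_buf u;
    memset(u.raw, STALE, sizeof u.raw);
    set_members(&u.m);
    for (size_t i = 0; i < sizeof u.raw; i++)
        if (u.raw[i] == STALE)
            return i;
    return SIZE_MAX;
}

/* Patched style: zero the whole struct first, exactly as the hunk does,
 * then set the members. */
size_t stale_bytes_zeroed(void)
{
    union msg_buf u;
    memset(u.raw, STALE, sizeof u.raw);
    memset(&u.m, 0, sizeof u.m);   /* the fix from the hunk */
    set_members(&u.m);
    return count_stale(u.raw, sizeof u.raw);
}

int main(void)
{
    printf("padding after type: %zu byte(s)\n", padding_after_type());
    printf("member-wise init leaves %zu stale byte(s), first at offset %zu\n",
           stale_bytes_memberwise(), first_stale_offset_memberwise());
    printf("memset-then-init leaves %zu stale byte(s)\n", stale_bytes_zeroed());
    return 0;
}
```

On an x86_64 build `padding_after_type()` is 4, matching the "4 uninitialized bytes" in the description, and the member-wise path leaves exactly those bytes stale starting at offset 4, while the memset path leaves none. The same count-the-sentinel check works for any structure that is copied whole to userspace, which is why zeroing the entire object (whole-struct `memset` or `kzalloc`) at its single allocation site is the customary defence for data crossing the kernel/user boundary.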