Sasha Levin
2022-Jan-23 00:12 UTC
[PATCH AUTOSEL 5.15 13/16] vdpa: clean up get_config_size ret value handling
From: Laura Abbott <labbott at kernel.org>

[ Upstream commit 870aaff92e959e29d40f9cfdb5ed06ba2fc2dae0 ]

The return type of get_config_size is size_t so it makes sense to change the type of the variable holding its result.

That said, this already got taken care of (differently, and arguably not as well) by commit 3ed21c1451a1 ("vdpa: check that offsets are within bounds").

The added 'c->off > size' test in that commit will be done as an unsigned comparison on 32-bit (safe due to not being signed).

On a 64-bit platform, it will be done as a signed comparison, but in that case the comparison will be done in 64-bit, and 'c->off' being an u32 it will be valid thanks to the extended range (ie both values will be positive in 64 bits).

So this was a real bug, but it was already addressed and marked for stable.

Signed-off-by: Laura Abbott <labbott at kernel.org>
Reported-by: Luo Likang <luolikang at nsfocus.com>
Signed-off-by: Michael S. Tsirkin <mst at redhat.com>
Signed-off-by: Sasha Levin <sashal at kernel.org>
--- drivers/vhost/vdpa.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/vhost/vdpa.c b/drivers/vhost/vdpa.c index d62f05d056b7b..913cd465f9f1e 100644 --- a/drivers/vhost/vdpa.c +++ b/drivers/vhost/vdpa.c @@ -195,7 +195,7 @@ static int vhost_vdpa_config_validate(struct vhost_vdpa *v, struct vhost_vdpa_config *c) { struct vdpa_device *vdpa = v->vdpa; - long size = vdpa->config->get_config_size(vdpa); + size_t size = vdpa->config->get_config_size(vdpa); if (c->len == 0 || c->off > size) return -EINVAL; -- 2.34.1
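Review bot: the commit message should state outright that this patch requires commit 3ed21c1451a1 to be applied first, since the changed declaration in vhost_vdpa_config_validate() depends on it. With `size` declared as `size_t`, the `c->off > size` comparison in the context line below the change is unsigned on every platform, and any arithmetic on `size` after it can no longer produce a negative value, so that test is what carries the bounds check. The context shows the test is present in this tree, but a tree that picks this patch on its own would not have it. Suggest adding a line such as 'Requires: 3ed21c1451a1 ("vdpa: check that offsets are within bounds")' above the sign-offs so backporters take both.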
Dan Carpenter
2022-Apr-02 03:57 UTC
[PATCH AUTOSEL 5.15 13/16] vdpa: clean up get_config_size ret value handling
The mitre.org page https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-0998 says this is a fix for CVE-2022-0998 but if you apply it by itself it creates a serious security problem. Originally this bug only affected 32 bit systems but this patch will change it to affect everyone. You need to apply commit 3ed21c1451a1 ("vdpa: check that offsets are within bounds").

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=3ed21c1451a14d139e1ceb18f2fa70865ce3195a

I don't know if this affects anyone, but it seemed worth mentioning.

regards,
dan carpenter

On Sat, Jan 22, 2022 at 07:12:12PM -0500, Sasha Levin wrote:
> From: Laura Abbott <labbott at kernel.org>
>
> [ Upstream commit 870aaff92e959e29d40f9cfdb5ed06ba2fc2dae0 ]
>
> The return type of get_config_size is size_t so it makes
> sense to change the type of the variable holding its result.
>
> That said, this already got taken care of (differently, and arguably
> not as well) by commit 3ed21c1451a1 ("vdpa: check that offsets are
> within bounds").
>
> The added 'c->off > size' test in that commit will be done as an
> unsigned comparison on 32-bit (safe due to not being signed).
>
> On a 64-bit platform, it will be done as a signed comparison, but in
> that case the comparison will be done in 64-bit, and 'c->off' being an
> u32 it will be valid thanks to the extended range (ie both values will
> be positive in 64 bits).
>
> So this was a real bug, but it was already addressed and marked for stable.
>
> Signed-off-by: Laura Abbott <labbott at kernel.org>
> Reported-by: Luo Likang <luolikang at nsfocus.com>
> Signed-off-by: Michael S. Tsirkin <mst at redhat.com>
> Signed-off-by: Sasha Levin <sashal at kernel.org>
> --- > drivers/vhost/vdpa.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/vhost/vdpa.c b/drivers/vhost/vdpa.c > index d62f05d056b7b..913cd465f9f1e 100644 > --- a/drivers/vhost/vdpa.c > +++ b/drivers/vhost/vdpa.c 
> @@ -195,7 +195,7 @@ static int vhost_vdpa_config_validate(struct vhost_vdpa *v, > struct vhost_vdpa_config *c) > { > struct vdpa_device *vdpa = v->vdpa; > - long size = vdpa->config->get_config_size(vdpa); > + size_t size = vdpa->config->get_config_size(vdpa); > > if (c->len == 0 || c->off > size) > return -EINVAL; > -- > 2.34.1 > >
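A user-space model of the type question discussed in this thread, added here as an illustration; it is not kernel code and does not come from either message. `struct cfg` and the `validate_*` names are hypothetical, the 24-byte config size is constructed, and the `c->len > size - c->off` length check is an assumption about the rest of the function, which the page does not show.

```c
/* Added illustration, not kernel code. Fixed-width types stand in for the
 * kernel's long and size_t so each ABI can be modelled on one host. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for the u32 off/len fields of vhost_vdpa_config. */
struct cfg { uint32_t off, len; };

/* One validator per type of `size`. with_off_test selects whether the
 * 'c->off > size' test from the hunk context is applied. The 'size - off'
 * length check is an assumption; it is not shown on the page. */
#define DEFINE_VALIDATE(name, size_type)                                \
static int name(const struct cfg *c, size_type size, int with_off_test) \
{                                                                       \
	if (c->len == 0 || (with_off_test && c->off > size))            \
		return -EINVAL;                                         \
	if (c->len > size - c->off)                                     \
		return -E2BIG;                                          \
	return 0;                                                       \
}

DEFINE_VALIDATE(validate_long32, int32_t)    /* long on a 32-bit kernel   */
DEFINE_VALIDATE(validate_long64, int64_t)    /* long on a 64-bit kernel   */
DEFINE_VALIDATE(validate_sizet64, uint64_t)  /* size_t on a 64-bit kernel */

int main(void)
{
	/* Constructed request: offset 100 into a 24-byte config space. */
	const struct cfg c = { .off = 100, .len = 8 };

	for (int t = 0; t <= 1; t++) {
		printf("off > size test %s:\n", t ? "present" : "absent");
		printf("  long,   32-bit: %d\n", validate_long32(&c, 24, t));
		printf("  long,   64-bit: %d\n", validate_long64(&c, 24, t));
		printf("  size_t, 64-bit: %d\n", validate_sizet64(&c, 24, t));
	}
	return 0;
}
```

A return of 0 for this request means an out-of-range offset passed validation. In the model that happens for the 32-bit `long` and for `size_t` when the offset test is absent, and for none of the three types when it is present.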