Re: [PATCH v2] vduse: prevent uninitialized memory accesses

On Mon, Aug 29, 2022 at 3:34 PM Maxime Coquelin maxime.coquelin@redhat.com wrote:

If the VDUSE application provides a smaller config space than the driver expects, the driver may use uninitialized memory from the stack.

This patch prevents it by initializing the buffer passed by the driver to store the config value.

This fix addresses CVE-2022-2308.

Cc: xieyongji@bytedance.com Cc: stable@vger.kernel.org # v5.15+ Fixes: c8a6153b6c59 ("vduse: Introduce VDUSE - vDPA Device in Userspace")

Acked-by: Jason Wang jasowang@redhat.com Signed-off-by: Maxime Coquelin maxime.coquelin@redhat.com

Reviewed-by: Xie Yongji xieyongji@bytedance.com

Thanks, Yongji