The mitre.org page
https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-0998
says this is a fix for CVE-2022-0998 but if you apply it by itself it creates a serious security problem. Originally this bug only affected 32 bit systems but this patch will change it to affect everyone.
You need to apply commit 3ed21c1451a1 ("vdpa: check that offsets are within bounds").
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i...
I don't know if this affects anyone, but it seemed worth mentioning.
regards, dan carpenter
On Sat, Jan 22, 2022 at 07:12:12PM -0500, Sasha Levin wrote:
From: Laura Abbott labbott@kernel.org
[ Upstream commit 870aaff92e959e29d40f9cfdb5ed06ba2fc2dae0 ]
The return type of get_config_size is size_t so it makes sense to change the type of the variable holding its result.
That said, this already got taken care of (differently, and arguably not as well) by commit 3ed21c1451a1 ("vdpa: check that offsets are within bounds").
The added 'c->off > size' test in that commit will be done as an unsigned comparison on 32-bit (safe due to not being signed).
On a 64-bit platform, it will be done as a signed comparison, but in that case the comparison will be done in 64-bit, and 'c->off' being an u32 it will be valid thanks to the extended range (ie both values will be positive in 64 bits).
So this was a real bug, but it was already addressed and marked for stable.
Signed-off-by: Laura Abbott labbott@kernel.org Reported-by: Luo Likang luolikang@nsfocus.com Signed-off-by: Michael S. Tsirkin mst@redhat.com Signed-off-by: Sasha Levin sashal@kernel.org
drivers/vhost/vdpa.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/vhost/vdpa.c b/drivers/vhost/vdpa.c index d62f05d056b7b..913cd465f9f1e 100644 --- a/drivers/vhost/vdpa.c +++ b/drivers/vhost/vdpa.c @@ -195,7 +195,7 @@ static int vhost_vdpa_config_validate(struct vhost_vdpa *v, struct vhost_vdpa_config *c) { struct vdpa_device *vdpa = v->vdpa;
- long size = vdpa->config->get_config_size(vdpa);
- size_t size = vdpa->config->get_config_size(vdpa);
if (c->len == 0 || c->off > size) return -EINVAL; -- 2.34.1