cve/published/2022/CVE-2022-49788.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-1.1.0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@kernel.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2022-49788: misc/vmw_vmci: fix an infoleak in vmci_host_do_receive_datagram()

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 misc/vmw_vmci: fix an infoleak in vmci_host_do_receive_datagram()

 `struct vmci_event_qp` allocated by qp_notify_peer() contains padding,
 which may carry uninitialized data to the userspace, as observed by
 KMSAN:

   BUG: KMSAN: kernel-infoleak in instrument_copy_to_user ./include/linux/instrumented.h:121
    instrument_copy_to_user ./include/linux/instrumented.h:121
    _copy_to_user+0x5f/0xb0 lib/usercopy.c:33
    copy_to_user ./include/linux/uaccess.h:169
    vmci_host_do_receive_datagram drivers/misc/vmw_vmci/vmci_host.c:431
    vmci_host_unlocked_ioctl+0x33d/0x43d0 drivers/misc/vmw_vmci/vmci_host.c:925
    vfs_ioctl fs/ioctl.c:51
   ...

   Uninit was stored to memory at:
    kmemdup+0x74/0xb0 mm/util.c:131
    dg_dispatch_as_host drivers/misc/vmw_vmci/vmci_datagram.c:271
    vmci_datagram_dispatch+0x4f8/0xfc0 drivers/misc/vmw_vmci/vmci_datagram.c:339
    qp_notify_peer+0x19a/0x290 drivers/misc/vmw_vmci/vmci_queue_pair.c:1479
    qp_broker_attach drivers/misc/vmw_vmci/vmci_queue_pair.c:1662
    qp_broker_alloc+0x2977/0x2f30 drivers/misc/vmw_vmci/vmci_queue_pair.c:1750
    vmci_qp_broker_alloc+0x96/0xd0 drivers/misc/vmw_vmci/vmci_queue_pair.c:1940
    vmci_host_do_alloc_queuepair drivers/misc/vmw_vmci/vmci_host.c:488
    vmci_host_unlocked_ioctl+0x24fd/0x43d0 drivers/misc/vmw_vmci/vmci_host.c:927
   ...

   Local variable ev created at:
    qp_notify_peer+0x54/0x290 drivers/misc/vmw_vmci/vmci_queue_pair.c:1456
    qp_broker_attach drivers/misc/vmw_vmci/vmci_queue_pair.c:1662
    qp_broker_alloc+0x2977/0x2f30 drivers/misc/vmw_vmci/vmci_queue_pair.c:1750

   Bytes 28-31 of 48 are uninitialized
   Memory access of size 48 starts at ffff888035155e00
   Data copied to user address 0000000020000100

 Use memset() to prevent the infoleaks.

 Also speculatively fix qp_notify_peer_local(), which may suffer from the
 same problem.

 The Linux kernel CVE team has assigned CVE-2022-49788 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 3.9 with commit 06164d2b72aa752ce4633184b3e0d97601017135 and fixed in 4.9.334 with commit 7ccf7229b96fadc3a185d1391f814a604c7ef609
 	Issue introduced in 3.9 with commit 06164d2b72aa752ce4633184b3e0d97601017135 and fixed in 4.14.300 with commit f04586c2315cfd03d72ad0395705435e7ed07b1a
 	Issue introduced in 3.9 with commit 06164d2b72aa752ce4633184b3e0d97601017135 and fixed in 4.19.267 with commit 5a275528025ae4bc7e2232866856dfebf84b2fad
 	Issue introduced in 3.9 with commit 06164d2b72aa752ce4633184b3e0d97601017135 and fixed in 5.4.225 with commit e7061dd1fef2dfb6458cd521aef27aa66f510d31
 	Issue introduced in 3.9 with commit 06164d2b72aa752ce4633184b3e0d97601017135 and fixed in 5.10.156 with commit 62634b43d3c4e1bf62fd540196f7081bf0885c0a
 	Issue introduced in 3.9 with commit 06164d2b72aa752ce4633184b3e0d97601017135 and fixed in 5.15.80 with commit 8e2f33c598370bcf828bab4d667d1d38bcd3c57d
 	Issue introduced in 3.9 with commit 06164d2b72aa752ce4633184b3e0d97601017135 and fixed in 6.0.10 with commit 76c50d77b928a33e5290aaa9fdc10e88254ff8c7
 	Issue introduced in 3.9 with commit 06164d2b72aa752ce4633184b3e0d97601017135 and fixed in 6.1 with commit e5b0d06d9b10f5f43101bd6598b076c347f9295f

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2022-49788
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/misc/vmw_vmci/vmci_queue_pair.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/7ccf7229b96fadc3a185d1391f814a604c7ef609
 	https://git.kernel.org/stable/c/f04586c2315cfd03d72ad0395705435e7ed07b1a
 	https://git.kernel.org/stable/c/5a275528025ae4bc7e2232866856dfebf84b2fad
 	https://git.kernel.org/stable/c/e7061dd1fef2dfb6458cd521aef27aa66f510d31
 	https://git.kernel.org/stable/c/62634b43d3c4e1bf62fd540196f7081bf0885c0a
 	https://git.kernel.org/stable/c/8e2f33c598370bcf828bab4d667d1d38bcd3c57d
 	https://git.kernel.org/stable/c/76c50d77b928a33e5290aaa9fdc10e88254ff8c7
 	https://git.kernel.org/stable/c/e5b0d06d9b10f5f43101bd6598b076c347f9295f
	From bippy-1.1.0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@kernel.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2022-49788: misc/vmw_vmci: fix an infoleak in vmci_host_do_receive_datagram()

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	misc/vmw_vmci: fix an infoleak in vmci_host_do_receive_datagram()

	`struct vmci_event_qp` allocated by qp_notify_peer() contains padding,
	which may carry uninitialized data to the userspace, as observed by
	KMSAN:

	BUG: KMSAN: kernel-infoleak in instrument_copy_to_user ./include/linux/instrumented.h:121
	instrument_copy_to_user ./include/linux/instrumented.h:121
	_copy_to_user+0x5f/0xb0 lib/usercopy.c:33
	copy_to_user ./include/linux/uaccess.h:169
	vmci_host_do_receive_datagram drivers/misc/vmw_vmci/vmci_host.c:431
	vmci_host_unlocked_ioctl+0x33d/0x43d0 drivers/misc/vmw_vmci/vmci_host.c:925
	vfs_ioctl fs/ioctl.c:51
	...

	Uninit was stored to memory at:
	kmemdup+0x74/0xb0 mm/util.c:131
	dg_dispatch_as_host drivers/misc/vmw_vmci/vmci_datagram.c:271
	vmci_datagram_dispatch+0x4f8/0xfc0 drivers/misc/vmw_vmci/vmci_datagram.c:339
	qp_notify_peer+0x19a/0x290 drivers/misc/vmw_vmci/vmci_queue_pair.c:1479
	qp_broker_attach drivers/misc/vmw_vmci/vmci_queue_pair.c:1662
	qp_broker_alloc+0x2977/0x2f30 drivers/misc/vmw_vmci/vmci_queue_pair.c:1750
	vmci_qp_broker_alloc+0x96/0xd0 drivers/misc/vmw_vmci/vmci_queue_pair.c:1940
	vmci_host_do_alloc_queuepair drivers/misc/vmw_vmci/vmci_host.c:488
	vmci_host_unlocked_ioctl+0x24fd/0x43d0 drivers/misc/vmw_vmci/vmci_host.c:927
	...

	Local variable ev created at:
	qp_notify_peer+0x54/0x290 drivers/misc/vmw_vmci/vmci_queue_pair.c:1456
	qp_broker_attach drivers/misc/vmw_vmci/vmci_queue_pair.c:1662
	qp_broker_alloc+0x2977/0x2f30 drivers/misc/vmw_vmci/vmci_queue_pair.c:1750

	Bytes 28-31 of 48 are uninitialized
	Memory access of size 48 starts at ffff888035155e00
	Data copied to user address 0000000020000100

	Use memset() to prevent the infoleaks.

	Also speculatively fix qp_notify_peer_local(), which may suffer from the
	same problem.

	The Linux kernel CVE team has assigned CVE-2022-49788 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 3.9 with commit 06164d2b72aa752ce4633184b3e0d97601017135 and fixed in 4.9.334 with commit 7ccf7229b96fadc3a185d1391f814a604c7ef609
	Issue introduced in 3.9 with commit 06164d2b72aa752ce4633184b3e0d97601017135 and fixed in 4.14.300 with commit f04586c2315cfd03d72ad0395705435e7ed07b1a
	Issue introduced in 3.9 with commit 06164d2b72aa752ce4633184b3e0d97601017135 and fixed in 4.19.267 with commit 5a275528025ae4bc7e2232866856dfebf84b2fad
	Issue introduced in 3.9 with commit 06164d2b72aa752ce4633184b3e0d97601017135 and fixed in 5.4.225 with commit e7061dd1fef2dfb6458cd521aef27aa66f510d31
	Issue introduced in 3.9 with commit 06164d2b72aa752ce4633184b3e0d97601017135 and fixed in 5.10.156 with commit 62634b43d3c4e1bf62fd540196f7081bf0885c0a
	Issue introduced in 3.9 with commit 06164d2b72aa752ce4633184b3e0d97601017135 and fixed in 5.15.80 with commit 8e2f33c598370bcf828bab4d667d1d38bcd3c57d
	Issue introduced in 3.9 with commit 06164d2b72aa752ce4633184b3e0d97601017135 and fixed in 6.0.10 with commit 76c50d77b928a33e5290aaa9fdc10e88254ff8c7
	Issue introduced in 3.9 with commit 06164d2b72aa752ce4633184b3e0d97601017135 and fixed in 6.1 with commit e5b0d06d9b10f5f43101bd6598b076c347f9295f

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2022-49788
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/misc/vmw_vmci/vmci_queue_pair.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/7ccf7229b96fadc3a185d1391f814a604c7ef609
	https://git.kernel.org/stable/c/f04586c2315cfd03d72ad0395705435e7ed07b1a
	https://git.kernel.org/stable/c/5a275528025ae4bc7e2232866856dfebf84b2fad
	https://git.kernel.org/stable/c/e7061dd1fef2dfb6458cd521aef27aa66f510d31
	https://git.kernel.org/stable/c/62634b43d3c4e1bf62fd540196f7081bf0885c0a
	https://git.kernel.org/stable/c/8e2f33c598370bcf828bab4d667d1d38bcd3c57d
	https://git.kernel.org/stable/c/76c50d77b928a33e5290aaa9fdc10e88254ff8c7
	https://git.kernel.org/stable/c/e5b0d06d9b10f5f43101bd6598b076c347f9295f