cve/published/2024/CVE-2024-35944.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-35944: VMCI: Fix memcpy() run-time warning in dg_dispatch_as_host()

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 VMCI: Fix memcpy() run-time warning in dg_dispatch_as_host()

 Syzkaller hit 'WARNING in dg_dispatch_as_host' bug.

 memcpy: detected field-spanning write (size 56) of single field "&dg_info->msg"
 at drivers/misc/vmw_vmci/vmci_datagram.c:237 (size 24)

 WARNING: CPU: 0 PID: 1555 at drivers/misc/vmw_vmci/vmci_datagram.c:237
 dg_dispatch_as_host+0x88e/0xa60 drivers/misc/vmw_vmci/vmci_datagram.c:237

 Some code commentry, based on my understanding:

 544 #define VMCI_DG_SIZE(_dg) (VMCI_DG_HEADERSIZE + (size_t)(_dg)->payload_size)
 /// This is 24 + payload_size

 memcpy(&dg_info->msg, dg, dg_size);
 	Destination = dg_info->msg ---> this is a 24 byte
 					structure(struct vmci_datagram)
 	Source = dg --> this is a 24 byte structure (struct vmci_datagram)
 	Size = dg_size = 24 + payload_size

 {payload_size = 56-24 =32} -- Syzkaller managed to set payload_size to 32.

  35 struct delayed_datagram_info {
  36         struct datagram_entry *entry;
  37         struct work_struct work;
  38         bool in_dg_host_queue;
  39         /* msg and msg_payload must be together. */
  40         struct vmci_datagram msg;
  41         u8 msg_payload[];
  42 };

 So those extra bytes of payload are copied into msg_payload[], a run time
 warning is seen while fuzzing with Syzkaller.

 One possible way to fix the warning is to split the memcpy() into
 two parts -- one -- direct assignment of msg and second taking care of payload.

 Gustavo quoted:
 "Under FORTIFY_SOURCE we should not copy data across multiple members
 in a structure."

 The Linux kernel CVE team has assigned CVE-2024-35944 to this issue.


 Affected and fixed versions
 ===========================

 	Fixed in 4.19.312 with commit e87bb99d2df6512d8ee37a5d63d2ca9a39a8c051
 	Fixed in 5.4.274 with commit f15eca95138b3d4ec17b63c3c1937b0aa0d3624b
 	Fixed in 5.10.215 with commit ad78c5047dc4076d0b3c4fad4f42ffe9c86e8100
 	Fixed in 5.15.155 with commit 130b0cd064874e0d0f58e18fb00e6f3993e90c74
 	Fixed in 6.1.86 with commit feacd430b42bbfa9ab3ed9e4f38b86c43e348c75
 	Fixed in 6.6.27 with commit dae70a57565686f16089737adb8ac64471570f73
 	Fixed in 6.8.6 with commit 491a1eb07c2bd8841d63cb5263455e185be5866f
 	Fixed in 6.9 with commit 19b070fefd0d024af3daa7329cbc0d00de5302ec

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-35944
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/misc/vmw_vmci/vmci_datagram.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/e87bb99d2df6512d8ee37a5d63d2ca9a39a8c051
 	https://git.kernel.org/stable/c/f15eca95138b3d4ec17b63c3c1937b0aa0d3624b
 	https://git.kernel.org/stable/c/ad78c5047dc4076d0b3c4fad4f42ffe9c86e8100
 	https://git.kernel.org/stable/c/130b0cd064874e0d0f58e18fb00e6f3993e90c74
 	https://git.kernel.org/stable/c/feacd430b42bbfa9ab3ed9e4f38b86c43e348c75
 	https://git.kernel.org/stable/c/dae70a57565686f16089737adb8ac64471570f73
 	https://git.kernel.org/stable/c/491a1eb07c2bd8841d63cb5263455e185be5866f
 	https://git.kernel.org/stable/c/19b070fefd0d024af3daa7329cbc0d00de5302ec
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-35944: VMCI: Fix memcpy() run-time warning in dg_dispatch_as_host()

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	VMCI: Fix memcpy() run-time warning in dg_dispatch_as_host()

	Syzkaller hit 'WARNING in dg_dispatch_as_host' bug.

	memcpy: detected field-spanning write (size 56) of single field "&dg_info->msg"
	at drivers/misc/vmw_vmci/vmci_datagram.c:237 (size 24)

	WARNING: CPU: 0 PID: 1555 at drivers/misc/vmw_vmci/vmci_datagram.c:237
	dg_dispatch_as_host+0x88e/0xa60 drivers/misc/vmw_vmci/vmci_datagram.c:237

	Some code commentry, based on my understanding:

	544 #define VMCI_DG_SIZE(_dg) (VMCI_DG_HEADERSIZE + (size_t)(_dg)->payload_size)
	/// This is 24 + payload_size

	memcpy(&dg_info->msg, dg, dg_size);
	Destination = dg_info->msg ---> this is a 24 byte
	structure(struct vmci_datagram)
	Source = dg --> this is a 24 byte structure (struct vmci_datagram)
	Size = dg_size = 24 + payload_size

	{payload_size = 56-24 =32} -- Syzkaller managed to set payload_size to 32.

	35 struct delayed_datagram_info {
	36 struct datagram_entry *entry;
	37 struct work_struct work;
	38 bool in_dg_host_queue;
	39 /* msg and msg_payload must be together. */
	40 struct vmci_datagram msg;
	41 u8 msg_payload[];
	42 };

	So those extra bytes of payload are copied into msg_payload[], a run time
	warning is seen while fuzzing with Syzkaller.

	One possible way to fix the warning is to split the memcpy() into
	two parts -- one -- direct assignment of msg and second taking care of payload.

	Gustavo quoted:
	"Under FORTIFY_SOURCE we should not copy data across multiple members
	in a structure."

	The Linux kernel CVE team has assigned CVE-2024-35944 to this issue.


	Affected and fixed versions
	===========================

	Fixed in 4.19.312 with commit e87bb99d2df6512d8ee37a5d63d2ca9a39a8c051
	Fixed in 5.4.274 with commit f15eca95138b3d4ec17b63c3c1937b0aa0d3624b
	Fixed in 5.10.215 with commit ad78c5047dc4076d0b3c4fad4f42ffe9c86e8100
	Fixed in 5.15.155 with commit 130b0cd064874e0d0f58e18fb00e6f3993e90c74
	Fixed in 6.1.86 with commit feacd430b42bbfa9ab3ed9e4f38b86c43e348c75
	Fixed in 6.6.27 with commit dae70a57565686f16089737adb8ac64471570f73
	Fixed in 6.8.6 with commit 491a1eb07c2bd8841d63cb5263455e185be5866f
	Fixed in 6.9 with commit 19b070fefd0d024af3daa7329cbc0d00de5302ec

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-35944
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/misc/vmw_vmci/vmci_datagram.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/e87bb99d2df6512d8ee37a5d63d2ca9a39a8c051
	https://git.kernel.org/stable/c/f15eca95138b3d4ec17b63c3c1937b0aa0d3624b
	https://git.kernel.org/stable/c/ad78c5047dc4076d0b3c4fad4f42ffe9c86e8100
	https://git.kernel.org/stable/c/130b0cd064874e0d0f58e18fb00e6f3993e90c74
	https://git.kernel.org/stable/c/feacd430b42bbfa9ab3ed9e4f38b86c43e348c75
	https://git.kernel.org/stable/c/dae70a57565686f16089737adb8ac64471570f73
	https://git.kernel.org/stable/c/491a1eb07c2bd8841d63cb5263455e185be5866f
	https://git.kernel.org/stable/c/19b070fefd0d024af3daa7329cbc0d00de5302ec