Received: by 2002:ac0:a5b6:0:0:0:0:0 with SMTP id m51-v6csp3855267imm; Tue, 29 May 2018 15:20:43 -0700 (PDT) X-Google-Smtp-Source: ADUXVKL1Id0b/faoFi07KG4pP9CmyUsGGMGtc6OXrTs9VO5+yvCylw0FDcbrmPlh6OqBXfdwLNyg X-Received: by 2002:a62:dc98:: with SMTP id c24-v6mr200198pfl.183.1527632443771; Tue, 29 May 2018 15:20:43 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1527632443; cv=none; d=google.com; s=arc-20160816; b=nlJra74epGQwbey+17Sqpo3B5LBdJhvGY33BA0It+gPXdCqnryWzBFoGcpQdUjImRI vPYEsUTvb6ggJt7MzVyqGGLhdq+bWAnMacq0WU/dZiGW9LtskBkIT2I4t2gIz/KrtU+2 VgIUN63CsSn3jywb4s4sbDbSld2RQw8gDkOe/r7An+1RMy4JSYQcYbd3T8CCp8FytJNP L48GulVBpobr1YyQTrDTn62ZGCHOAA+05/bgYuON7jI8B6zjuRc3CozPQchmlTeI5uUQ 3kBjHCpmLYeobA07WeDf/lKhBwpSOZ0OdSTPc4nNiV5wQgyezZ9/O2lUiEZaZP/pYRBS zhnQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:dkim-signature:arc-authentication-results; bh=uVyoercYQaW3N5X8i+Tin9EfrsnRF4mBHt+c8GjeOes=; b=oll5fACk7S+P8dBxSnhhEoXHBhN/PljfPxaX3Jc6Vy76aOPvsaaFt45eJUvy1QrvMm UM/f+OW0dszuWvnRmmKYmI2iZRrk/7OGrLi/0bbyku6rPvWbP/z8OzCOP4fO6ro95wGD PP7oLa8T+4OycFSP8SKb8WlZ4y6TTQBgIsrpXnBzy4PSLji0dn/ZUeMsAQSTV7IJ2vpy 61cEZOHrEs4yrNJzcrSp90T0fmK2LuiimYvyPjFs1IFI9BGbuWjf86kyJ5B6t+JCmkGF QIesAUSKrRYpgRzZM3kWQmJQJvWgOfISRfSjYVzbAeRS99g0R4vS+/UOYVBrmQ/3h+nL tBEA== ARC-Authentication-Results: i=1; mx.google.com; dkim=fail header.i=@roeck-us.net header.s=default header.b=1QgGhv8g; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id x3-v6si16823952plr.307.2018.05.29.15.20.30; Tue, 29 May 2018 15:20:43 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=fail header.i=@roeck-us.net header.s=default header.b=1QgGhv8g; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S968378AbeE2WTQ (ORCPT + 99 others); Tue, 29 May 2018 18:19:16 -0400 Received: from bh-25.webhostbox.net ([208.91.199.152]:47203 "EHLO bh-25.webhostbox.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S967747AbeE2WTL (ORCPT ); Tue, 29 May 2018 18:19:11 -0400 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=roeck-us.net; s=default; h=In-Reply-To:Content-Type:MIME-Version:References :Message-ID:Subject:Cc:To:From:Date:Sender:Reply-To:Content-Transfer-Encoding :Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=uVyoercYQaW3N5X8i+Tin9EfrsnRF4mBHt+c8GjeOes=; b=1QgGhv8gfY4FEcslqKfX/ChvvD u8EodlIjeF3xUVcIUyWq5PjjYTxuzrTHhU6264YjIgZFFNoJhkJLwRpQKEU+ZmacHgcE6eXsUFeTU lw5BBhs7zJmp0jEHBzH4circ7nPzGn2n5J/CtS4QRo9j32NusVSGtse3YR0aLx6MpMgJ37D60sq5/ d/0XWFgWHUVuqkwKlB73hpJfwHY9W13SYpTfrU1OWzc5pK+ElMpHyoRnVi2pJvQo0tO+MTZUt+bsT fsk7hmpGOu6Na50E5/1qLfXTU/4NFFxIwXbSQsmnMj4Kp8stXLpKq+Jf+MtlSPFMObICPOwYWsAfV WQ5xDv/A==; Received: from 108-223-40-66.lightspeed.sntcca.sbcglobal.net ([108.223.40.66]:37436 helo=localhost) by bh-25.webhostbox.net with esmtpa (Exim 4.89) (envelope-from ) id 1fNmxQ-001QUD-UN; Tue, 29 May 2018 22:19:10 +0000 Date: Tue, 29 May 2018 15:19:08 -0700 From: Guenter Roeck To: Kevin Easton Cc: "Michael S. Tsirkin" , Jason Wang , kvm@vger.kernel.org, virtualization@lists.linux-foundation.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com Subject: Re: [net] vhost: Use kzalloc() to allocate vhost_msg_node Message-ID: <20180529221908.GA22742@roeck-us.net> References: <20180427154502.GA22544@la.guarana.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20180427154502.GA22544@la.guarana.org> User-Agent: Mutt/1.5.24 (2015-08-30) X-Authenticated_sender: guenter@roeck-us.net X-OutGoing-Spam-Status: No, score=-1.0 X-AntiAbuse: This header was added to track abuse, please include it with any abuse report X-AntiAbuse: Primary Hostname - bh-25.webhostbox.net X-AntiAbuse: Original Domain - vger.kernel.org X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12] X-AntiAbuse: Sender Address Domain - roeck-us.net X-Get-Message-Sender-Via: bh-25.webhostbox.net: authenticated_id: guenter@roeck-us.net X-Authenticated-Sender: bh-25.webhostbox.net: guenter@roeck-us.net X-Source: X-Source-Args: X-Source-Dir: Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, Apr 27, 2018 at 11:45:02AM -0400, Kevin Easton wrote: > The struct vhost_msg within struct vhost_msg_node is copied to userspace, > so it should be allocated with kzalloc() to ensure all structure padding > is zeroed. > > Signed-off-by: Kevin Easton > Reported-by: syzbot+87cfa083e727a224754b@syzkaller.appspotmail.com Is this patch going anywhere ? The patch fixes CVE-2018-1118. It would be useful to understand if and when this problem is going to be fixed. Thanks, Guenter > --- > drivers/vhost/vhost.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c > index f3bd8e9..1b84dcff 100644 > --- a/drivers/vhost/vhost.c > +++ b/drivers/vhost/vhost.c > @@ -2339,7 +2339,7 @@ EXPORT_SYMBOL_GPL(vhost_disable_notify); > /* Create a new message. */ > struct vhost_msg_node *vhost_new_msg(struct vhost_virtqueue *vq, int type) > { > - struct vhost_msg_node *node = kmalloc(sizeof *node, GFP_KERNEL); > + struct vhost_msg_node *node = kzalloc(sizeof *node, GFP_KERNEL); > if (!node) > return NULL; > node->vq = vq;