From: Maxime Coquelin
To: linux-kernel@vger.kernel.org, virtualization@lists.linux-foundation.org, elic@nvidia.com, guanjun@linux.alibaba.com, parav@nvidia.com, gautam.dawar@xilinx.com, dan.carpenter@oracle.com, xieyongji@bytedance.com, jasowang@redhat.com, mst@redhat.com
Cc: Maxime Coquelin
Subject: [PATCH] vduse: prevent uninitialized memory accesses
Date: Fri, 26 Aug 2022 18:16:05 +0200
Message-Id: <20220826161605.559317-1-maxime.coquelin@redhat.com>

If the VDUSE application provides a smaller config space than the driver expects, the driver may use uninitialized memory from the stack.

This patch prevents it by initializing the buffer passed by the driver to store the config value.

Signed-off-by: Maxime Coquelin
---
 drivers/vdpa/vdpa_user/vduse_dev.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/drivers/vdpa/vdpa_user/vduse_dev.c b/drivers/vdpa/vdpa_user/vduse_dev.c
index 41c0b29739f1..35dceee3ed56 100644
--- a/drivers/vdpa/vdpa_user/vduse_dev.c
+++ b/drivers/vdpa/vdpa_user/vduse_dev.c @@ -673,10 +673,15 @@ static void vduse_vdpa_get_config(struct vdpa_device *vdpa, unsigned int offset, { struct vduse_dev *dev = vdpa_to_vduse(vdpa); - if (offset > dev->config_size || - len > dev->config_size - offset) + /* Initialize the buffer in case of partial copy. */ + memset(buf, 0, len); + + if (offset > dev->config_size) return; + if (len > dev->config_size - offset) + len = dev->config_size - offset; + memcpy(buf, dev->config + offset, len); } -- 2.37.1
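Review bot: The comment `/* Initialize the buffer in case of partial copy. */` understates what the `memset(buf, 0, len)` now does: because it is placed before the early `return`, the driver's buffer is also zeroed when `offset > dev->config_size`, which is exactly the case the commit message worries about (a VDUSE application declaring a config space smaller than the driver expects would otherwise leave whatever was on the driver's stack in `buf`, readable as config values); please reword the comment to cover both the out-of-range and the partial-copy case. The remaining check could be `offset >= dev->config_size` for readability, although with the clamp that follows, `offset == dev->config_size` only reduces `len` to 0 and turns the `memcpy` into a no-op, so the result is still a fully zeroed buffer; since both operands are `unsigned int`, the subtraction `dev->config_size - offset` cannot underflow after that check. Finally, this is a fix for behaviour present since `vduse_vdpa_get_config()` was introduced, so a `Fixes:` tag naming that commit (and a `Cc: stable` if appropriate) would let it reach stable trees.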