- CVE-2023-54137
- EPSS 0.05%
- Published 24.12.2025 13:06:52
- Last modified 15.04.2026 00:35:42
- Source 416baaa9-dc9f-4396-8d5f-8c081f
- CVE watchlists
- Open
vfio/type1: fix cap_migration information leak
In the Linux kernel, the following vulnerability has been resolved:
vfio/type1: fix cap_migration information leak
Fix an information leak where an uninitialized hole in struct
vfio_iommu_type1_info_cap_migration on the stack is exposed to userspace.
The definition of struct vfio_iommu_type1_info_cap_migration contains a hole as
shown in this pahole(1) output:
```c
struct vfio_iommu_type1_info_cap_migration {
        struct vfio_info_cap_header header;          /*     0     8 */
        __u32                      flags;            /*     8     4 */

        /* XXX 4 bytes hole, try to pack */

        __u64                      pgsize_bitmap;    /*    16     8 */
        __u64                      max_dirty_bitmap_size; /*    24     8 */

        /* size: 32, cachelines: 1, members: 4 */
        /* sum members: 28, holes: 1, sum holes: 4 */
        /* last cacheline: 32 bytes */
};
```
The cap_mig variable is filled in without initializing the hole:
```c
static int vfio_iommu_migration_build_caps(struct vfio_iommu *iommu,
					   struct vfio_info_cap *caps)
{
	struct vfio_iommu_type1_info_cap_migration cap_mig;

	cap_mig.header.id = VFIO_IOMMU_TYPE1_INFO_CAP_MIGRATION;
	cap_mig.header.version = 1;

	cap_mig.flags = 0;
	/* support minimum pgsize */
	cap_mig.pgsize_bitmap = (size_t)1 << __ffs(iommu->pgsize_bitmap);
	cap_mig.max_dirty_bitmap_size = DIRTY_BITMAP_SIZE_MAX;

	return vfio_info_add_capability(caps, &cap_mig.header, sizeof(cap_mig));
}
```
The structure is then copied to a temporary location on the heap. At this point
it's already too late and ioctl(VFIO_IOMMU_GET_INFO) copies it to userspace
later:
```c
int vfio_info_add_capability(struct vfio_info_cap *caps,
			     struct vfio_info_cap_header *cap, size_t size)
{
	struct vfio_info_cap_header *header;

	header = vfio_info_cap_add(caps, size, cap->id, cap->version);
	if (IS_ERR(header))
		return PTR_ERR(header);

	memcpy(header + 1, cap + 1, size - sizeof(*header));
	return 0;
}
```
This issue was found by code inspection.

Data provided by the CVE Program via a CVE Numbering Authority (CNA) (unstructured).
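The hole and its consequence, as an added userspace model that is neither the kernel's code nor the upstream fix: `struct cap_header` and `struct cap_migration` are assumed stand-ins that keep the kernel struct's member order and widths, the backing storage is poisoned to represent stale stack bytes, and the hole bytes that survive the copy are counted with and without a `memset` of the whole object before the members are filled in.

```c
/* Added example, not kernel code: a userspace model of the leak above. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Stand-in for struct vfio_info_cap_header (two __u16 plus a __u32 next). */
struct cap_header { uint16_t id, version; uint32_t next; };

/* Same member order and widths as the kernel struct; the hole after flags
 * is forced by the 8-byte alignment of pgsize_bitmap. */
struct cap_migration {
    struct cap_header header;
    uint32_t flags;
    uint64_t pgsize_bitmap;
    uint64_t max_dirty_bitmap_size;
};

#define HOLE_OFF (offsetof(struct cap_migration, flags) + sizeof(uint32_t))
#define HOLE_LEN (offsetof(struct cap_migration, pgsize_bitmap) - HOLE_OFF)

union backing { struct cap_migration cap; unsigned char raw[sizeof(struct cap_migration)]; };
/* Fill the object as the vulnerable function did (zero_first == 0) or after a
 * memset of the whole object (zero_first == 1), then copy it out the way
 * vfio_info_add_capability does. Static storage only keeps the demo deterministic. */
static void build_cap(unsigned char *out, int zero_first)
{
    static union backing b;
    memset(b.raw, 0xAA, sizeof b.raw);      /* constructed: stale bytes */
    if (zero_first)
        memset(&b.cap, 0, sizeof b.cap);    /* clears members and padding */
    b.cap.header.id = 1;
    b.cap.header.version = 1;
    b.cap.header.next = 0;
    b.cap.flags = 0;
    b.cap.pgsize_bitmap = (uint64_t)1 << 12;      /* constructed: 4 KiB page */
    b.cap.max_dirty_bitmap_size = 256u << 20;     /* constructed placeholder */
    memcpy(out, &b.cap, sizeof b.cap);      /* member stores leave the hole alone */
}

/* Number of hole bytes that still carry the 0xAA poison after the copy. */
size_t stale_hole_bytes(int zero_first)
{
    unsigned char out[sizeof(struct cap_migration)];
    size_t i, n = 0;
    build_cap(out, zero_first);
    for (i = HOLE_OFF; i < HOLE_OFF + HOLE_LEN; i++)
        n += (out[i] == 0xAA);
    return n;
}
```

`offsetof` places the hole at byte 12 with length 4, matching the pahole output above; the unzeroed path carries all four stale bytes into the copy, the zeroed path none.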
Vendor: Linux
Product: Linux
Default status: unaffected

| Version (from) | Version < | Status |
|---|---|---|
| ad721705d09c62f0d108a6b4f59867ebfd592c90 | ad83d83dd891244de0d07678b257dc976db7c132 | affected |
| ad721705d09c62f0d108a6b4f59867ebfd592c90 | 13fd667db999bffb557c5de7adb3c14f1713dd51 | affected |
| ad721705d09c62f0d108a6b4f59867ebfd592c90 | f6f300ecc196d243c02adeb9ee0c62c677c24bfb | affected |
| ad721705d09c62f0d108a6b4f59867ebfd592c90 | cbac29a1caa49a34e131394e1f4d924a76d8b0c9 | affected |
| ad721705d09c62f0d108a6b4f59867ebfd592c90 | 1b5feb8497cdb5b9962db2700814bffbc030fb4a | affected |
| ad721705d09c62f0d108a6b4f59867ebfd592c90 | cd24e2a60af633f157d7e59c0a6dba64f131c0b1 | affected |

Vendor: Linux
Product: Linux
Default status: affected

| Version | Range | Status |
|---|---|---|
| 5.8 | | affected |
| 0 | < 5.8 | unaffected |
| 5.10.195 | <= 5.10.* | unaffected |
| 5.15.132 | <= 5.15.* | unaffected |
| 6.1.53 | <= 6.1.* | unaffected |
| 6.4.16 | <= 6.4.* | unaffected |
| 6.5.3 | <= 6.5.* | unaffected |
| 6.6 | <= * | unaffected |
VulnDex Vulnerability Enrichment

| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.05% | 0.144 |

| Source | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|