diff --git a/patches/kernel/0014-vhost-fix-info-leak-due-to-uninitialized-memory.patch b/patches/kernel/0014-vhost-fix-info-leak-due-to-uninitialized-memory.patch new file mode 100644 index 0000000..a627235 --- /dev/null +++ b/patches/kernel/0014-vhost-fix-info-leak-due-to-uninitialized-memory.patch @@ -0,0 +1,45 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: "Michael S. Tsirkin" +Date: Thu, 16 Aug 2018 17:02:36 +0800 +Subject: [PATCH] vhost: fix info leak due to uninitialized memory + +CVE-2018-1118 + +struct vhost_msg within struct vhost_msg_node is copied to userspace. +Unfortunately it turns out on 64 bit systems vhost_msg has padding after +type which gcc doesn't initialize, leaking 4 uninitialized bytes to +userspace. + +This padding also unfortunately means 32 bit users of this interface are +broken on a 64 bit kernel which will need to be fixed separately. + +Fixes: CVE-2018-1118 +Cc: stable@vger.kernel.org +Reported-by: Kevin Easton +Signed-off-by: Michael S. Tsirkin +Reported-by: syzbot+87cfa083e727a224754b@syzkaller.appspotmail.com +Signed-off-by: Michael S. Tsirkin +(cherry picked from commit 670ae9caaca467ea1bfd325cb2a5c98ba87f94ad) +Signed-off-by: Po-Hsu Lin +Acked-by: Khalid Elmously +Acked-by: Kamal Mostafa +Signed-off-by: Khalid Elmously +Signed-off-by: Stoiko Ivanov +--- + drivers/vhost/vhost.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c +index 31bdfd296ced..a922d3d28a20 100644 +--- a/drivers/vhost/vhost.c ++++ b/drivers/vhost/vhost.c +@@ -2383,6 +2383,9 @@ struct vhost_msg_node *vhost_new_msg(struct vhost_virtqueue *vq, int type) + struct vhost_msg_node *node = kmalloc(sizeof *node, GFP_KERNEL); + if (!node) + return NULL; ++ ++ /* Make sure all padding within the structure is initialized. */ ++ memset(&node->msg, 0, sizeof node->msg); + node->vq = vq; + node->msg.type = type; + return node;