CVE-2023-54137

Summary

In the Linux kernel, the following vulnerability has been resolved:

vfio/type1: fix cap_migration information leak

Fix an information leak where an uninitialized hole in struct vfio_iommu_type1_info_cap_migration on the stack is exposed to userspace.

The definition of struct vfio_iommu_type1_info_cap_migration contains a hole as shown in this pahole(1) output:

struct vfio_iommu_type1_info_cap_migration { struct vfio_info_cap_header header; /* 0 8 / __u32 flags; / 8 4 */

      /* XXX 4 bytes hole, try to pack */

      __u64                      pgsize_bitmap;        /*    16     8 */
      __u64                      max_dirty_bitmap_size; /*    24     8 */

      /* size: 32, cachelines: 1, members: 4 */
      /* sum members: 28, holes: 1, sum holes: 4 */
      /* last cacheline: 32 bytes */

};

The cap_mig variable is filled in without initializing the hole:

static int vfio_iommu_migration_build_caps(struct vfio_iommu *iommu, struct vfio_info_cap *caps) { struct vfio_iommu_type1_info_cap_migration cap_mig;

  cap_mig.header.id = VFIO_IOMMU_TYPE1_INFO_CAP_MIGRATION;
  cap_mig.header.version = 1;

  cap_mig.flags = 0;
  /* support minimum pgsize */
  cap_mig.pgsize_bitmap = (size_t)1 << __ffs(iommu->pgsize_bitmap);
  cap_mig.max_dirty_bitmap_size = DIRTY_BITMAP_SIZE_MAX;

  return vfio_info_add_capability(caps, &cap_mig.header, sizeof(cap_mig));

}

The structure is then copied to a temporary location on the heap. At this point it's already too late and ioctl(VFIO_IOMMU_GET_INFO) copies it to userspace later:

int vfio_info_add_capability(struct vfio_info_cap *caps, struct vfio_info_cap_header *cap, size_t size) { struct vfio_info_cap_header *header;

  header = vfio_info_cap_add(caps, size, cap->id, cap->version);
  if (IS_ERR(header))
      return PTR_ERR(header);

  memcpy(header + 1, cap + 1, size - sizeof(*header));

  return 0;

}

This issue was found by code inspection.

Affected Software

VendorProductVersion RangeStatus
LinuxLinuxad721705d09c62f0d108a6b4f59867ebfd592c90 < ad83d83dd891244de0d07678b257dc976db7c132affected
LinuxLinuxad721705d09c62f0d108a6b4f59867ebfd592c90 < 13fd667db999bffb557c5de7adb3c14f1713dd51affected
LinuxLinuxad721705d09c62f0d108a6b4f59867ebfd592c90 < f6f300ecc196d243c02adeb9ee0c62c677c24bfbaffected
LinuxLinuxad721705d09c62f0d108a6b4f59867ebfd592c90 < cbac29a1caa49a34e131394e1f4d924a76d8b0c9affected
LinuxLinuxad721705d09c62f0d108a6b4f59867ebfd592c90 < 1b5feb8497cdb5b9962db2700814bffbc030fb4aaffected
LinuxLinuxad721705d09c62f0d108a6b4f59867ebfd592c90 < cd24e2a60af633f157d7e59c0a6dba64f131c0b1affected
LinuxLinux5.8affected
LinuxLinux0 < 5.8unaffected
LinuxLinux5.10.195 <= 5.10.*unaffected
LinuxLinux5.15.132 <= 5.15.*unaffected
LinuxLinux6.1.53 <= 6.1.*unaffected
LinuxLinux6.4.16 <= 6.4.*unaffected
LinuxLinux6.5.3 <= 6.5.*unaffected
LinuxLinux6.6 <= *unaffected

Weaknesses

References