Hi,

Static analysis on linux-next has found an issue with the following commit:

commit ffc3634b66967445f3368c3b53a42bccc52b2c7f
Author: Eugenio Pérez <[email protected]>
Date:   Thu Sep 25 11:13:32 2025 +0200

    vduse: add vq group support


The issue is in function vhost_vdpa_vring_ioctl:

        case VHOST_VDPA_GET_VRING_GROUP: {
                u64 group;

                if (!ops->get_vq_group)
                        return -EOPNOTSUPP;
                s.index = idx;
                group = ops->get_vq_group(vdpa, idx);
                if (group >= vdpa->ngroups || group > U32_MAX || group < 0)
                        return -EIO;
                else if (copy_to_user(argp, &s, sizeof(s)))
                        return -EFAULT;
                s.num = group;
                return 0;
        }


The copy_to_user of struct s copies a partially initialized struct: at that point field s.num still holds garbage data from the stack, and that garbage is what gets copied back to user space, because the assignment s.num = group only happens after the copy. Field s.num should be assigned its value before the copy_to_user call so that uninitialized stack data is not leaked to user space.
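The corrected ordering as a small user-space model, added here as an illustration (it is neither the kernel's code nor the eventual patch); the struct layout, the fake device table and the copy_to_user stand-in are assumptions made for the model:

```c
/* Added example, not kernel code: user-space model of the corrected ordering for
 * VHOST_VDPA_GET_VRING_GROUP. Struct layout, fake device and copy stub are assumptions. */
#include <errno.h>
#include <stdint.h>
#include <string.h>

struct vring_state { unsigned int index; unsigned int num; }; /* models vhost_vring_state */

struct fake_vdpa {                 /* models the device's vq -> group lookup */
    uint32_t ngroups, nvqs;
    const uint32_t *vq_to_group;
};

/* Stand-in for copy_to_user(): 0 on success, nonzero when the user pointer is bad. */
static int fake_copy_to_user(void *to, const void *from, size_t n)
{
    if (!to)
        return -1;
    memcpy(to, from, n);
    return 0;
}

/* Corrected handler: s is fully initialised at declaration and s.num is assigned
 * before the copy, so no stack bytes can reach user space on any path. */
int get_vring_group_fixed(const struct fake_vdpa *vdpa, uint32_t idx,
                          struct vring_state *user_out)
{
    struct vring_state s = { .index = idx, .num = 0 };
    uint64_t group;
    if (idx >= vdpa->nvqs)
        return -EINVAL;
    group = vdpa->vq_to_group[idx];
    if (group >= vdpa->ngroups || group > UINT32_MAX)
        return -EIO;
    s.num = (unsigned int)group;                     /* assign first ... */
    if (fake_copy_to_user(user_out, &s, sizeof(s)))  /* ... then copy out */
        return -EFAULT;
    return 0;
}

/* Constructed sample: four vqs in two groups; vq 3 reports a bogus group (7). */
static const uint32_t sample_map[] = { 0, 1, 1, 7 };
static const struct fake_vdpa sample_vdpa = { 2, 4, sample_map };
/* "User space" buffer, pre-filled with a sentinel so an untouched copy is visible. */
struct vring_state model_user;
int model_get_group(uint32_t idx)
{
    model_user.index = model_user.num = 0xAAAAAAAAu;
    return get_vring_group_fixed(&sample_vdpa, idx, &model_user);
}
```

On the error paths nothing is copied at all, so the sentinel in the user buffer survives; on the success path both fields are fully defined before the copy.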

Colin
