In the Linux kernel, the following vulnerability has been resolved:

virtio/vsock: Fix uninit-value in virtio_transport_recv_pkt()

KMSAN reported the following uninit-value access issue:

```
=====================================================
BUG: KMSAN: uninit-value in virtio_transport_recv_pkt+0x1dfb/0x26a0 net/vmw_vsock/virtio_transport_common.c:1421
 virtio_transport_recv_pkt+0x1dfb/0x26a0 net/vmw_vsock/virtio_transport_common.c:1421
 vsock_loopback_work+0x3bb/0x5a0 net/vmw_vsock/vsock_loopback.c:120
 process_one_work kernel/workqueue.c:2630 [inline]
 process_scheduled_works+0xff6/0x1e60 kernel/workqueue.c:2703
 worker_thread+0xeca/0x14d0 kernel/workqueue.c:2784
 kthread+0x3cc/0x520 kernel/kthread.c:388
 ret_from_fork+0x66/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304

Uninit was stored to memory at:
 virtio_transport_space_update net/vmw_vsock/virtio_transport_common.c:1274 [inline]
 virtio_transport_recv_pkt+0x1ee8/0x26a0 net/vmw_vsock/virtio_transport_common.c:1415
 vsock_loopback_work+0x3bb/0x5a0 net/vmw_vsock/vsock_loopback.c:120
 process_one_work kernel/workqueue.c:2630 [inline]
 process_scheduled_works+0xff6/0x1e60 kernel/workqueue.c:2703
 worker_thread+0xeca/0x14d0 kernel/workqueue.c:2784
 kthread+0x3cc/0x520 kernel/kthread.c:388
 ret_from_fork+0x66/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304

Uninit was created at:
 slab_post_alloc_hook+0x105/0xad0 mm/slab.h:767
 slab_alloc_node mm/slub.c:3478 [inline]
 kmem_cache_alloc_node+0x5a2/0xaf0 mm/slub.c:3523
 kmalloc_reserve+0x13c/0x4a0 net/core/skbuff.c:559
 __alloc_skb+0x2fd/0x770 net/core/skbuff.c:650
 alloc_skb include/linux/skbuff.h:1286 [inline]
 virtio_vsock_alloc_skb include/linux/virtio_vsock.h:66 [inline]
 virtio_transport_alloc_skb+0x90/0x11e0 net/vmw_vsock/virtio_transport_common.c:58
 virtio_transport_reset_no_sock net/vmw_vsock/virtio_transport_common.c:957 [inline]
 virtio_transport_recv_pkt+0x1279/0x26a0 net/vmw_vsock/virtio_transport_common.c:1387
 vsock_loopback_work+0x3bb/0x5a0 net/vmw_vsock/vsock_loopback.c:120
 process_one_work kernel/workqueue.c:2630 [inline]
 process_scheduled_works+0xff6/0x1e60 kernel/workqueue.c:2703
 worker_thread+0xeca/0x14d0 kernel/workqueue.c:2784
 kthread+0x3cc/0x520 kernel/kthread.c:388
 ret_from_fork+0x66/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304

CPU: 1 PID: 10664 Comm: kworker/1:5 Not tainted 6.6.0-rc3-00146-g9f3ebbef746f #3
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-1.fc38 04/01/2014
Workqueue: vsock-loopback vsock_loopback_work
=====================================================
```

The following simple reproducer can cause the issue described above:

```c
#include <sys/socket.h>
#include <linux/vm_sockets.h>
#include <unistd.h>

int main(void)
{
	int sock;
	struct sockaddr_vm addr = {
		.svm_family = AF_VSOCK,
		.svm_cid = VMADDR_CID_ANY,
		.svm_port = 1234,
	};

	sock = socket(AF_VSOCK, SOCK_STREAM, 0);
	if (sock < 0)
		return 1;
	/* Nothing listens on port 1234, so the receiving side answers with a
	 * reset built by virtio_transport_reset_no_sock(), the allocation site
	 * shown in the KMSAN report above. */
	connect(sock, (struct sockaddr *)&addr, sizeof(addr));
	close(sock);
	return 0;
}
```
This issue occurs because the buf_alloc and fwd_cnt fields of the struct virtio_vsock_hdr are not initialized when a new skb is allocated in virtio_transport_init_hdr(). This patch resolves the issue by initializing these fields during allocation.
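The following is an added example, not code from the kernel or from the fix commit. It models in userspace the bug the commit message describes: a header initializer that writes every field except buf_alloc and fwd_cnt, the receive-side bookkeeping that then consumes those two fields as the peer's flow-control credit (what virtio_transport_space_update() does with them in the trace above), and a differential-poison check that counts the header bytes an initializer never wrote. The struct layout follows the UAPI struct virtio_vsock_hdr; the helper names (fill_hdr_common, init_hdr_buggy, init_hdr_fixed, peer_space_update, credit_after, count_uninit_bytes), the struct peer_credit, the 0xAA/0x55 poison values and the sample field values are assumptions made for illustration. The fixed initializer zeroes the two fields; the point is only that they are written before the packet is queued.

```c
/* Added example for CVE-2023-52842 (not kernel code): userspace model of a
 * header initialiser that forgets two fields, the receive-side code that
 * consumes them, and a differential-poison check that finds unwritten bytes.
 * Assumptions: helper names, the 0xAA/0x55 poison values, struct peer_credit
 * and the sample field values are invented here; the header layout follows
 * the UAPI struct virtio_vsock_hdr (host byte order instead of __le*). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct virtio_vsock_hdr {
	uint64_t src_cid;
	uint64_t dst_cid;
	uint32_t src_port;
	uint32_t dst_port;
	uint32_t len;
	uint16_t type;
	uint16_t op;
	uint32_t flags;
	uint32_t buf_alloc;   /* peer's receive buffer size (credit)        */
	uint32_t fwd_cnt;     /* bytes the peer has consumed so far (credit) */
} __attribute__((packed));

/* Flow-control state a receiver keeps about its peer, modelled on what
 * virtio_transport_space_update() stores from every accepted header. */
struct peer_credit {
	uint32_t peer_buf_alloc;
	uint32_t peer_fwd_cnt;
};

typedef void (*hdr_init_fn)(struct virtio_vsock_hdr *hdr);

/* Fields both the buggy and the fixed path write: addressing, length, type,
 * op and flags, with values a reset to an unconnected port would carry. */
static void fill_hdr_common(struct virtio_vsock_hdr *hdr)
{
	hdr->src_cid = 2;      /* VMADDR_CID_HOST */
	hdr->dst_cid = 1;      /* VMADDR_CID_LOCAL */
	hdr->src_port = 1234;
	hdr->dst_port = 4096;
	hdr->len = 0;
	hdr->type = 1;         /* VIRTIO_VSOCK_TYPE_STREAM */
	hdr->op = 3;           /* VIRTIO_VSOCK_OP_RST */
	hdr->flags = 0;
}

/* Pre-fix behaviour: buf_alloc and fwd_cnt are never written, so they keep
 * whatever the freshly allocated skb already contained. */
static void init_hdr_buggy(struct virtio_vsock_hdr *hdr)
{
	fill_hdr_common(hdr);
}

/* Post-fix behaviour: the credit fields are set explicitly as well. */
static void init_hdr_fixed(struct virtio_vsock_hdr *hdr)
{
	fill_hdr_common(hdr);
	hdr->buf_alloc = 0;
	hdr->fwd_cnt = 0;
}

/* Receive side: copy the peer's credit fields into socket state. With the
 * buggy initialiser this is where stale memory becomes flow-control input. */
static struct peer_credit peer_space_update(const struct virtio_vsock_hdr *hdr)
{
	struct peer_credit c = { hdr->buf_alloc, hdr->fwd_cnt };
	return c;
}

/* End to end: a header built on "dirty" memory, then parsed by the receiver. */
static struct peer_credit credit_after(hdr_init_fn init)
{
	struct virtio_vsock_hdr hdr;

	memset(&hdr, 0xAA, sizeof(hdr));  /* stands in for stale slab contents */
	init(&hdr);
	return peer_space_update(&hdr);
}

/* Differential-poison check, a cheap stand-in for KMSAN's shadow tracking:
 * run the initialiser over two differently poisoned copies; every byte that
 * still differs afterwards was never written. Returns that byte count. */
static size_t count_uninit_bytes(hdr_init_fn init)
{
	struct virtio_vsock_hdr a, b;
	const unsigned char *pa = (const unsigned char *)&a;
	const unsigned char *pb = (const unsigned char *)&b;
	size_t i, n = 0;

	memset(&a, 0xAA, sizeof(a));
	memset(&b, 0x55, sizeof(b));
	init(&a);
	init(&b);
	for (i = 0; i < sizeof(a); i++)
		if (pa[i] != pb[i])
			n++;
	return n;
}

int main(void)
{
	struct peer_credit c;

	printf("buggy init leaves %zu of %zu header bytes unwritten\n",
	       count_uninit_bytes(init_hdr_buggy), sizeof(struct virtio_vsock_hdr));
	printf("fixed init leaves %zu bytes unwritten\n",
	       count_uninit_bytes(init_hdr_fixed));
	c = credit_after(init_hdr_buggy);
	printf("buggy: peer_buf_alloc=0x%08x peer_fwd_cnt=0x%08x\n",
	       c.peer_buf_alloc, c.peer_fwd_cnt);
	c = credit_after(init_hdr_fixed);
	printf("fixed: peer_buf_alloc=0x%08x peer_fwd_cnt=0x%08x\n",
	       c.peer_buf_alloc, c.peer_fwd_cnt);
	return 0;
}
```

With the buggy initializer the receiver's peer_buf_alloc and peer_fwd_cnt take whatever the allocator left behind (0xAAAAAAAA in this model), which is exactly the "uninit was stored to memory at: virtio_transport_space_update" line in the report; the count_uninit_bytes() check reports 8 unwritten bytes for the buggy path (the two 32-bit credit fields) and 0 for the fixed one. The same two-poison trick is a quick way to audit any packet-header builder for fields that a later code path reads but no path writes.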
OS | Version | Architecture | Package | Package version | Filename |
---|---|---|---|---|---|
ubuntu | 22.04 | noarch | linux-aws-6.5 | < any | UNKNOWN |
ubuntu | 22.04 | noarch | linux-azure-6.5 | < any | UNKNOWN |
ubuntu | 22.04 | noarch | linux-gcp-6.5 | < any | UNKNOWN |
ubuntu | 22.04 | noarch | linux-nvidia-6.5 | < any | UNKNOWN |
ubuntu | 22.04 | noarch | linux-oem-6.5 | < any | UNKNOWN |
ubuntu | 22.04 | noarch | linux-oracle-6.5 | < any | UNKNOWN |
ubuntu | 22.04 | noarch | linux-starfive-6.5 | < any | UNKNOWN |
git.kernel.org/linus/34c4effacfc329aeca5635a69fd9e0f6c90b4101 (6.7-rc1)
git.kernel.org/stable/c/0b8906fb48b99e993d6e8a12539f618f4854dd26
git.kernel.org/stable/c/34c4effacfc329aeca5635a69fd9e0f6c90b4101
git.kernel.org/stable/c/cd12535b97dd7d18cf655ec78ce1cf1f29a576be
launchpad.net/bugs/cve/CVE-2023-52842
nvd.nist.gov/vuln/detail/CVE-2023-52842
security-tracker.debian.org/tracker/CVE-2023-52842
www.cve.org/CVERecord?id=CVE-2023-52842