* [PATCH] iommufd: Make sure to zero vfio_iommu_type1_info before copying to user
@ 2023-02-13 14:32 Jason Gunthorpe
  2023-02-14  3:28 ` Tian, Kevin
  2023-02-14 20:48 ` Jason Gunthorpe
  0 siblings, 2 replies; 3+ messages in thread
From: Jason Gunthorpe @ 2023-02-13 14:32 UTC (permalink / raw)
  To: iommu
  Cc: Eric Auger, Kevin Tian, Lixiao Yang, Matthew Rosato,
	Nicolin Chen, syzbot+cb1e0978f6bf46b83a58, Yi Liu

Missed a zero initialization here. Most of the struct is filled with
a copy_from_user(), however minsz for that copy is smaller than the
actual struct by 8 bytes, thus we don't fill the padding.

Cc: stable@vger.kernel.org # 6.1+
Fixes: d624d6652a65 ("iommufd: vfio container FD ioctl compatibility")
Reported-by: syzbot+cb1e0978f6bf46b83a58@syzkaller.appspotmail.com
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
---
 drivers/iommu/iommufd/vfio_compat.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/iommu/iommufd/vfio_compat.c b/drivers/iommu/iommufd/vfio_compat.c
index 3ceca0e8311c39..dba88ee1d45710 100644
--- a/drivers/iommu/iommufd/vfio_compat.c
+++ b/drivers/iommu/iommufd/vfio_compat.c
@@ -381,7 +381,7 @@ static int iommufd_vfio_iommu_get_info(struct iommufd_ctx *ictx,
 	};
 	size_t minsz = offsetofend(struct vfio_iommu_type1_info, iova_pgsizes);
 	struct vfio_info_cap_header __user *last_cap = NULL;
-	struct vfio_iommu_type1_info info;
+	struct vfio_iommu_type1_info info = {};
 	struct iommufd_ioas *ioas;
 	size_t total_cap_size;
 	int rc;
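Review bot: the `= {}` on `info` is the only thing that clears the bytes past `minsz`, and nothing at the declaration says so. A one-line comment next to `struct vfio_iommu_type1_info info = {};` tying it to the `minsz` computed two lines above (the copy-in stops at the end of `iova_pgsizes`) would keep a later cleanup from dropping the initializer as redundant. An explicit memset() over sizeof(info) would state the same intent for every byte that can be copied back out, if that reads better here.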

base-commit: c13a5b88359b9c1791e8713df06a40ed8da88ef8
-- 
2.39.1
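
The failure mode the commit message describes, as an added userspace model (not code from the patch or the kernel tree). `demo_info`, `demo_get_info`, `demo_leak`, the 0xAA marker, the field layout and the full-size copy-out are assumptions made for illustration; memcpy() stands in for copy_from_user()/copy_to_user().

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout: the copy-in stops 8 bytes short of the struct's end. */
struct demo_info {
	uint32_t argsz;
	uint32_t flags;
	uint64_t iova_pgsizes;
	uint32_t cap_offset;
	uint32_t pad;
};

/* Same idea as offsetofend(struct ..., iova_pgsizes) in the hunk. */
#define DEMO_MINSZ (offsetof(struct demo_info, iova_pgsizes) + \
		    sizeof(((struct demo_info *)0)->iova_pgsizes))
#define STALE 0xAA	/* constructed marker standing in for old stack bytes */

/* 'slot' plays the stack slot that 'info' occupies in the handler.
 * Returns how many STALE bytes reach the caller's output buffer. */
static size_t demo_get_info(int zero_init, const void *user_in,
			    unsigned char *user_out)
{
	unsigned char slot[sizeof(struct demo_info)];
	size_t i, leaked = 0;

	memset(slot, STALE, sizeof(slot));	/* whatever was there before */
	if (zero_init)
		memset(slot, 0, sizeof(slot));	/* models "info = {}" */
	memcpy(slot, user_in, DEMO_MINSZ);	/* copy-in covers minsz only */
	memcpy(user_out, slot, sizeof(slot));	/* copy-out of the whole struct */

	for (i = DEMO_MINSZ; i < sizeof(slot); i++)
		leaked += (user_out[i] == STALE);
	return leaked;
}

static size_t demo_leak(int zero_init)
{
	struct demo_info req = { .argsz = sizeof(req) };  /* constructed request */
	unsigned char out[sizeof(struct demo_info)];

	return demo_get_info(zero_init, &req, out);
}

int main(void)
{
	printf("stale bytes: before=%zu after=%zu\n", demo_leak(0), demo_leak(1));
	return 0;
}
```
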



* RE: [PATCH] iommufd: Make sure to zero vfio_iommu_type1_info before copying to user
  2023-02-13 14:32 [PATCH] iommufd: Make sure to zero vfio_iommu_type1_info before copying to user Jason Gunthorpe
@ 2023-02-14  3:28 ` Tian, Kevin
  2023-02-14 20:48 ` Jason Gunthorpe
  1 sibling, 0 replies; 3+ messages in thread
From: Tian, Kevin @ 2023-02-14  3:28 UTC (permalink / raw)
  To: Jason Gunthorpe, iommu
  Cc: Eric Auger, Yang, Lixiao, Matthew Rosato, Nicolin Chen,
	syzbot+cb1e0978f6bf46b83a58, Liu, Yi L

> From: Jason Gunthorpe <jgg@nvidia.com>
> Sent: Monday, February 13, 2023 10:32 PM
> 
> Missed a zero initialization here. Most of the struct is filled with
> a copy_from_user(), however minsz for that copy is smaller than the
> actual struct by 8 bytes, thus we don't fill the padding.
> 
> Cc: stable@vger.kernel.org # 6.1+
> Fixes: d624d6652a65 ("iommufd: vfio container FD ioctl compatibility")
> Reported-by: syzbot+cb1e0978f6bf46b83a58@syzkaller.appspotmail.com
> Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>

Reviewed-by: Kevin Tian <kevin.tian@intel.com>


* Re: [PATCH] iommufd: Make sure to zero vfio_iommu_type1_info before copying to user
  2023-02-13 14:32 [PATCH] iommufd: Make sure to zero vfio_iommu_type1_info before copying to user Jason Gunthorpe
  2023-02-14  3:28 ` Tian, Kevin
@ 2023-02-14 20:48 ` Jason Gunthorpe
  1 sibling, 0 replies; 3+ messages in thread
From: Jason Gunthorpe @ 2023-02-14 20:48 UTC (permalink / raw)
  To: iommu
  Cc: Eric Auger, Kevin Tian, Lixiao Yang, Matthew Rosato,
	Nicolin Chen, syzbot+cb1e0978f6bf46b83a58, Yi Liu

On Mon, Feb 13, 2023 at 10:32:21AM -0400, Jason Gunthorpe wrote:
> Missed a zero initialization here. Most of the struct is filled with
> a copy_from_user(), however minsz for that copy is smaller than the
> actual struct by 8 bytes, thus we don't fill the padding.
> 
> Cc: stable@vger.kernel.org # 6.1+
> Fixes: d624d6652a65 ("iommufd: vfio container FD ioctl compatibility")
> Reported-by: syzbot+cb1e0978f6bf46b83a58@syzkaller.appspotmail.com
> Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
> ---
>  drivers/iommu/iommufd/vfio_compat.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)

Applied

Jason
