Patch "iommufd: Make sure to zero vfio_iommu_type1_info before copying to user" has been added to the 6.2-stable tree

This is a note to let you know that I've just added the patch titled

    iommufd: Make sure to zero vfio_iommu_type1_info before copying to user

to the 6.2-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     iommufd-make-sure-to-zero-vfio_iommu_type1_info-before-copying-to-user.patch
and it can be found in the queue-6.2 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.


From b3551ead616318ea155558cdbe7e91495b8d9b33 Mon Sep 17 00:00:00 2001
From: Jason Gunthorpe <jgg@xxxxxxxxxx>
Date: Mon, 13 Feb 2023 10:32:21 -0400
Subject: iommufd: Make sure to zero vfio_iommu_type1_info before copying to user

From: Jason Gunthorpe <jgg@xxxxxxxxxx>

commit b3551ead616318ea155558cdbe7e91495b8d9b33 upstream.

Missed a zero initialization here. Most of the struct is filled with
a copy_from_user(), however minsz for that copy is smaller than the
actual struct by 8 bytes, thus we don't fill the padding.

Cc: stable@xxxxxxxxxxxxxxx # 6.1+
Fixes: d624d6652a65 ("iommufd: vfio container FD ioctl compatibility")
Link: https://lore.kernel.org/r/0-v1-a74499ece799+1a-iommufd_get_info_leak_jgg@xxxxxxxxxx
Reviewed-by: Kevin Tian <kevin.tian@xxxxxxxxx>
Reported-by: syzbot+cb1e0978f6bf46b83a58@xxxxxxxxxxxxxxxxxxxxxxxxx
Signed-off-by: Jason Gunthorpe <jgg@xxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
 drivers/iommu/iommufd/vfio_compat.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/iommu/iommufd/vfio_compat.c
+++ b/drivers/iommu/iommufd/vfio_compat.c
@@ -381,7 +381,7 @@ static int iommufd_vfio_iommu_get_info(s
 	};
 	size_t minsz = offsetofend(struct vfio_iommu_type1_info, iova_pgsizes);
 	struct vfio_info_cap_header __user *last_cap = NULL;
-	struct vfio_iommu_type1_info info;
+	struct vfio_iommu_type1_info info = {};
 	struct iommufd_ioas *ioas;
 	size_t total_cap_size;
 	int rc;
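Review bot: the `= {}` initializer on the `struct vfio_iommu_type1_info info` line covers the 8 bytes between `minsz` (which ends at `iova_pgsizes`) and `sizeof(info)` only if those bytes are named members; the C standard does not guarantee that an empty initializer zeroes compiler-inserted padding, and the commit message describes the unfilled tail as "padding". If any of that tail is implicit padding rather than declared fields, `memset(&info, 0, sizeof(info));` before the `copy_from_user()` is the form that is guaranteed to clear every byte later handed to `copy_to_user()`. It would also help to state in the commit message that the unfilled bytes are returned to user space verbatim, so the severity (kernel stack disclosure) is visible to stable reviewers.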


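The pattern the commit message describes, as an added stand-alone example that is not part of this patch or the kernel tree: a stack-allocated argument struct is filled from user space only up to `minsz`, then copied back in full, so whatever the stack held beyond `minsz` is disclosed unless the struct is zeroed first. The `type1_info` layout below is a constructed stand-in assumed to mirror the VFIO UAPI field order; only `iova_pgsizes` is named on this page.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed stand-in for struct vfio_iommu_type1_info (assumed layout). */
struct type1_info {
    uint32_t argsz;
    uint32_t flags;
    uint64_t iova_pgsizes;
    uint32_t cap_offset;   /* these 8 bytes lie past minsz and are */
    uint32_t pad;          /* never written by copy_from_user()      */
};

/* Same computation as offsetofend(struct ..., iova_pgsizes) in the hunk. */
#define MINSZ (offsetof(struct type1_info, iova_pgsizes) + sizeof(uint64_t))

#define STALE 0xAA   /* marker standing in for leftover kernel stack bytes */

/* Emulates the ioctl handler. zero_init=0 is the pre-patch code path,
 * zero_init=1 is the patched `info = {}` behaviour. */
static void get_info(const struct type1_info *user_in,
                     struct type1_info *user_out, int zero_init)
{
    struct type1_info info;
    if (zero_init)
        memset(&info, 0, sizeof(info));      /* patched: nothing stale survives */
    else
        memset(&info, STALE, sizeof(info));  /* unpatched: stale stack contents */
    memcpy(&info, user_in, MINSZ);           /* copy_from_user(&info, arg, minsz) */
    info.flags = 1;                          /* values the handler actually sets */
    info.iova_pgsizes = 4096;
    memcpy(user_out, &info, sizeof(info));   /* copy_to_user(arg, &info, sizeof(info)) */
}

/* Counts bytes past minsz that reach user space still holding the stale marker. */
int leaked_bytes(int zero_init)
{
    struct type1_info in = { .argsz = sizeof(in) };   /* constructed user input */
    struct type1_info out;
    memset(&out, 0, sizeof(out));
    get_info(&in, &out, zero_init);
    const unsigned char *p = (const unsigned char *)&out;
    int n = 0;
    for (size_t i = MINSZ; i < sizeof(out); i++)
        if (p[i] == STALE)
            n++;
    return n;
}

int main(void)
{
    printf("unpatched leaks %d bytes, patched leaks %d bytes\n",
           leaked_bytes(0), leaked_bytes(1));
    return 0;
}
```

A detection-oriented check for this class of bug is to run such handlers under KMSAN or a syzkaller-style harness that compares the bytes returned past `minsz` against a known marker, which is how the report on this patch was produced.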
Patches currently in stable-queue which might be from jgg@xxxxxxxxxx are

queue-6.2/rdma-rxe-replace-rxe_map-and-rxe_phys_buf-by-xarray.patch
queue-6.2/iommu-attach-device-group-to-old-domain-in-error-path.patch
queue-6.2/iommu-fix-error-unwind-in-iommu_group_alloc.patch
queue-6.2/selftests-iommu-fix-test_cmd_destroy_access-call-in-.patch
queue-6.2/rdma-rxe-isolate-mr-code-from-atomic_reply.patch
queue-6.2/rdma-siw-fix-user-page-pinning-accounting.patch
queue-6.2/vfio-fix-null-pointer-dereference-caused-by-uninitialized-group-iommufd.patch
queue-6.2/rdma-rxe-isolate-mr-code-from-atomic_write_reply.patch
queue-6.2/iommufd-add-three-missing-structures-in-ucmd_buffer.patch
queue-6.2/rdma-rxe-move-rxe_map_mr_sg-to-rxe_mr.c.patch
queue-6.2/subject-rdma-rxe-handle-zero-length-rdma.patch
queue-6.2/vfio-type1-prevent-underflow-of-locked_vm-via-exec.patch
queue-6.2/rdma-rxe-fix-missing-memory-barriers-in-rxe_queue.h.patch
queue-6.2/rdma-mana_ib-fix-a-bug-when-the-pf-indicates-more-en.patch
queue-6.2/vfio-type1-restore-locked_vm.patch
queue-6.2/ib-hfi1-fix-math-bugs-in-hfi1_can_pin_pages.patch
queue-6.2/rdma-rxe-cleanup-mr_check_range.patch
queue-6.2/iommufd-do-not-add-the-same-hwpt-to-the-ioas-hwpt_list-twice.patch
queue-6.2/ib-hfi1-fix-sdma.h-tx-num_descs-off-by-one-errors.patch
queue-6.2/rdma-rxe-cleanup-page-variables-in-rxe_mr.c.patch
queue-6.2/vfio-type1-exclude-mdevs-from-vfio_update_vaddr.patch
queue-6.2/iommufd-make-sure-to-zero-vfio_iommu_type1_info-before-copying-to-user.patch
queue-6.2/vfio-type1-track-locked_vm-per-dma.patch