A flaw was found in vDPA with the VDUSE backend. There are currently no checks in the VDUSE kernel driver to ensure the size of the device config space is in line with the features advertised by the VDUSE userspace application. In case of a mismatch, the Virtio drivers' config read helpers do not initialize the memory indirectly passed to vduse_vdpa_get_config(), returning uninitialized memory from the stack. This could cause undefined behavior or data leaks in Virtio drivers.
Is there more information available on this issue? Is it known and fixed in upstream?
In reply to comment #3:
> Is there more information available on this issue? Is it known and fixed in
> upstream?

Not yet, a patch is going to be posted upstream soon. Thanks.
In reply to comment #4:
> Not yet, a patch is going to be posted upstream soon. Thanks.

https://lore.kernel.org/lkml/20220831154923.97809-1-maxime.coquelin@redhat.com/T/

To the best of our knowledge, the kernel stack is not directly propagated to userspace, but in the worst case scenario (capacity field in Virtio-blk, which can be displayed in set_capacity_and_notify) it could be printed in the kernel logs.
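The mismatch described in the report, as an added illustrative example (not the kernel's code and not the upstream patch): a simplified userspace model of a get_config callback in its unchecked form beside a version that zero-fills the caller's buffer and clamps the copy to the advertised config size. The struct, field and function names are hypothetical, and the expected value assumes a little-endian host.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of a VDUSE device: userspace advertises
 * config_size and supplies the config bytes (not the kernel struct). */
struct vduse_dev_model {
    uint32_t config_size;
    const uint8_t *config;
};

/* Unchecked pattern from the report: if the driver reads a field that
 * lies beyond the advertised config space, nothing is copied and the
 * caller's stack buffer keeps whatever it held before the call. */
void get_config_unchecked(const struct vduse_dev_model *dev,
                          unsigned int offset, void *buf, unsigned int len)
{
    if (offset + len <= dev->config_size)
        memcpy(buf, dev->config + offset, len);
}

/* Hardened pattern: define the whole output buffer first, then copy
 * only the bytes that exist, guarding the offset arithmetic. */
void get_config_checked(const struct vduse_dev_model *dev,
                        unsigned int offset, void *buf, unsigned int len)
{
    memset(buf, 0, len);
    if (offset > dev->config_size)
        return;
    unsigned int avail = dev->config_size - offset;
    memcpy(buf, dev->config + offset, len < avail ? len : avail);
}

/* Simulate a virtio-blk driver reading the 64-bit capacity field from a
 * device that advertised only 4 config bytes (constructed sample).
 * `poison` stands in for the stale stack contents of the local. */
uint64_t read_capacity(int hardened, uint64_t poison)
{
    static const uint8_t cfg[4] = {0x10, 0x00, 0x00, 0x00};
    struct vduse_dev_model dev = { .config_size = 4, .config = cfg };
    uint64_t capacity = poison;          /* models uninitialized stack */
    if (hardened)
        get_config_checked(&dev, 0, &capacity, sizeof capacity);
    else
        get_config_unchecked(&dev, 0, &capacity, sizeof capacity);
    return capacity;
}

int main(void)
{
    unsigned long long p = 0xdeadbeefcafef00dULL;
    printf("unchecked capacity: %#llx\n", (unsigned long long)read_capacity(0, p));
    printf("checked capacity:   %#llx\n", (unsigned long long)read_capacity(1, p));
    return 0;
}
```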
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2126109]
This was fixed for Fedora with the 5.19.14 stable kernel updates.
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-2308