National Cybersecurity Institute (INCIBE). INCIBE-CERT section

CVE-2023-54137

Severity:
Pending analysis
Type:
Not available / Other
Publication date:
24/12/2025
Last modified:
24/12/2025

Description

*** Pending translation *** In the Linux kernel, the following vulnerability has been resolved:

vfio/type1: fix cap_migration information leak

Fix an information leak where an uninitialized hole in struct vfio_iommu_type1_info_cap_migration on the stack is exposed to userspace.

The definition of struct vfio_iommu_type1_info_cap_migration contains a hole as shown in this pahole(1) output:

    struct vfio_iommu_type1_info_cap_migration {
            struct vfio_info_cap_header header;        /*  0  8 */
            __u32  flags;                              /*  8  4 */

            /* XXX 4 bytes hole, try to pack */

            __u64  pgsize_bitmap;                      /* 16  8 */
            __u64  max_dirty_bitmap_size;              /* 24  8 */

            /* size: 32, cachelines: 1, members: 4 */
            /* sum members: 28, holes: 1, sum holes: 4 */
            /* last cacheline: 32 bytes */
    };

The cap_mig variable is filled in without initializing the hole:

    static int vfio_iommu_migration_build_caps(struct vfio_iommu *iommu,
                                               struct vfio_info_cap *caps)
    {
            struct vfio_iommu_type1_info_cap_migration cap_mig;

            cap_mig.header.id = VFIO_IOMMU_TYPE1_INFO_CAP_MIGRATION;
            cap_mig.header.version = 1;

            cap_mig.flags = 0;
            /* support minimum pgsize */
            cap_mig.pgsize_bitmap = (size_t)1 id, cap->version);
            if (IS_ERR(header))
                    return PTR_ERR(header);

            memcpy(header + 1, cap + 1, size - sizeof(*header));

            return 0;
    }

This issue was found by code inspection.
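The description above explains the bug class rather than just the fix: member-by-member assignment never touches compiler-inserted padding, so whatever stale bytes occupy the hole travel along when the whole struct is copied out. The following is an added, self-contained example (not code from the kernel commit or from INCIBE) that reproduces the pattern with a constructed stand-in struct that has the same layout as the pahole output (8-byte header, 4-byte flags, 4-byte hole, two 8-byte fields). It poisons a struct object with a known byte pattern to play the role of a dirty stack, fills it the leaky way and the hardened way, and counts how many poison bytes survive in the hole. The struct, field names, POISON constant and the memset-before-fill remedy are this example's own choices, not taken from the patch.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for vfio_info_cap_header: 8 bytes, 4-byte aligned. */
struct cap_header {
    uint16_t id;
    uint16_t version;
    uint32_t next;
};

/* Constructed stand-in for vfio_iommu_type1_info_cap_migration.
 * The uint64_t members force 8-byte alignment, which opens a hole
 * between the end of `flags` (offset 12) and `pgsize_bitmap`. */
struct cap_migration {
    struct cap_header header;       /* offset 0, 8 bytes */
    uint32_t flags;                 /* offset 8, 4 bytes */
    /* compiler-inserted hole here on 64-bit ABIs */
    uint64_t pgsize_bitmap;         /* offset 16, 8 bytes */
    uint64_t max_dirty_bitmap_size; /* offset 24, 8 bytes */
};

#define POISON 0xAA /* constructed "stale stack" byte pattern */

/* Hole geometry derived from the compiler's actual layout, not hard-coded. */
size_t hole_offset(void)
{
    return offsetof(struct cap_migration, flags) + sizeof(uint32_t);
}

size_t hole_size(void)
{
    return offsetof(struct cap_migration, pgsize_bitmap) - hole_offset();
}

/* Leaky pattern (mirrors the description): every named member is set,
 * but the padding bytes keep whatever the storage held before. */
void build_caps_leaky(struct cap_migration *cap)
{
    cap->header.id = 1;
    cap->header.version = 1;
    cap->header.next = 0;
    cap->flags = 0;
    cap->pgsize_bitmap = (uint64_t)1 << 12;
    cap->max_dirty_bitmap_size = 0;
}

/* Hardened pattern: zero the whole object, padding included, then fill.
 * memset is the conventional remedy for this bug class; it is this
 * example's choice, not a claim about what the kernel patch does. */
void build_caps_fixed(struct cap_migration *cap)
{
    memset(cap, 0, sizeof(*cap));
    build_caps_leaky(cap); /* member stores are fine once padding is clean */
}

/* Count bytes inside the hole that still carry the poison pattern.
 * Inspecting an object through unsigned char * is well-defined C. */
size_t leaked_bytes(const struct cap_migration *cap)
{
    const unsigned char *p = (const unsigned char *)cap;
    size_t n = 0;
    for (size_t i = hole_offset(); i < hole_offset() + hole_size(); i++)
        if (p[i] == POISON)
            n++;
    return n;
}

/* Poison a struct object (standing in for a dirty stack frame), build it
 * with the chosen pattern, and report how many poison bytes would be
 * copied to userspace along with the legitimate fields. */
size_t demo(int fixed)
{
    struct cap_migration cap;
    memset(&cap, POISON, sizeof cap);
    if (fixed)
        build_caps_fixed(&cap);
    else
        build_caps_leaky(&cap);
    return leaked_bytes(&cap);
}

int main(void)
{
    printf("hole at offset %zu, %zu bytes\n", hole_offset(), hole_size());
    printf("leaky builder: %zu stale byte(s) in hole\n", demo(0));
    printf("fixed builder: %zu stale byte(s) in hole\n", demo(1));
    return 0;
}
```

Running it on a 64-bit target prints a 4-byte hole at offset 12, with the leaky builder leaving all four poison bytes in place and the fixed builder leaving none. The same offsetof/sizeof arithmetic is a cheap check to script over any struct that is copied to userspace: if `sizeof` exceeds the sum of member sizes, the copy routine must clear or avoid the difference.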

Impact