CVE-2023-52842

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
21/05/2024
Last modified:
31/12/2024

Description

In the Linux kernel, the following vulnerability has been resolved:

virtio/vsock: Fix uninit-value in virtio_transport_recv_pkt()

KMSAN reported the following uninit-value access issue:

=====================================================
BUG: KMSAN: uninit-value in virtio_transport_recv_pkt+0x1dfb/0x26a0 net/vmw_vsock/virtio_transport_common.c:1421
 virtio_transport_recv_pkt+0x1dfb/0x26a0 net/vmw_vsock/virtio_transport_common.c:1421
 vsock_loopback_work+0x3bb/0x5a0 net/vmw_vsock/vsock_loopback.c:120
 process_one_work kernel/workqueue.c:2630 [inline]
 process_scheduled_works+0xff6/0x1e60 kernel/workqueue.c:2703
 worker_thread+0xeca/0x14d0 kernel/workqueue.c:2784
 kthread+0x3cc/0x520 kernel/kthread.c:388
 ret_from_fork+0x66/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304

Uninit was stored to memory at:
 virtio_transport_space_update net/vmw_vsock/virtio_transport_common.c:1274 [inline]
 virtio_transport_recv_pkt+0x1ee8/0x26a0 net/vmw_vsock/virtio_transport_common.c:1415
 vsock_loopback_work+0x3bb/0x5a0 net/vmw_vsock/vsock_loopback.c:120
 process_one_work kernel/workqueue.c:2630 [inline]
 process_scheduled_works+0xff6/0x1e60 kernel/workqueue.c:2703
 worker_thread+0xeca/0x14d0 kernel/workqueue.c:2784
 kthread+0x3cc/0x520 kernel/kthread.c:388
 ret_from_fork+0x66/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304

Uninit was created at:
 slab_post_alloc_hook+0x105/0xad0 mm/slab.h:767
 slab_alloc_node mm/slub.c:3478 [inline]
 kmem_cache_alloc_node+0x5a2/0xaf0 mm/slub.c:3523
 kmalloc_reserve+0x13c/0x4a0 net/core/skbuff.c:559
 __alloc_skb+0x2fd/0x770 net/core/skbuff.c:650
 alloc_skb include/linux/skbuff.h:1286 [inline]
 virtio_vsock_alloc_skb include/linux/virtio_vsock.h:66 [inline]
 virtio_transport_alloc_skb+0x90/0x11e0 net/vmw_vsock/virtio_transport_common.c:58
 virtio_transport_reset_no_sock net/vmw_vsock/virtio_transport_common.c:957 [inline]
 virtio_transport_recv_pkt+0x1279/0x26a0 net/vmw_vsock/virtio_transport_common.c:1387
 vsock_loopback_work+0x3bb/0x5a0 net/vmw_vsock/vsock_loopback.c:120
 process_one_work kernel/workqueue.c:2630 [inline]
 process_scheduled_works+0xff6/0x1e60 kernel/workqueue.c:2703
 worker_thread+0xeca/0x14d0 kernel/workqueue.c:2784
 kthread+0x3cc/0x520 kernel/kthread.c:388
 ret_from_fork+0x66/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304

CPU: 1 PID: 10664 Comm: kworker/1:5 Not tainted 6.6.0-rc3-00146-g9f3ebbef746f #3
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-1.fc38 04/01/2014
Workqueue: vsock-loopback vsock_loopback_work
=====================================================

The following simple reproducer can cause the issue described above:

    /* Headers needed to build the reproducer as given. */
    #include <sys/socket.h>
    #include <linux/vm_sockets.h>

    int main(void)
    {
    	int sock;
    	/* Connect to a port on the local CID where nothing is listening. */
    	struct sockaddr_vm addr = {
    		.svm_family = AF_VSOCK,
    		.svm_cid = VMADDR_CID_ANY,
    		.svm_port = 1234,
    	};

    	sock = socket(AF_VSOCK, SOCK_STREAM, 0);
    	/* The failed connect makes the transport send a reset for a socket that does not exist. */
    	connect(sock, (struct sockaddr *)&addr, sizeof(addr));
    	return 0;
    }

This issue occurs because the `buf_alloc` and `fwd_cnt` fields of the
`struct virtio_vsock_hdr` are not initialized when a new skb is allocated
in `virtio_transport_init_hdr()`. This patch resolves the issue by
initializing these fields during allocation.
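The defect and its fix modelled in user space, as an added example that is not the kernel's code and not part of this record: the struct copies the field layout of struct virtio_vsock_hdr, a 0xAA fill stands in for the never-written slab bytes KMSAN flagged, and the CIDs, ports and the RST opcode value 3 are assumed constants.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#define POISON 0xAA /* constructed fill: stands in for never-written slab bytes */
/* Field-for-field copy of struct virtio_vsock_hdr (host byte order). */
struct vsock_hdr {
    uint64_t src_cid, dst_cid;
    uint32_t src_port, dst_port, len;
    uint16_t type, op;
    uint32_t flags, buf_alloc, fwd_cnt; /* buf_alloc/fwd_cnt: what the fix zeroes */
};
/* Receiver-side credit state that virtio_transport_space_update() fills in. */
struct peer_state { uint32_t peer_buf_alloc, peer_fwd_cnt; };
/* Non-zeroing allocator: every byte starts as POISON, like stale kmalloc memory. */
static struct vsock_hdr *alloc_hdr(void)
{
    struct vsock_hdr *h = malloc(sizeof *h);
    if (h) memset(h, POISON, sizeof *h);
    return h;
}
/* Before the fix: addressing, len, type, op and flags are written, nothing else. */
static void init_hdr_vulnerable(struct vsock_hdr *h, uint16_t op, uint32_t len)
{
    h->src_cid = 2; h->dst_cid = 2;         /* constructed CIDs and ports */
    h->src_port = 1234; h->dst_port = 5678;
    h->len = len; h->type = 1; h->op = op; h->flags = 0;
}
/* After the fix: buf_alloc and fwd_cnt are explicitly zeroed as well. */
static void init_hdr_fixed(struct vsock_hdr *h, uint16_t op, uint32_t len)
{
    init_hdr_vulnerable(h, op, len);
    h->buf_alloc = 0; h->fwd_cnt = 0;
}
/* Receiver: copies the peer's advertised credit straight out of the header. */
static void space_update(struct peer_state *vvs, const struct vsock_hdr *h)
{
    vvs->peer_buf_alloc = h->buf_alloc; vvs->peer_fwd_cnt = h->fwd_cnt;
}
/* Build the RST reply (op 3) for a socket that does not exist, deliver it locally,
 * and return the buf_alloc the receiver recorded: 0 after the fix, poison before. */
uint32_t reset_no_sock_peer_buf_alloc(int fixed)
{
    struct vsock_hdr *h = alloc_hdr();
    struct peer_state vvs = {0, 0};
    if (!h) return UINT32_MAX;
    if (fixed) init_hdr_fixed(h, 3, 0); else init_hdr_vulnerable(h, 3, 0);
    space_update(&vvs, h); free(h);
    return vvs.peer_buf_alloc;
}
```

The poisoned allocator plays the role KMSAN plays in the report: it makes the stale value observable, where a real allocation would hand back whatever the slab last held.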

Vulnerable products and versions

CPE                                            From               Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*   6.3 (including)    6.6.2 (excluding)