[CVE-2018-1118][Bionic][SRU][PATCH 1/1] vhost: fix info leak due to uninitialized memory

[Po-Hsu Lin]

From: "Michael S. Tsirkin" <mst at redhat.com>

CVE-2018-1118

struct vhost_msg within struct vhost_msg_node is copied to userspace.
Unfortunately it turns out on 64 bit systems vhost_msg has padding after
type which gcc doesn't initialize, leaking 4 uninitialized bytes to
userspace.

This padding also unfortunately means 32 bit users of this interface are
broken on a 64 bit kernel which will need to be fixed separately.

Fixes: CVE-2018-1118
Cc: stable at vger.kernel.org
Reported-by: Kevin Easton <kevin at guarana.org>
Signed-off-by: Michael S. Tsirkin <mst at redhat.com>
Reported-by: syzbot+87cfa083e727a224754b at syzkaller.appspotmail.com
Signed-off-by: Michael S. Tsirkin <mst at redhat.com>
(cherry picked from commit 670ae9caaca467ea1bfd325cb2a5c98ba87f94ad)
Signed-off-by: Po-Hsu Lin <po-hsu.lin at canonical.com>
---
 drivers/vhost/vhost.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c
index 31bdfd2..a922d3d 100644
--- a/drivers/vhost/vhost.c
+++ b/drivers/vhost/vhost.c
@@ -2383,6 +2383,9 @@ struct vhost_msg_node *vhost_new_msg(struct vhost_virtqueue *vq, int type)
 	struct vhost_msg_node *node = kmalloc(sizeof *node, GFP_KERNEL);
 	if (!node)
 		return NULL;
+
+	/* Make sure all padding within the structure is initialized. */
+	memset(&node->msg, 0, sizeof node->msg);
 	node->vq = vq;
 	node->msg.type = type;
 	return node;
-- 
2.7.4