Bug 1197247 (CVE-2022-0998)

Summary: VUL-0: CVE-2022-0998: kernel-source-azure,kernel-source,kernel-source-rt: kernel: an integer overflow in the vhost_vdpa_config_validate() can lead to out-of-bounds access on top of a 32-bit Linux kernel
Product: [Novell Products] SUSE Security Incidents
Reporter: Alexander Bergmann <abergmann>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Major
Priority: P3 - Medium
CC: gabriele.sonnu, gianluca.gabrielli, meissner, smash_bz, tiwai
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/326509/
Whiteboard: CVSSv3.1:SUSE:CVE-2022-0998:7.0:(AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Bug Depends on:
Bug Blocks: 1197338

Description Alexander Bergmann 2022-03-17 15:59:21 UTC
rh#2057506

An out of bounds (OOB) memory access flaw was found in the Linux Kernel's guest virtio device driver code (if this code is enabled with the CONFIG_VHOST_VDPA kernel config parameter).
An integer overflow in the vhost_vdpa_config_validate function can lead to out-of-bounds access on top of a 32-bit Linux kernel.

Reference:
https://lore.kernel.org/netdev/20220123001216.2460383-13-sashal@kernel.org/

References:
https://bugzilla.redhat.com/show_bug.cgi?id=2057506
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-0998
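The following is an added illustration (not kernel code, and not part of this bug report) of why a bounds check of the form "len > size - off" is width-dependent: when size is a signed long, the unsigned 32-bit offset forces unsigned arithmetic on a 32-bit kernel and an oversized offset wraps instead of going negative, while a 64-bit long catches it. The hardened variant rejects the offset before subtracting, so it holds at any word width. Sizes and requests below are constructed values.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of a user-supplied config window: off and len are u32. */
struct cfg_req { uint32_t off; uint32_t len; };

/* Check shape "len > size - off" with a 32-bit long (modelled as int32_t).
 * u32 off has the same rank as long here, so the subtraction is unsigned and
 * off > size wraps to a huge value, accepting the request. True = accepted. */
static bool check_weak_32bit(const struct cfg_req *c, int32_t size)
{
    if (c->len == 0)
        return false;
    return !(c->len > (uint32_t)size - c->off);   /* wraps when off > size */
}

/* Same shape with a 64-bit long: off widens to signed 64-bit, size - off
 * goes negative, and the widened len is always larger, so it is rejected. */
static bool check_weak_64bit(const struct cfg_req *c, int64_t size)
{
    if (c->len == 0)
        return false;
    return !((int64_t)c->len > size - (int64_t)c->off);
}

/* Hardened shape: reject off beyond size first, so the subtraction can never
 * underflow regardless of the width of size. */
static bool check_fixed(const struct cfg_req *c, uint64_t size)
{
    if (c->len == 0 || c->off > size)
        return false;
    return c->len <= size - c->off;
}

int main(void)
{
    const int32_t size = 64;                       /* constructed config size */
    struct cfg_req ok  = { .off = 0x10,  .len = 0x10 };
    struct cfg_req bad = { .off = 0x100, .len = 0x10 };   /* off > size */

    printf("in-bounds : 32bit=%d 64bit=%d fixed=%d\n",
           check_weak_32bit(&ok, size), check_weak_64bit(&ok, size),
           check_fixed(&ok, size));
    printf("oversized : 32bit=%d 64bit=%d fixed=%d\n",
           check_weak_32bit(&bad, size), check_weak_64bit(&bad, size),
           check_fixed(&bad, size));
    return 0;
}
```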
Comment 1 Takashi Iwai 2022-03-17 16:19:52 UTC
As the problem is only on 32bit, basically only TW (i386, armv7hl) and Leap 15.x (armv7hl) are affected.  The actual fix (commit 3ed21c1451a1) is already in 5.16, so TW is fine.  And SLE15-SP4 already has the fix via git-fixes.
Comment 2 Takashi Iwai 2022-03-17 16:25:27 UTC
... and the vdpa driver doesn't exist on SLE15-SP3, so only SLE15-SP4.

I backported the given commit (which is rather a cleanup) and updated the patch reference on SLE15-SP4 branch now.

Reassigned back to security team.
Comment 4 Gianluca Gabrielli 2022-04-04 09:43:13 UTC
Someone from Oracle reported the following in the OSSS ML:

> The mitre.org page
> 
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-0998
> 
> says this is a fix for CVE-2022-0998 but if you apply it by itself it
> creates a serious security problem.  Originally this bug only affected
> 32 bit systems but this patch will change it to affect everyone.
> 
> You need to apply commit 3ed21c1451a1 ("vdpa: check that offsets are
> within bounds").
> 
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=3ed21c1451a14d139e1ceb18f2fa70865ce3195a
> 
> I don't know if this affects anyone, but it seemed worth mentioning.
> 
> regards,
> dan carpenter

@Takashi: could you please double-check it?
Comment 5 Takashi Iwai 2022-04-04 12:00:21 UTC
The description in CVE was pretty misleading, yes, and we have already done it the right way.  The crucial fix, the commit 3ed21c1451a1, was already in SLE15-SP4-GA.

Meanwhile the commit 870aaff92e95 is a "cleanup" patch, which doesn't change the actual behavior.  And this is found in the SLE15-SP4 branch.

To avoid the confusion, I'm going to mark the former patch (3ed21c1451a1) with the CVE number, and also take the latter cleanup fix (870aaff92e95) into SLE15-SP4-GA.
Comment 8 Gabriele Sonnu 2022-04-07 09:40:14 UTC
Closing.