ACK+Cmnt: [PATCH 0/1][Groovy] CVE-2021-29266: vDPA UAF when reopening chardev

Thadeu Lima de Souza Cascardo cascardo at canonical.com
Wed Apr 7 17:07:02 UTC 2021


On Wed, Apr 07, 2021 at 06:02:36AM -0600, Tim Gardner wrote:
> On 4/6/21 2:11 PM, Thadeu Lima de Souza Cascardo wrote:
> > On Fri, Apr 02, 2021 at 11:24:48AM -0600, Tim Gardner wrote:
> > > [SRU Justification]
> > > 
> > > An issue was discovered in the Linux kernel before 5.11.9. drivers/vhost/vdpa.c
> > > has a use-after-free because v->config_ctx has an invalid value upon re-opening
> > > a character device, aka CID-f6bbf0010ba0.
> > > 
> > > Introduced by commit 776f395004d829bbbf18c159ed9beb517a208c71 (v5.8)
> > > 
> > > [Test Plan]
> > > none
> > > 
> > > [Where problems could occur]
> > > Released in stable kernels:
> > > linux-5.10.y
> > > linux-5.11.y
> > > 
> > > [Other Info]
> > > None
> > 
> > Hi, Tim.
> > 
> > Hirsute and oem-5.10 still need this patch as well.
> > 
> > This patch is simple enough and a clean cherry pick. I would rather try to get
> > it tested somehow, which is why sometimes I take some more time before getting
> > a fix on the list, but maybe for cases like this one, where the potential
> > regressions seem small enough, and backports are not needed, we can speed up
> > getting them submitted, as you did.
> > 
> > Thanks.
> > Cascardo.
> > 
> > Acked-by: Thadeu Lima de Souza Cascardo <cascardo at canonical.com>
> > 
> 
> Won't Hirsute and OEM-5.10 get these patches via stable in this cycle? Lots
> of CVEs are fixed in stable updates without us explicitly marking them as
> CVE patches. Won't the security team CVE triager note that the appropriate
> patch has been applied and update the 'CVE Reports' page accordingly?
> 

If they are not applied in the trees yet, the best course of action, in my
opinion, is to send them independently. Preferably, together with the other
series backports. If people are reviewing them for Groovy, we already get their
reviews for Hirsute and oem-5.10. If whoever applies the patches notices they
are already applied because linux-*.y was picked up, I would expect at least a
message like the one Andrea Righi just sent about a patch already being applied.

There is always a chance either way that an upstream backport or our backport
will be different and one will be better than the other. It has happened in the
past that our backport was better, and was dropped in favour of upstream's,
leading to yet another CVE that would not have affected our kernels otherwise.

I would rather have the chance of testing whatever backport we pick up, when we
have tests available, which I strive to do.

The other way to look at that is that we have done our best effort to get this
fixed when sending backports and not relying on upstream stable being picked up
in time.

Of course, if this is already applied or sent by Kamal, noting that on the
cover letter is to be appreciated.

Cascardo.

> rtg
> -----------
> Tim Gardner
> Canonical, Inc
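The bug class named in the SRU justification above, as an added example that is not the kernel's code or this patch: a constructed C model of a per-device context pointer that is dropped when the character device is released but never cleared, so the next open touches the already-released object. Only the name v->config_ctx comes from the page; the helper names, the single-slot allocator and the open/release sequence are assumptions.

```c
#include <stddef.h>

/* Constructed model: eventfd_ctx stands in for the object the kernel
 * references from v->config_ctx; "live" tracks whether it was released. */
struct eventfd_ctx { int live; };
struct vhost_vdpa { struct eventfd_ctx *config_ctx; };

static struct eventfd_ctx pool; /* one slot standing in for the allocator */
static int uaf_count;           /* accesses to an already-released object */

static struct eventfd_ctx *ctx_fdget(void)
{
    pool.live = 1;
    return &pool;
}

static void ctx_put(struct eventfd_ctx *c)
{
    if (!c->live)
        uaf_count++;            /* touching a released object: the UAF */
    c->live = 0;
}

/* Vulnerable shape: drops the reference but leaves config_ctx dangling. */
static void config_put_vulnerable(struct vhost_vdpa *v)
{
    if (v->config_ctx)
        ctx_put(v->config_ctx);
}

/* Fixed shape: clear the pointer so later paths see "no context". */
static void config_put_fixed(struct vhost_vdpa *v)
{
    if (v->config_ctx) {
        ctx_put(v->config_ctx);
        v->config_ctx = NULL;
    }
}

/* The per-device struct outlives a single open, so: open and set a
 * config eventfd, release, then reopen and set another one. Returns the
 * number of accesses to a released object during that sequence. */
static int reopen_sequence(void (*config_put)(struct vhost_vdpa *))
{
    struct vhost_vdpa v = { NULL };
    uaf_count = 0;
    v.config_ctx = ctx_fdget();   /* first open: set config call */
    config_put(&v);               /* release: drop the reference */
    config_put(&v);               /* reopen: set_config_call puts the old ctx */
    v.config_ctx = ctx_fdget();
    return uaf_count;
}
```

The vulnerable variant reports one stale access on reopen; the fixed variant reports none because the cleared pointer short-circuits the put.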