
kvmfr: Security Vulnerability - Action Required: Overflow may exist in the newest version of LookingGlass #1133

Closed
Crispy-fried-chicken opened this issue Aug 26, 2024 · 5 comments

Comments

@Crispy-fried-chicken

Crispy-fried-chicken commented Aug 26, 2024

I would like to bring to your attention a potential overflow vulnerability in the latest version of LookingGlass, related to the method kvmfr_vm_fault in the file module/kvmfr.c. This vulnerability bears similarities to the recently disclosed CVE-2023-2008 found in torvalds/linux.

Vulnerability Detail:

CVE Identifier: CVE-2023-2008

Description: A flaw was found in the Linux kernel's udmabuf device driver. The specific flaw exists within a fault handler. The issue results from the lack of proper validation of user-supplied data, which can result in a memory access past the end of an array. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the kernel.

Reference: https://nvd.nist.gov/vuln/detail/CVE-2023-2008

Patch: torvalds/linux@05b252c.

There is a need to check vmf->pgoff before using it. If it is not checked, the specific flaw may exist within the fault handler.
Could you help to check whether this bug is real? If it is, I'd like to open a PR for it if necessary. Thank you for your effort and patience!
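The check the report asks for, as an added user-space model (not LookingGlass code and not the kernel's udmabuf patch): the mmap-time validation of vm_pgoff and size is mirrored alongside a fault handler that independently bounds-checks the page offset it receives before indexing the backing page array. The names kbuf_model, model_mmap_check, model_fault and demo_lookup, and the page ids, are constructed for the example; PAGE_SHIFT is assumed to be 12.

```c
/* Added example (not LookingGlass or kernel code): a user-space model of a
 * page-fault handler that validates the faulting page offset before using it
 * to index the buffer's page array. Names and values are constructed. */
#include <limits.h>
#include <stdio.h>

#define PAGE_SHIFT 12UL                 /* assumed 4 KiB pages */
#define PAGE_SIZE  (1UL << PAGE_SHIFT)

/* Stand-in for the driver's buffer: pagecount backing pages, identified by a
 * constructed integer page id instead of a struct page pointer. */
struct kbuf_model {
  unsigned long pagecount;
  const unsigned long *pages;
};

/* Outcomes mirroring the kernel's VM_FAULT_* results. */
enum fault_result { FAULT_OK = 0, FAULT_SIGBUS = 1 };

/* Mirror of the mmap-time check quoted in this thread: the requested range
 * must fit inside the buffer and offset + size must not wrap around.
 * Returns 0 on success, -1 (the kernel's -EINVAL) on rejection. */
static int model_mmap_check(const struct kbuf_model *kbuf,
                            unsigned long vm_pgoff, unsigned long size)
{
  unsigned long offset = vm_pgoff << PAGE_SHIFT;
  if ((offset + size > (kbuf->pagecount << PAGE_SHIFT)) ||
      (offset + size < offset))
    return -1;
  return 0;
}

/* Fault handler with the bounds check the report requests. pgoff is the page
 * offset handed to the handler for the faulting address; the mmap-time check
 * above does not guarantee it is below pagecount, so it is validated here
 * before it is used as an array index. */
static enum fault_result model_fault(const struct kbuf_model *kbuf,
                                     unsigned long pgoff,
                                     unsigned long *page_out)
{
  if (pgoff >= kbuf->pagecount)
    return FAULT_SIGBUS;            /* refuse rather than read past the array */
  *page_out = kbuf->pages[pgoff];
  return FAULT_OK;
}

/* Constructed four-page buffer used by the demo and the assertions. */
static const unsigned long demo_pages[4] = { 0x10, 0x11, 0x12, 0x13 };
static const struct kbuf_model demo_kbuf = { 4, demo_pages };

/* Convenience wrapper: returns the page id for pgoff, or ULONG_MAX when the
 * fault handler refuses the offset. */
static unsigned long demo_lookup(unsigned long pgoff)
{
  unsigned long page = 0;
  if (model_fault(&demo_kbuf, pgoff, &page) != FAULT_OK)
    return ULONG_MAX;
  return page;
}

int main(void)
{
  /* mmap path: a 4-page mapping at offset 0 fits, a 5-page one does not, and a
   * huge vm_pgoff that makes offset + size wrap is rejected as well. */
  printf("mmap 4 pages: %d\n", model_mmap_check(&demo_kbuf, 0, 4 * PAGE_SIZE));
  printf("mmap 5 pages: %d\n", model_mmap_check(&demo_kbuf, 0, 5 * PAGE_SIZE));
  printf("mmap wrap:    %d\n",
         model_mmap_check(&demo_kbuf, ULONG_MAX >> PAGE_SHIFT, PAGE_SIZE));

  /* fault path: pgoff 3 is the last valid page, pgoff 4 and beyond are
   * refused with SIGBUS instead of indexing past demo_pages. */
  printf("fault pgoff 3: 0x%lx\n", demo_lookup(3));
  printf("fault pgoff 4: %s\n", demo_lookup(4) == ULONG_MAX ? "SIGBUS" : "ok");
  return 0;
}
```

The point of keeping both checks is that they guard different inputs: model_mmap_check validates the caller's vm_pgoff and size once, while model_fault validates the per-fault pgoff every time the handler runs, which is the check the udmabuf fix referenced above restored.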

@gnif
Owner

gnif commented Aug 26, 2024

We are checking the bounds:

LookingGlass/module/kvmfr.c

Lines 151 to 155 in d060e37

unsigned long offset = vma->vm_pgoff << PAGE_SHIFT;
if ((offset + size > (kbuf->pagecount << PAGE_SHIFT))
    || (offset + size < offset))
  return -EINVAL;

LookingGlass/module/kvmfr.c

Lines 314 to 321 in d060e37

unsigned long offset = vma->vm_pgoff << PAGE_SHIFT;
kdev = (struct kvmfr_dev *)idr_find(&kvmfr_idr, iminor(filp->f_inode));
if (!kdev)
  return -EINVAL;
if ((offset + size > kdev->size) || (offset + size < offset))
  return -EINVAL;

Edit: Oh wait, this is a problem in the fault handler. I will have a closer look.

@gnif gnif closed this as completed Aug 26, 2024
@gnif gnif reopened this Aug 26, 2024
@gnif
Owner

gnif commented Aug 26, 2024

Confirmed, we do not have a problem here as we validate the user data at setup.

@gnif gnif closed this as completed Aug 26, 2024
@gnif
Owner

gnif commented Aug 26, 2024

I am sorry for the noise, I did some further digging and understand the issue here better now. Yes, there is a potential issue here, as the kernel doesn't perform any validation of the values being passed to this method.

If it's true, I'd like to open a PR for that if necessary.

Not necessary, I will commit a patch for this, thanks for the report!

@gnif gnif reopened this Aug 26, 2024
@gnif gnif closed this as completed in 3ea37b8 Aug 26, 2024
@Crispy-fried-chicken
Author

@gnif I'm sorry, there is a typo in my issue: it may cause an overflow vulnerability, not an XXE vulnerability. By the way, as it may cause some dangerous results, maybe I can request a CVE ID?

@gnif
Owner

gnif commented Aug 26, 2024

No worries, but no, please do not request a CVE ID; this is not a new vulnerability and LG is not considered a production stable tool ready for general usage at this time.
