[PATCH] um: virtio_uml: fix heap overflow in vhost_user_get_config()

[Michael Bommarito]

vhost_user_get_config() sizes its reply buffer from header + payload:

	size_t payload_size = sizeof(msg->payload.config) + cfg_size;
	size_t msg_size = sizeof(msg->header) + payload_size;
	...
	msg = kzalloc(msg_size, GFP_KERNEL);

but then receives the response with msg_size as the payload cap:

	rc = vhost_user_recv_resp(vu_dev, msg, msg_size);

vhost_user_recv() reads the header, then full_read()s header.size bytes
into &msg->payload after checking only "size > max_payload_size". The
payload area is msg_size - sizeof(msg->header) == payload_size bytes, so
passing msg_size as the cap lets a peer set header.size up to msg_size
and write sizeof(struct vhost_user_msg_header) (12) bytes past the end
of the kzalloc(msg_size) buffer -- a slab out-of-bounds write of
peer-controlled content.

Pass payload_size, which is the size the payload area was allocated for.

A malicious or compromised vhost-user backend triggers this during
device probe (vu_get -> vhost_user_get_config) with no guest action,
which matters in the confidential-computing model where the guest does
not trust the device backend.

Fixes: 5d38f324993f ("um: drivers: Add virtio vhost-user driver")
Cc: stable@xxxxxxxxxxxxxxx
Assisted-by: Claude:claude-opus-4-8
Signed-off-by: Michael Bommarito <michael.bommarito@xxxxxxxxx>
---
Reproduced on a UML KASAN build (ARCH=um, CONFIG_KASAN=y) off this base.
A stub vhost-user backend that answers GET_CONFIG with header.size set to
the full msg_size makes vhost_user_recv() full_read() 12 bytes past the
kzalloc'd reply buffer; KASAN reports a slab-out-of-bounds write in
vhost_user_get_config(). With this patch the oversized reply is rejected
(-EPROTO) and KASAN is clean. Benign control: a correctly-sized GET_CONFIG
reply succeeds on both stock and patched. Before/after logs available on
request.

 arch/um/drivers/virtio_uml.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/um/drivers/virtio_uml.c b/arch/um/drivers/virtio_uml.c
index 7425a8548141a..38e960bec9e65 100644
--- a/arch/um/drivers/virtio_uml.c
+++ b/arch/um/drivers/virtio_uml.c
@@ -568,7 +568,7 @@ static void vhost_user_get_config(struct virtio_uml_device *vu_dev,
 		goto free;
 	}
 
-	rc = vhost_user_recv_resp(vu_dev, msg, msg_size);
+	rc = vhost_user_recv_resp(vu_dev, msg, payload_size);
 	if (rc) {
 		vu_err(vu_dev,
 		       "receiving VHOST_USER_GET_CONFIG response failed: %d\n",

base-commit: ef0c9f75a19532d7675384708fc8621e10850104
-- 
2.53.0