CVE-2024-35944

In the Linux kernel, the following vulnerability has been resolved:

VMCI: Fix memcpy() run-time warning in dgdispatchas_host()

Syzkaller hit 'WARNING in dgdispatchas_host' bug.

memcpy: detected field-spanning write (size 56) of single field "&dginfo->msg" at drivers/misc/vmwvmci/vmci_datagram.c:237 (size 24)

WARNING: CPU: 0 PID: 1555 at drivers/misc/vmwvmci/vmcidatagram.c:237 dgdispatchashost+0x88e/0xa60 drivers/misc/vmwvmci/vmci_datagram.c:237

Some code commentry, based on my understanding:

544 #define VMCIDGSIZE(dg) (VMCIDGHEADERSIZE + (sizet)(dg)->payloadsize) /// This is 24 + payload_size

memcpy(&dginfo->msg, dg, dgsize); Destination = dginfo->msg ---> this is a 24 byte structure(struct vmcidatagram) Source = dg --> this is a 24 byte structure (struct vmcidatagram) Size = dgsize = 24 + payload_size

{payloadsize = 56-24 =32} -- Syzkaller managed to set payloadsize to 32.

35 struct delayeddatagraminfo { 36 struct datagramentry *entry; 37 struct workstruct work; 38 bool indghostqueue; 39 /* msg and msgpayload must be together. */ 40 struct vmcidatagram msg; 41 u8 msgpayload[]; 42 };

So those extra bytes of payload are copied into msg_payload[], a run time warning is seen while fuzzing with Syzkaller.

One possible way to fix the warning is to split the memcpy() into two parts -- one -- direct assignment of msg and second taking care of payload.

Gustavo quoted: "Under FORTIFY_SOURCE we should not copy data across multiple members in a structure."