Home Home > GIT Browse > stable
summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJiri Slaby <jslaby@suse.cz>2019-05-17 06:38:43 +0200
committerJiri Slaby <jslaby@suse.cz>2019-05-17 06:38:46 +0200
commit8a6caf254408bc96d10187cd026e6159e4fb12de (patch)
treeab9946c5db17429347c75b500c7d49b31d98f6c5
parente4e2183b4a7aca76422135b75440c996545bfbd2 (diff)
virt: vbox: Sanity-check parameter types for hgcm-calls coming
from userspace (bnc#1012628).
-rw-r--r--patches.kernel.org/5.1.3-009-virt-vbox-Sanity-check-parameter-types-for-hgcm.patch79
-rw-r--r--series.conf1
2 files changed, 80 insertions, 0 deletions
diff --git a/patches.kernel.org/5.1.3-009-virt-vbox-Sanity-check-parameter-types-for-hgcm.patch b/patches.kernel.org/5.1.3-009-virt-vbox-Sanity-check-parameter-types-for-hgcm.patch
new file mode 100644
index 0000000000..9201c6d58e
--- /dev/null
+++ b/patches.kernel.org/5.1.3-009-virt-vbox-Sanity-check-parameter-types-for-hgcm.patch
@@ -0,0 +1,79 @@
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Thu, 4 Apr 2019 14:39:09 +0200
+Subject: [PATCH] virt: vbox: Sanity-check parameter types for hgcm-calls
+ coming from userspace
+References: bnc#1012628
+Patch-mainline: 5.1.3
+Git-commit: cf4f2ad6b87dda2dbe0573b1ebeb0273f8d4aac6
+
+commit cf4f2ad6b87dda2dbe0573b1ebeb0273f8d4aac6 upstream.
+
+Userspace can make host function calls, called hgcm-calls through the
+/dev/vboxguest device.
+
+In this case we should not accept all hgcm-function-parameter-types, some
+are only valid for in kernel calls.
+
+This commit adds proper hgcm-function-parameter-type validation to the
+ioctl for doing a hgcm-call from userspace.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/virt/vboxguest/vboxguest_core.c | 31 +++++++++++++++++++++++++
+ 1 file changed, 31 insertions(+)
+
+diff --git a/drivers/virt/vboxguest/vboxguest_core.c b/drivers/virt/vboxguest/vboxguest_core.c
+index 8ca333f21292..2307b0329aec 100644
+--- a/drivers/virt/vboxguest/vboxguest_core.c
++++ b/drivers/virt/vboxguest/vboxguest_core.c
+@@ -1298,6 +1298,20 @@ static int vbg_ioctl_hgcm_disconnect(struct vbg_dev *gdev,
+ return ret;
+ }
+
++static bool vbg_param_valid(enum vmmdev_hgcm_function_parameter_type type)
++{
++ switch (type) {
++ case VMMDEV_HGCM_PARM_TYPE_32BIT:
++ case VMMDEV_HGCM_PARM_TYPE_64BIT:
++ case VMMDEV_HGCM_PARM_TYPE_LINADDR:
++ case VMMDEV_HGCM_PARM_TYPE_LINADDR_IN:
++ case VMMDEV_HGCM_PARM_TYPE_LINADDR_OUT:
++ return true;
++ default:
++ return false;
++ }
++}
++
+ static int vbg_ioctl_hgcm_call(struct vbg_dev *gdev,
+ struct vbg_session *session, bool f32bit,
+ struct vbg_ioctl_hgcm_call *call)
+@@ -1333,6 +1347,23 @@ static int vbg_ioctl_hgcm_call(struct vbg_dev *gdev,
+ }
+ call->hdr.size_out = actual_size;
+
++ /* Validate parameter types */
++ if (f32bit) {
++ struct vmmdev_hgcm_function_parameter32 *parm =
++ VBG_IOCTL_HGCM_CALL_PARMS32(call);
++
++ for (i = 0; i < call->parm_count; i++)
++ if (!vbg_param_valid(parm[i].type))
++ return -EINVAL;
++ } else {
++ struct vmmdev_hgcm_function_parameter *parm =
++ VBG_IOCTL_HGCM_CALL_PARMS(call);
++
++ for (i = 0; i < call->parm_count; i++)
++ if (!vbg_param_valid(parm[i].type))
++ return -EINVAL;
++ }
++
+ /*
+ * Validate the client id.
+ */
+--
+2.21.0
+
diff --git a/series.conf b/series.conf
index 18581b8f5e..437ab1da63 100644
--- a/series.conf
+++ b/series.conf
@@ -94,6 +94,7 @@
patches.kernel.org/5.1.3-006-selftests-seccomp-Handle-namespace-failures-gra.patch
patches.kernel.org/5.1.3-007-i2c-core-ratelimit-transfer-when-suspended-erro.patch
patches.kernel.org/5.1.3-008-kernfs-fix-barrier-usage-in-__kernfs_new_node.patch
+ patches.kernel.org/5.1.3-009-virt-vbox-Sanity-check-parameter-types-for-hgcm.patch
########################################################
# Build fixes that apply to the vanilla kernel too.