44 lines
1.8 KiB
Diff
From: Wenwen Wang <wang6495@umn.edu>
Date: Tue, 8 May 2018 08:50:28 -0500
Subject: virt: vbox: Only copy_from_user the request-header once
Origin: https://git.kernel.org/linus/bd23a7269834dc7c1f93e83535d16ebc44b75eba
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-12633

In vbg_misc_device_ioctl(), the header of the ioctl argument is copied from
the userspace pointer 'arg' and saved to the kernel object 'hdr'. Then the
'version', 'size_in', and 'size_out' fields of 'hdr' are verified.

Before this commit, after the checks a buffer for the entire request would
be allocated and then all data including the verified header would be
copied from the userspace 'arg' pointer again.

Given that the 'arg' pointer resides in userspace, a malicious userspace
process can race to change the data pointed to by 'arg' between the two
copies. By doing so, the user can bypass the verifications on the ioctl
argument.

This commit fixes this by using the already checked copy of the header
to fill the header part of the allocated buffer and only copying the
remainder of the data from userspace.

Signed-off-by: Wenwen Wang <wang6495@umn.edu>
Reviewed-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/virt/vboxguest/vboxguest_linux.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

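An added illustration of the double fetch the commit message describes, written for this page rather than taken from the commit or the vboxguest driver: a constructed single-threaded model in which a stand-in for copy_from_user() reads from a shared buffer and a hook run between the two copies plays the concurrent writer. The struct layout, constants and function names are assumptions; the real vbg_ioctl_hdr has other fields.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of the header; the real vbg_ioctl_hdr has more fields. */
struct hdr { uint32_t size_in; uint32_t size_out; uint32_t version; };
#define MAX_REQ     64
#define VERSION_OK  0x10001u
#define VERSION_BAD 0xdeadu
/* Simulated userspace memory behind 'arg'; another thread could rewrite it. */
static unsigned char user_buf[MAX_REQ];
/* Stand-in for copy_from_user(): plain copy out of the shared buffer. */
static void copy_from_user_sim(void *dst, size_t off, size_t n) { memcpy(dst, user_buf + off, n); }
static int hdr_valid(const struct hdr *h)
{
	return h->version == VERSION_OK && h->size_in >= sizeof(*h) && h->size_in <= MAX_REQ;
}
/* Flow before ('fixed' == 0) and after the commit. 'race' runs between the
 * header check and the second copy, standing in for a concurrent writer.
 * Returns the version field the kernel ends up working with. */
static uint32_t kernel_hdr_version(int fixed, void (*race)(void))
{
	unsigned char kbuf[MAX_REQ];
	struct hdr h, seen;
	copy_from_user_sim(&h, 0, sizeof(h));
	if (!hdr_valid(&h))
		return 0;
	race();
	if (!fixed) {
		copy_from_user_sim(kbuf, 0, h.size_in); /* re-reads the checked header */
	} else {
		memcpy(kbuf, &h, sizeof(h));            /* keep the checked copy */
		copy_from_user_sim(kbuf + sizeof(h), sizeof(h), h.size_in - sizeof(h));
	}
	memcpy(&seen, kbuf, sizeof(seen));
	return seen.version;
}
/* Constructed scenario: a valid header, then a writer flips the version field. */
static void flip_version(void)
{
	uint32_t bad = VERSION_BAD;
	memcpy(user_buf + offsetof(struct hdr, version), &bad, sizeof(bad));
}
uint32_t run_scenario(int fixed)
{
	struct hdr init = { .size_in = 32, .size_out = 32, .version = VERSION_OK };
	memset(user_buf, 0, sizeof(user_buf));
	memcpy(user_buf, &init, sizeof(init));
	return kernel_hdr_version(fixed, flip_version);
}
```

With the pre-commit flow the kernel buffer ends up holding the rewritten, never-validated header; with the single-fetch flow it holds the values the checks actually saw.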
--- a/drivers/virt/vboxguest/vboxguest_linux.c
+++ b/drivers/virt/vboxguest/vboxguest_linux.c
@@ -121,7 +121,9 @@ static long vbg_misc_device_ioctl(struct
if (!buf)
return -ENOMEM;
- if (copy_from_user(buf, (void *)arg, hdr.size_in)) {
+ *((struct vbg_ioctl_hdr *)buf) = hdr;
+ if (copy_from_user(buf + sizeof(hdr), (void *)arg + sizeof(hdr),
+ hdr.size_in - sizeof(hdr))) {
ret = -EFAULT;
goto out;
}
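Review bot: the new length `hdr.size_in - sizeof(hdr)` in the copy_from_user() call is only safe because size_in was already checked against sizeof(hdr) before the allocation, and that check lies outside this hunk, so a reader of the diff cannot see that the unsigned subtraction cannot wrap; a one-line comment above the copy, or a `WARN_ON(hdr.size_in < sizeof(hdr))`, would document the invariant the copy relies on. Style point on the added line: `(void *)arg + sizeof(hdr)` carries over the cast from the removed line and drops the `__user` annotation that sparse uses for address-space checking; `(void __user *)arg + sizeof(hdr)` would keep it.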