From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Hans de Goede <hdegoede@redhat.com>
Subject: [PATCH 5.1 09/46] virt: vbox: Sanity-check parameter types for hgcm-calls coming from userspace
Date: Wed, 15 May 2019 12:56:33 +0200 [thread overview]
Message-ID: <20190515090621.462758083@linuxfoundation.org> (raw)
In-Reply-To: <20190515090616.670410738@linuxfoundation.org>
From: Hans de Goede <hdegoede@redhat.com>
commit cf4f2ad6b87dda2dbe0573b1ebeb0273f8d4aac6 upstream.
Userspace can make host function calls, called hgcm-calls through the
/dev/vboxguest device.
In this case we should not accept all hgcm-function-parameter-types, some
are only valid for in kernel calls.
This commit adds proper hgcm-function-parameter-type validation to the
ioctl for doing a hgcm-call from userspace.
Cc: stable@vger.kernel.org
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/virt/vboxguest/vboxguest_core.c | 31 +++++++++++++++++++++++++++++++
1 file changed, 31 insertions(+)
--- a/drivers/virt/vboxguest/vboxguest_core.c
+++ b/drivers/virt/vboxguest/vboxguest_core.c
@@ -1298,6 +1298,20 @@ static int vbg_ioctl_hgcm_disconnect(str
return ret;
}
+static bool vbg_param_valid(enum vmmdev_hgcm_function_parameter_type type)
+{
+ switch (type) {
+ case VMMDEV_HGCM_PARM_TYPE_32BIT:
+ case VMMDEV_HGCM_PARM_TYPE_64BIT:
+ case VMMDEV_HGCM_PARM_TYPE_LINADDR:
+ case VMMDEV_HGCM_PARM_TYPE_LINADDR_IN:
+ case VMMDEV_HGCM_PARM_TYPE_LINADDR_OUT:
+ return true;
+ default:
+ return false;
+ }
+}
+
static int vbg_ioctl_hgcm_call(struct vbg_dev *gdev,
struct vbg_session *session, bool f32bit,
struct vbg_ioctl_hgcm_call *call)
@@ -1333,6 +1347,23 @@ static int vbg_ioctl_hgcm_call(struct vb
}
call->hdr.size_out = actual_size;
+ /* Validate parameter types */
+ if (f32bit) {
+ struct vmmdev_hgcm_function_parameter32 *parm =
+ VBG_IOCTL_HGCM_CALL_PARMS32(call);
+
+ for (i = 0; i < call->parm_count; i++)
+ if (!vbg_param_valid(parm[i].type))
+ return -EINVAL;
+ } else {
+ struct vmmdev_hgcm_function_parameter *parm =
+ VBG_IOCTL_HGCM_CALL_PARMS(call);
+
+ for (i = 0; i < call->parm_count; i++)
+ if (!vbg_param_valid(parm[i].type))
+ return -EINVAL;
+ }
+
/*
* Validate the client id.
*/
next prev parent reply other threads:[~2019-05-15 11:35 UTC|newest]
Thread overview: 60+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-05-15 10:56 [PATCH 5.1 00/46] 5.1.3-stable review Greg Kroah-Hartman
2019-05-15 10:56 ` [PATCH 5.1 01/46] platform/x86: sony-laptop: Fix unintentional fall-through Greg Kroah-Hartman
2019-05-15 10:56 ` [PATCH 5.1 02/46] platform/x86: thinkpad_acpi: Disable Bluetooth for some machines Greg Kroah-Hartman
2019-05-15 10:56 ` [PATCH 5.1 03/46] platform/x86: dell-laptop: fix rfkill functionality Greg Kroah-Hartman
2019-05-15 10:56 ` [PATCH 5.1 04/46] hwmon: (pwm-fan) Disable PWM if fetching cooling data fails Greg Kroah-Hartman
2019-05-15 10:56 ` [PATCH 5.1 05/46] hwmon: (occ) Fix extended status bits Greg Kroah-Hartman
2019-05-15 10:56 ` [PATCH 5.1 06/46] selftests/seccomp: Handle namespace failures gracefully Greg Kroah-Hartman
2019-05-15 10:56 ` [PATCH 5.1 07/46] i2c: core: ratelimit transfer when suspended errors Greg Kroah-Hartman
2019-05-15 10:56 ` [PATCH 5.1 08/46] kernfs: fix barrier usage in __kernfs_new_node() Greg Kroah-Hartman
2019-05-15 10:56 ` Greg Kroah-Hartman [this message]
2019-05-15 10:56 ` [PATCH 5.1 10/46] USB: serial: fix unthrottle races Greg Kroah-Hartman
2019-05-15 10:56 ` [PATCH 5.1 11/46] mwl8k: Fix rate_idx underflow Greg Kroah-Hartman
2019-05-15 10:56 ` [PATCH 5.1 12/46] rtlwifi: rtl8723ae: Fix missing break in switch statement Greg Kroah-Hartman
2019-05-15 10:56 ` [PATCH 5.1 13/46] Dont jump to compute_result state from check_result state Greg Kroah-Hartman
2019-05-15 10:56 ` [PATCH 5.1 14/46] bonding: fix arp_validate toggling in active-backup mode Greg Kroah-Hartman
2019-05-15 10:56 ` [PATCH 5.1 15/46] bridge: Fix error path for kobject_init_and_add() Greg Kroah-Hartman
2019-05-15 10:56 ` [PATCH 5.1 16/46] dpaa_eth: fix SG frame cleanup Greg Kroah-Hartman
2019-05-15 10:56 ` [PATCH 5.1 17/46] fib_rules: return 0 directly if an exactly same rule exists when NLM_F_EXCL not supplied Greg Kroah-Hartman
2019-05-15 10:56 ` [PATCH 5.1 18/46] ipv4: Fix raw socket lookup for local traffic Greg Kroah-Hartman
2019-05-15 10:56 ` [PATCH 5.1 19/46] net: dsa: Fix error cleanup path in dsa_init_module Greg Kroah-Hartman
2019-05-15 10:56 ` [PATCH 5.1 20/46] net: ethernet: stmmac: dwmac-sun8i: enable support of unicast filtering Greg Kroah-Hartman
2019-05-15 10:56 ` [PATCH 5.1 21/46] net: macb: Change interrupt and napi enable order in open Greg Kroah-Hartman
2019-05-15 10:56 ` [PATCH 5.1 22/46] net: seeq: fix crash caused by not set dev.parent Greg Kroah-Hartman
2019-05-15 10:56 ` [PATCH 5.1 23/46] net: ucc_geth - fix Oops when changing number of buffers in the ring Greg Kroah-Hartman
2019-05-15 10:56 ` [PATCH 5.1 24/46] packet: Fix error path in packet_init Greg Kroah-Hartman
2019-05-15 10:56 ` [PATCH 5.1 25/46] selinux: do not report error on connect(AF_UNSPEC) Greg Kroah-Hartman
2019-05-15 10:56 ` [PATCH 5.1 26/46] tipc: fix hanging clients using poll with EPOLLOUT flag Greg Kroah-Hartman
2019-05-15 10:56 ` [PATCH 5.1 27/46] vlan: disable SIOCSHWTSTAMP in container Greg Kroah-Hartman
2019-05-15 10:56 ` [PATCH 5.1 28/46] vrf: sit mtu should not be updated when vrf netdev is the link Greg Kroah-Hartman
2019-05-15 10:56 ` [PATCH 5.1 29/46] aqc111: fix endianness issue in aqc111_change_mtu Greg Kroah-Hartman
2019-05-15 10:56 ` [PATCH 5.1 30/46] aqc111: fix writing to the phy on BE Greg Kroah-Hartman
2019-05-15 10:56 ` [PATCH 5.1 31/46] aqc111: fix double endianness swap " Greg Kroah-Hartman
2019-05-15 10:56 ` [PATCH 5.1 32/46] tuntap: fix dividing by zero in ebpf queue selection Greg Kroah-Hartman
2019-05-15 10:56 ` [PATCH 5.1 33/46] tuntap: synchronize through tfiles array instead of tun->numqueues Greg Kroah-Hartman
2019-05-15 10:56 ` [PATCH 5.1 34/46] net: phy: fix phy_validate_pause Greg Kroah-Hartman
2019-05-15 10:56 ` [PATCH 5.1 35/46] flow_dissector: disable preemption around BPF calls Greg Kroah-Hartman
2019-05-15 10:57 ` [PATCH 5.1 36/46] isdn: bas_gigaset: use usb_fill_int_urb() properly Greg Kroah-Hartman
2019-05-15 10:57 ` [PATCH 5.1 37/46] drivers/virt/fsl_hypervisor.c: dereferencing error pointers in ioctl Greg Kroah-Hartman
2019-05-15 10:57 ` [PATCH 5.1 38/46] drivers/virt/fsl_hypervisor.c: prevent integer overflow " Greg Kroah-Hartman
2019-05-15 10:57 ` [PATCH 5.1 39/46] powerpc/book3s/64: check for NULL pointer in pgd_alloc() Greg Kroah-Hartman
2019-05-15 10:57 ` [PATCH 5.1 40/46] powerpc/powernv/idle: Restore IAMR after idle Greg Kroah-Hartman
2019-05-15 10:57 ` [PATCH 5.1 41/46] powerpc/booke64: set RI in default MSR Greg Kroah-Hartman
2019-05-15 10:57 ` [PATCH 5.1 42/46] virtio_ring: Fix potential mem leak in virtqueue_add_indirect_packed Greg Kroah-Hartman
2019-05-15 10:57 ` [PATCH 5.1 43/46] PCI: hv: Fix a memory leak in hv_eject_device_work() Greg Kroah-Hartman
2019-05-15 10:57 ` [PATCH 5.1 44/46] PCI: hv: Add hv_pci_remove_slots() when we unload the driver Greg Kroah-Hartman
2019-05-15 10:57 ` [PATCH 5.1 45/46] PCI: hv: Add pci_destroy_slot() in pci_devices_present_work(), if necessary Greg Kroah-Hartman
2019-05-15 10:57 ` [PATCH 5.1 46/46] f2fs: Fix use of number of devices Greg Kroah-Hartman
2019-05-15 13:56 ` [PATCH 5.1 00/46] 5.1.3-stable review Igor Russkikh
2019-05-15 14:18 ` Greg Kroah-Hartman
2019-05-15 13:58 ` Igor Russkikh
2019-05-15 19:56 ` Naresh Kamboju
2019-05-16 6:21 ` Greg Kroah-Hartman
2019-05-16 3:38 ` Guenter Roeck
2019-05-16 6:20 ` Greg Kroah-Hartman
2019-05-16 11:04 ` Jon Hunter
2019-05-16 16:50 ` Greg Kroah-Hartman
2019-05-16 13:55 ` shuah
2019-05-16 16:49 ` Greg Kroah-Hartman
2019-05-17 6:34 ` Kelsey Skunberg
2019-05-17 7:25 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190515090621.462758083@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=hdegoede@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).