Re: [PATCH] virt: vbox: Only copy_from_user the request-header once

From: Hans de Goede
Date: Tue May 08 2018 - 10:52:58 EST

Next message: Jonathan Corbet: "Re: [PATCH] doc: botching-up-ioctls: Make it clearer why structs must be padded"
Previous message: Michael Ellerman: "Re: tracing: Remove PPC32 wart from config TRACING_SUPPORT"
In reply to: Greg Kroah-Hartman: "Re: [PATCH] virt: vbox: Only copy_from_user the request-header once"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi,

On 08-05-18 16:21, Greg Kroah-Hartman wrote:

On Tue, May 08, 2018 at 03:46:59PM +0200, Hans de Goede wrote:

In vbg_misc_device_ioctl(), the header of the ioctl argument is copied from
the userspace pointer 'arg' and saved to the kernel object 'hdr'. Then the
'version', 'size_in', and 'size_out' fields of 'hdr' are verified.

Before this commit, after the checks a buffer for the entire request would
be allocated and then all data including the verified header would be
copied from the userspace 'arg' pointer again.

Given that the 'arg' pointer resides in userspace, a malicious userspace
process can race to change the data pointed to by 'arg' between the two
copies. By doing so, the user can bypass the verifications on the ioctl
argument.

This commit fixes this by using the already checked copy of the header
to fill the header part of the allocated buffer and only copying the
remainder of the data from userspace.

Reported-by: Wenwen Wang <wang6495@xxxxxxx>
Signed-off-by: Hans de Goede <hdegoede@xxxxxxxxxx>

Does this need to go into 4.17-final? Any older kernels? Or can it
wait for 4.18-rc1?

I believe this can wait for 4.18-rc1.

Regards,

Hans

Next message: Jonathan Corbet: "Re: [PATCH] doc: botching-up-ioctls: Make it clearer why structs must be padded"
Previous message: Michael Ellerman: "Re: tracing: Remove PPC32 wart from config TRACING_SUPPORT"
In reply to: Greg Kroah-Hartman: "Re: [PATCH] virt: vbox: Only copy_from_user the request-header once"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]