[PATCH] vboxguest: check for private_data before trying to close it.

From: Young Xiao
Date: Tue May 28 2019 - 08:49:26 EST


vbg_misc_device_close doesn't check that filp->private_data is non-NULL
before trying to close_session, where vbg_core_close_session uses pointer
session whithout checking, too. That can cause an oops in certain error
conditions that can occur on open or lookup before the private_data is set.

This vulnerability is similar to CVE-2011-1771.

Signed-off-by: Young Xiao <92siuyang@xxxxxxxxx>
---
drivers/virt/vboxguest/vboxguest_linux.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/virt/vboxguest/vboxguest_linux.c b/drivers/virt/vboxguest/vboxguest_linux.c
index 6e8c0f1..b03c16f 100644
--- a/drivers/virt/vboxguest/vboxguest_linux.c
+++ b/drivers/virt/vboxguest/vboxguest_linux.c
@@ -88,8 +88,10 @@ static int vbg_misc_device_user_open(struct inode *inode, struct file *filp)
*/
static int vbg_misc_device_close(struct inode *inode, struct file *filp)
{
- vbg_core_close_session(filp->private_data);
- filp->private_data = NULL;
+ if (file->private_data != NULL) {
+ vbg_core_close_session(filp->private_data);
+ filp->private_data = NULL;
+ }
return 0;
}

--
2.7.4