vbg_misc_device_close doesn't check that filp->private_data is non-NULL
before trying to close_session, where vbg_core_close_session uses pointer
session whithout checking, too. That can cause an oops in certain error
conditions that can occur on open or lookup before the private_data is set.
This vulnerability is similar to CVE-2011-1771.
Signed-off-by: Young Xiao <92siuyang@xxxxxxxxx>
---
drivers/virt/vboxguest/vboxguest_linux.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/virt/vboxguest/vboxguest_linux.c b/drivers/virt/vboxguest/vboxguest_linux.c
index 6e8c0f1..b03c16f 100644
--- a/drivers/virt/vboxguest/vboxguest_linux.c
+++ b/drivers/virt/vboxguest/vboxguest_linux.c
@@ -88,8 +88,10 @@ static int vbg_misc_device_user_open(struct inode *inode, struct file *filp)
*/
static int vbg_misc_device_close(struct inode *inode, struct file *filp)
{
- vbg_core_close_session(filp->private_data);
- filp->private_data = NULL;
+ if (file->private_data != NULL) {
+ vbg_core_close_session(filp->private_data);
+ filp->private_data = NULL;
+ }
return 0;
}