[PATCH] misc: fastrpc: restrict user apps from sending kernel RPC messages

From: Dmitry Baryshkov
Date: Thu Feb 11 2021 - 18:38:34 EST

Next message: Stephen Rothwell: "linux-next: manual merge of the btrfs tree with the fscache tree"
Previous message: Jarkko Sakkinen: "Re: [PATCH v8 2/4] KEYS: trusted: Introduce TEE based Trusted Keys"
Next in thread: Randy Dunlap: "Re: [PATCH] misc: fastrpc: restrict user apps from sending kernel RPC messages"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Verify that user applications are not using the kernel RPC message
handle to restrict them from directly attaching to guest OS on the
remote subsystem. This is a port of CVE-2019-2308 fix.

Fixes: c68cfb718c8f ("misc: fastrpc: Add support for context Invoke method")
Cc: Srinivas Kandagatla <srinivas.kandagatla@xxxxxxxxxx>
Cc: Jonathan Marek <jonathan@xxxxxxxx>
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@xxxxxxxxxx>
---
drivers/misc/fastrpc.c | 5 +++++
1 file changed, 5 insertions(+)

diff --git a/drivers/misc/fastrpc.c b/drivers/misc/fastrpc.c
index 815d01f785df..e7f3a22fdaa3 100644
--- a/drivers/misc/fastrpc.c
+++ b/drivers/misc/fastrpc.c
@@ -948,6 +948,11 @@ static int fastrpc_internal_invoke(struct fastrpc_user *fl, u32 kernel,
if (!fl->cctx->rpdev)
return -EPIPE;

+ if (handle == FASTRPC_INIT_HANDLE && !kernel) {
+ dev_warn(fl->sctx->dev, "user app trying to send a kernel RPC message (%d)\n", handle);
+ return -EPERM;
+ }
+
ctx = fastrpc_context_alloc(fl, kernel, sc, args);
if (IS_ERR(ctx))
return PTR_ERR(ctx);
--
2.30.0

Next message: Stephen Rothwell: "linux-next: manual merge of the btrfs tree with the fscache tree"
Previous message: Jarkko Sakkinen: "Re: [PATCH v8 2/4] KEYS: trusted: Introduce TEE based Trusted Keys"
Next in thread: Randy Dunlap: "Re: [PATCH] misc: fastrpc: restrict user apps from sending kernel RPC messages"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]