[thirdparty/kernel/stable-queue.git] / releases / 5.1.3 / virt-vbox-sanity-check-parameter-types-for-hgcm-calls-coming-from-userspace.patch

From cf4f2ad6b87dda2dbe0573b1ebeb0273f8d4aac6 Mon Sep 17 00:00:00 2001
From: Hans de Goede <hdegoede@redhat.com>
Date: Thu, 4 Apr 2019 14:39:09 +0200
Subject: virt: vbox: Sanity-check parameter types for hgcm-calls coming from userspace

From: Hans de Goede <hdegoede@redhat.com>

commit cf4f2ad6b87dda2dbe0573b1ebeb0273f8d4aac6 upstream.

Userspace can make host function calls, called hgcm-calls through the
/dev/vboxguest device.

In this case we should not accept all hgcm-function-parameter-types, some
are only valid for in kernel calls.

This commit adds proper hgcm-function-parameter-type validation to the
ioctl for doing a hgcm-call from userspace.

Cc: stable@vger.kernel.org
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/virt/vboxguest/vboxguest_core.c |   31 +++++++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)

--- a/drivers/virt/vboxguest/vboxguest_core.c
+++ b/drivers/virt/vboxguest/vboxguest_core.c
@@ -1298,6 +1298,20 @@ static int vbg_ioctl_hgcm_disconnect(str
 	return ret;
 }
 
+static bool vbg_param_valid(enum vmmdev_hgcm_function_parameter_type type)
+{
+	switch (type) {
+	case VMMDEV_HGCM_PARM_TYPE_32BIT:
+	case VMMDEV_HGCM_PARM_TYPE_64BIT:
+	case VMMDEV_HGCM_PARM_TYPE_LINADDR:
+	case VMMDEV_HGCM_PARM_TYPE_LINADDR_IN:
+	case VMMDEV_HGCM_PARM_TYPE_LINADDR_OUT:
+		return true;
+	default:
+		return false;
+	}
+}
+
 static int vbg_ioctl_hgcm_call(struct vbg_dev *gdev,
 			       struct vbg_session *session, bool f32bit,
 			       struct vbg_ioctl_hgcm_call *call)
@@ -1333,6 +1347,23 @@ static int vbg_ioctl_hgcm_call(struct vb
 	}
 	call->hdr.size_out = actual_size;
 
+	/* Validate parameter types */
+	if (f32bit) {
+		struct vmmdev_hgcm_function_parameter32 *parm =
+			VBG_IOCTL_HGCM_CALL_PARMS32(call);
+
+		for (i = 0; i < call->parm_count; i++)
+			if (!vbg_param_valid(parm[i].type))
+				return -EINVAL;
+	} else {
+		struct vmmdev_hgcm_function_parameter *parm =
+			VBG_IOCTL_HGCM_CALL_PARMS(call);
+
+		for (i = 0; i < call->parm_count; i++)
+			if (!vbg_param_valid(parm[i].type))
+				return -EINVAL;
+	}
+
 	/*
 	 * Validate the client id.
 	 */
Commit	Line	Data
01e516ea GKH	1	From cf4f2ad6b87dda2dbe0573b1ebeb0273f8d4aac6 Mon Sep 17 00:00:00 2001
	2	From: Hans de Goede <hdegoede@redhat.com>
	3	Date: Thu, 4 Apr 2019 14:39:09 +0200
	4	Subject: virt: vbox: Sanity-check parameter types for hgcm-calls coming from userspace
	5
	6	From: Hans de Goede <hdegoede@redhat.com>
	7
	8	commit cf4f2ad6b87dda2dbe0573b1ebeb0273f8d4aac6 upstream.
	9
	10	Userspace can make host function calls, called hgcm-calls through the
	11	/dev/vboxguest device.
	12
	13	In this case we should not accept all hgcm-function-parameter-types, some
	14	are only valid for in kernel calls.
	15
	16	This commit adds proper hgcm-function-parameter-type validation to the
	17	ioctl for doing a hgcm-call from userspace.
	18
	19	Cc: stable@vger.kernel.org
	20	Signed-off-by: Hans de Goede <hdegoede@redhat.com>
	21	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	22
	23	---
	24	drivers/virt/vboxguest/vboxguest_core.c \| 31 +++++++++++++++++++++++++++++++
	25	1 file changed, 31 insertions(+)
	26
	27	--- a/drivers/virt/vboxguest/vboxguest_core.c
	28	+++ b/drivers/virt/vboxguest/vboxguest_core.c
	29	@@ -1298,6 +1298,20 @@ static int vbg_ioctl_hgcm_disconnect(str
	30	return ret;
	31	}
	32
	33	+static bool vbg_param_valid(enum vmmdev_hgcm_function_parameter_type type)
	34	+{
	35	+ switch (type) {
	36	+ case VMMDEV_HGCM_PARM_TYPE_32BIT:
	37	+ case VMMDEV_HGCM_PARM_TYPE_64BIT:
	38	+ case VMMDEV_HGCM_PARM_TYPE_LINADDR:
	39	+ case VMMDEV_HGCM_PARM_TYPE_LINADDR_IN:
	40	+ case VMMDEV_HGCM_PARM_TYPE_LINADDR_OUT:
	41	+ return true;
	42	+ default:
	43	+ return false;
	44	+ }
	45	+}
	46	+
	47	static int vbg_ioctl_hgcm_call(struct vbg_dev *gdev,
	48	struct vbg_session *session, bool f32bit,
	49	struct vbg_ioctl_hgcm_call *call)
	50	@@ -1333,6 +1347,23 @@ static int vbg_ioctl_hgcm_call(struct vb
	51	}
	52	call->hdr.size_out = actual_size;
	53
	54	+ /* Validate parameter types */
	55	+ if (f32bit) {
	56	+ struct vmmdev_hgcm_function_parameter32 *parm =
	57	+ VBG_IOCTL_HGCM_CALL_PARMS32(call);
	58	+
	59	+ for (i = 0; i < call->parm_count; i++)
	60	+ if (!vbg_param_valid(parm[i].type))
	61	+ return -EINVAL;
	62	+ } else {
	63	+ struct vmmdev_hgcm_function_parameter *parm =
	64	+ VBG_IOCTL_HGCM_CALL_PARMS(call);
65	+
66	+ for (i = 0; i < call->parm_count; i++)
67	+ if (!vbg_param_valid(parm[i].type))
68	+ return -EINVAL;
69	+ }
70	+
71	/*
72	* Validate the client id.
73	*/