--- /dev/null
+From bd23a7269834dc7c1f93e83535d16ebc44b75eba Mon Sep 17 00:00:00 2001
+From: Wenwen Wang <wang6495@umn.edu>
+Date: Tue, 8 May 2018 08:50:28 -0500
+Subject: virt: vbox: Only copy_from_user the request-header once
+
+From: Wenwen Wang <wang6495@umn.edu>
+
+commit bd23a7269834dc7c1f93e83535d16ebc44b75eba upstream.
+
+In vbg_misc_device_ioctl(), the header of the ioctl argument is copied from
+the userspace pointer 'arg' and saved to the kernel object 'hdr'. Then the
+'version', 'size_in', and 'size_out' fields of 'hdr' are verified.
+
+Before this commit, after the checks a buffer for the entire request would
+be allocated and then all data including the verified header would be
+copied from the userspace 'arg' pointer again.
+
+Given that the 'arg' pointer resides in userspace, a malicious userspace
+process can race to change the data pointed to by 'arg' between the two
+copies. By doing so, the user can bypass the verifications on the ioctl
+argument.
+
+This commit fixes this by using the already checked copy of the header
+to fill the header part of the allocated buffer and only copying the
+remainder of the data from userspace.
+
+Signed-off-by: Wenwen Wang <wang6495@umn.edu>
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Cc: Justin Forbes <jmforbes@linuxtx.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/virt/vboxguest/vboxguest_linux.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/virt/vboxguest/vboxguest_linux.c
++++ b/drivers/virt/vboxguest/vboxguest_linux.c
+@@ -121,7 +121,9 @@ static long vbg_misc_device_ioctl(struct
+ if (!buf)
+ return -ENOMEM;
+
+- if (copy_from_user(buf, (void *)arg, hdr.size_in)) {
++ *((struct vbg_ioctl_hdr *)buf) = hdr;
++ if (copy_from_user(buf + sizeof(hdr), (void *)arg + sizeof(hdr),
++ hdr.size_in - sizeof(hdr))) {
+ ret = -EFAULT;
+ goto out;
+ }
projects / thirdparty / kernel / stable-queue.git / commitdiff
