From: Greg Kroah-Hartman Date: Mon, 1 Apr 2019 10:28:03 +0000 (+0200) Subject: 3.18-stable patches X-Git-Tag: v3.18.138~21 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e3da7d9747ecea4c0051e92dfb0962cd5534998c;p=thirdparty%2Fkernel%2Fstable-queue.git 3.18-stable patches added patches: kvm-reject-device-ioctls-from-processes-other-than-the-vm-s-creator.patch --- diff --git a/queue-3.18/kvm-reject-device-ioctls-from-processes-other-than-the-vm-s-creator.patch b/queue-3.18/kvm-reject-device-ioctls-from-processes-other-than-the-vm-s-creator.patch new file mode 100644 index 00000000000..14cfbcb3235 --- /dev/null +++ b/queue-3.18/kvm-reject-device-ioctls-from-processes-other-than-the-vm-s-creator.patch 
@@ -0,0 +1,78 @@ +From ddba91801aeb5c160b660caed1800eb3aef403f8 Mon Sep 17 00:00:00 2001 +From: Sean Christopherson +Date: Fri, 15 Feb 2019 12:48:39 -0800 +Subject: KVM: Reject device ioctls from processes other than the VM's creator + +From: Sean Christopherson + +commit ddba91801aeb5c160b660caed1800eb3aef403f8 upstream. + +KVM's API requires thats ioctls must be issued from the same process +that created the VM. In other words, userspace can play games with a +VM's file descriptors, e.g. fork(), SCM_RIGHTS, etc..., but only the +creator can do anything useful. Explicitly reject device ioctls that +are issued by a process other than the VM's creator, and update KVM's +API documentation to extend its requirements to device ioctls. + +Fixes: 852b6d57dc7f ("kvm: add device control API") +Cc: +Signed-off-by: Sean Christopherson +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + Documentation/virtual/kvm/api.txt | 16 +++++++++++----- + virt/kvm/kvm_main.c | 3 +++ + 2 files changed, 14 insertions(+), 5 deletions(-) + +--- a/Documentation/virtual/kvm/api.txt ++++ b/Documentation/virtual/kvm/api.txt +@@ -13,7 +13,7 @@ of a virtual machine. The ioctls belong + + - VM ioctls: These query and set attributes that affect an entire virtual + machine, for example memory layout. In addition a VM ioctl is used to +- create virtual cpus (vcpus). ++ create virtual cpus (vcpus) and devices. + + Only run VM ioctls from the same process (address space) that was used + to create the VM. +@@ -24,6 +24,11 @@ of a virtual machine. The ioctls belong + Only run vcpu ioctls from the same thread that was used to create the + vcpu. + ++ - device ioctls: These query and set attributes that control the operation ++ of a single device. ++ ++ device ioctls must be issued from the same process (address space) that ++ was used to create the VM. + + 2. 
File descriptors + ------------------- +@@ -32,10 +37,11 @@ The kvm API is centered around file desc + open("/dev/kvm") obtains a handle to the kvm subsystem; this handle + can be used to issue system ioctls. A KVM_CREATE_VM ioctl on this + handle will create a VM file descriptor which can be used to issue VM +-ioctls. A KVM_CREATE_VCPU ioctl on a VM fd will create a virtual cpu +-and return a file descriptor pointing to it. Finally, ioctls on a vcpu +-fd can be used to control the vcpu, including the important task of +-actually running guest code. ++ioctls. A KVM_CREATE_VCPU or KVM_CREATE_DEVICE ioctl on a VM fd will ++create a virtual cpu or device and return a file descriptor pointing to ++the new resource. Finally, ioctls on a vcpu or device fd can be used ++to control the vcpu or device. For vcpus, this includes the important ++task of actually running guest code. + + In general file descriptors can be migrated among processes by means + of fork() and the SCM_RIGHTS facility of unix domain socket. These +--- a/virt/kvm/kvm_main.c ++++ b/virt/kvm/kvm_main.c +@@ -2298,6 +2298,9 @@ static long kvm_device_ioctl(struct file + { + struct kvm_device *dev = filp->private_data; + ++ if (dev->kvm->mm != current->mm) ++ return -EIO; ++ + switch (ioctl) { + case KVM_SET_DEVICE_ATTR: + return kvm_device_ioctl_attr(dev, dev->ops->set_attr, arg); diff --git a/queue-3.18/series b/queue-3.18/series index 75b1e5e3cc1..7cd8d2a4914 100644 --- a/queue-3.18/series +++ b/queue-3.18/series @@ -44,3 +44,4 @@ usb-serial-mos7720-fix-mos_parport-refcount-imbalance-on-error-path.patch disable-kgdboc-failed-by-echo-space-to-sys-module-kgdboc-parameters-kgdboc.patch fs-proc-proc_sysctl.c-fix-null-pointer-dereference-in-put_links.patch gpio-adnp-fix-testing-wrong-value-in-adnp_gpio_direction_input.patch +kvm-reject-device-ioctls-from-processes-other-than-the-vm-s-creator.patch
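Review bot: In the Documentation/virtual/kvm/api.txt hunk at @@ -24,6, the new "device ioctls" bullet states the same-process requirement but not what userspace sees when it is violated. The kvm_main.c hunk returns -EIO in that case, so the bullet should say that device ioctls issued from any other process fail with -EIO. The wording also departs from the two bullets above it, which use "Only run VM ioctls from ..." and "Only run vcpu ioctls from ...", while this one uses "must be issued from"; use one form for all three so the requirement reads as equally binding in each case.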
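Review bot: The check added at the top of kvm_device_ioctl() in the virt/kvm/kvm_main.c hunk (@@ -2298,6) needs a short comment saying that "creator" here means the creating address space. It compares dev->kvm->mm with current->mm, so threads sharing the creator's mm pass, while a fork() child or an SCM_RIGHTS recipient holding the same device fd gets -EIO, and nothing at the call site says this is intentional API enforcement rather than an I/O failure. Placing the test before the switch is right, since it then covers every device ioctl command. The hunk only shows the ioctl handler, so it is worth confirming in the full file that no other file operation on the device fd reaches dev->ops without the same test.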