When a handle being passed down to VMCIDoorbell_Create() was not initialized

to VMCI_INVALID_HANDLE, a doorbell was being created with context id 0
(hypervisor id) and a large resource id (likely the garbage value in
handle.resource).

On the guest side, modified VMCINotifyHashAddEntry so that if the handle
passed down is not VMCI_INVALID_HANDLE and if the context id of the handle
is not the context id of the VM, VMCI_ERROR_INVALID_ARGS will be returned.

Signed-off-by: Marcelo Vanzin <mvanzin@vmware.com>

diff --git a/open-vm-tools/modules/linux/vmci/vmciNotifications.c b/open-vm-tools/modules/linux/vmci/vmciNotifications.c
index e04f1ce4a4e9070c7292abb93487cb56bf9f4ed9..740fcda224c9b8804a86147d9be38f697e832e22 100644 (file)
--- a/open-vm-tools/modules/linux/vmci/vmciNotifications.c
+++ b/open-vm-tools/modules/linux/vmci/vmciNotifications.c
@@ -257,6 +257,14 @@ VMCINotifyHashAddEntry(VMCINotifyHashEntry *entry) // IN
          goto out;
       }
       entry->handle = newHandle;
+   } else if (VMCI_GetContextID() != entry->handle.context) {
+      /*
+       * The context id passed down should either be invalid or
+       * the context id of the guest.
+       */
+
+      result = VMCI_ERROR_INVALID_ARGS;
+      goto out;
    }
 
    if (VMCINotifyHashFindByHandle(entry->handle, entry->doorbell, &bucket)) {