
virt: vbox: Sanity-check parameter types for hgcm-calls coming from userspace

Userspace can make host function calls, called hgcm-calls, through the
/dev/vboxguest device.

In this case we should not accept all hgcm-function-parameter-types, some
are only valid for in kernel calls.

This commit adds proper hgcm-function-parameter-type validation to the
ioctl for doing a hgcm-call from userspace.

Cc: stable@vger.kernel.org
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

authored by

Hans de Goede and committed by
Greg Kroah-Hartman
cf4f2ad6 0b050950

+31
+31
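--- a/drivers/virt/vboxguest/vboxguest_core.c
+++ b/drivers/virt/vboxguest/vboxguest_core.c
@@ -1298,6 +1298,20 @@
 	return ret;
 }
 
+static bool vbg_param_valid(enum vmmdev_hgcm_function_parameter_type type)
+{
+	switch (type) {
+	case VMMDEV_HGCM_PARM_TYPE_32BIT:
+	case VMMDEV_HGCM_PARM_TYPE_64BIT:
+	case VMMDEV_HGCM_PARM_TYPE_LINADDR:
+	case VMMDEV_HGCM_PARM_TYPE_LINADDR_IN:
+	case VMMDEV_HGCM_PARM_TYPE_LINADDR_OUT:
+		return true;
+	default:
+		return false;
+	}
+}
+
 static int vbg_ioctl_hgcm_call(struct vbg_dev *gdev,
 			       struct vbg_session *session, bool f32bit,
 			       struct vbg_ioctl_hgcm_call *call)
@@ -1346,6 +1332,23 @@
 		return -EINVAL;
 	}
 	call->hdr.size_out = actual_size;
+
+	/* Validate parameter types */
+	if (f32bit) {
+		struct vmmdev_hgcm_function_parameter32 *parm =
+			VBG_IOCTL_HGCM_CALL_PARMS32(call);
+
+		for (i = 0; i < call->parm_count; i++)
+			if (!vbg_param_valid(parm[i].type))
+				return -EINVAL;
+	} else {
+		struct vmmdev_hgcm_function_parameter *parm =
+			VBG_IOCTL_HGCM_CALL_PARMS(call);
+
+		for (i = 0; i < call->parm_count; i++)
+			if (!vbg_param_valid(parm[i].type))
+				return -EINVAL;
+	}
 
 	/*
 	 * Validate the client id.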
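Review bot: vbg_param_valid carries no comment stating that it is an allow-list of the parameter types userspace may submit, so a later maintainer could add a case to it without realising that the remaining vmmdev_hgcm_function_parameter_type values describe kernel-side addresses and must stay rejected for /dev/vboxguest callers. I would put `/* Parameter types userspace may pass in an hgcm-call; every other type is reserved for in-kernel callers and is rejected. */` above the function, and sharpen the call-site comment to `/* Validate parameter types: userspace must not pass kernel-only address types */`. The two loops in vbg_ioctl_hgcm_call are identical apart from the parameter struct, which is acceptable because the 32-bit and native layouts differ, but the loop index i and the parm_count bound they rely on are declared and checked outside the hunk; the function's body begins and ends outside this hunk, so it is worth confirming that parm_count was already validated against actual_size before these loops index parm[].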