From: Wenwen Wang
To: Wenwen Wang
Cc: Kangjie Lu, Hans de Goede, Arnd Bergmann, Greg Kroah-Hartman, linux-kernel@vger.kernel.org (open list)
Subject: [PATCH] virt: vbox: fix a missing-check bug
Date: Sat, 5 May 2018 22:30:48 -0500
Message-Id: <1525577448-16071-1-git-send-email-wang6495@umn.edu>
X-Mailer: git-send-email 2.7.4

In vbg_misc_device_ioctl(), the header of the ioctl argument is copied from the userspace pointer 'arg' and saved to the kernel object 'hdr'. Then the 'version', 'size_in', and 'size_out' fields of 'hdr' are verified. For example, if 'hdr.version' is not VBG_IOCTL_HDR_VERSION, an error code -EINVAL will be returned. If 'hdr' can pass all verifications, the whole structure of the ioctl argument is copied once again from 'arg' and saved to 'buf'. Then the function vbg_core_ioctl() is invoked to execute the ioctl command.

Given that the 'arg' pointer resides in userspace, a malicious userspace process can race to change the data pointed to by 'arg' between the two copies. By doing so, the user can bypass the verifications on the ioctl argument, which can cause vbg_core_ioctl() to work on insecure data because it assumes the 'version', 'size_in', and 'size_out' have been verified by vbg_misc_device_ioctl(), as mentioned in the comment in vbg_core_ioctl():

/*
 * hdr->version and hdr->size_in / hdr->size_out minimum size are
 * already checked by vbg_misc_device_ioctl().
 */

This patch adds checks after the second copy to ensure the consistency between the data obtained in the two copies. In case an inconsistency is detected, an error code -EINVAL will be returned.

Signed-off-by: Wenwen Wang
---
 drivers/virt/vboxguest/vboxguest_linux.c | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/drivers/virt/vboxguest/vboxguest_linux.c b/drivers/virt/vboxguest/vboxguest_linux.c
index 398d226..6b525259 100644
--- a/drivers/virt/vboxguest/vboxguest_linux.c +++ b/drivers/virt/vboxguest/vboxguest_linux.c @@ -125,6 +125,12 @@ static long vbg_misc_device_ioctl(struct file *filp, unsigned int req, ret = -EFAULT; goto out; } + if (((struct vbg_ioctl_hdr *)buf)->version != hdr.version || + ((struct vbg_ioctl_hdr *)buf)->size_in != hdr.size_in || + ((struct vbg_ioctl_hdr *)buf)->size_out != hdr.size_out) { + ret = -EINVAL; + goto out; + } if (hdr.size_in < size) memset(buf + hdr.size_in, 0, size - hdr.size_in); @@ -133,11 +139,6 @@ static long vbg_misc_device_ioctl(struct file *filp, unsigned int req, goto out; returned_size = ((struct vbg_ioctl_hdr *)buf)->size_out; - if (returned_size > size) { - vbg_debug("%s: too much output data %zu > %zu\n", - __func__, returned_size, size); - returned_size = size; - } if (copy_to_user((void *)arg, buf, returned_size) != 0) ret = -EFAULT; -- 2.7.4
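Review bot: in the first hunk (the new check after the second copy_from_user()), the three repeated `(struct vbg_ioctl_hdr *)buf` casts would read better through one local pointer, and there is a smaller alternative that needs no new error path: overwrite the header at the start of buf with the already validated hdr (`memcpy(buf, &hdr, sizeof(hdr));`), so vbg_core_ioctl() only ever sees the values that passed the checks, whatever userspace wrote between the two copies. If the explicit comparison is kept, a short comment saying it closes the window between the two copies would help the next reader, since the surrounding code gives no hint why the header is read twice.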
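Review bot: the second hunk removes the `if (returned_size > size)` clamp, and neither the commit message nor the subject explains that removal; the diffstat (6 insertions, 5 deletions) shows it is a real change, not context. With the clamp gone, `returned_size` is read from `((struct vbg_ioctl_hdr *)buf)->size_out` after vbg_core_ioctl() has run and is passed straight to copy_to_user() as the length, so a handler that writes a size_out larger than the buffer it was given would make the kernel copy past the end of buf. The consistency check added in the first hunk runs before the handler, so it does not cover this value. Suggest dropping this hunk and keeping the clamp together with its vbg_debug() message, so the patch only adds the check it describes.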
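As an added illustration of the double-fetch window the commit message describes (example code, not code from the patch or from the vboxguest driver): a user-space C model of the ioctl entry path, run once without and once with the consistency check. The header layout, the buffer size and the VBG_IOCTL_HDR_VERSION value are simplified stand-ins for the kernel definitions, and the "racing" writer is modelled as a direct store between the two copies.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>

/* Stand-in constant and simplified header layout for this user-space model; the
 * real struct vbg_ioctl_hdr and VBG_IOCTL_HDR_VERSION are kernel definitions. */
#define VBG_IOCTL_HDR_VERSION 0x10001
#define BUF_SIZE 64

struct vbg_ioctl_hdr { uint32_t size_in; uint32_t version; uint32_t size_out; };

/* Models vbg_misc_device_ioctl(): fetch the header, validate it, size the kernel
 * buffer, then fetch the whole argument. With race set, a concurrent userspace
 * writer rewrites size_out between the fetches. Returns the size_out the handler
 * would go on to trust, or -EINVAL. */
static long model_ioctl(uint8_t *arg, int race, int hardened)
{
    struct vbg_ioctl_hdr hdr;
    _Alignas(4) uint8_t buf[BUF_SIZE];
    const struct vbg_ioctl_hdr *second;
    size_t size;

    memcpy(&hdr, arg, sizeof(hdr));                    /* first fetch (copy_from_user) */
    if (hdr.version != VBG_IOCTL_HDR_VERSION)
        return -EINVAL;
    if (hdr.size_in < sizeof(hdr) || hdr.size_out < sizeof(hdr))
        return -EINVAL;
    size = hdr.size_in > hdr.size_out ? hdr.size_in : hdr.size_out;
    if (size > BUF_SIZE)
        return -EINVAL;                                /* buffer sized from the validated header */
    if (race)                                          /* the TOCTOU window */
        ((struct vbg_ioctl_hdr *)arg)->size_out = 4000; /* far larger than BUF_SIZE */

    memcpy(buf, arg, hdr.size_in);                     /* second fetch (copy_from_user) */
    second = (const struct vbg_ioctl_hdr *)buf;
    if (hardened && (second->version != hdr.version ||
                     second->size_in != hdr.size_in ||
                     second->size_out != hdr.size_out))
        return -EINVAL;                                /* the patch's consistency check */
    return second->size_out;
}

/* Builds a constructed, well-formed argument and runs one scenario. */
long run_scenario(int race, int hardened)
{
    _Alignas(4) uint8_t arg[BUF_SIZE] = {0};
    struct vbg_ioctl_hdr *h = (struct vbg_ioctl_hdr *)arg;
    h->version = VBG_IOCTL_HDR_VERSION; h->size_in = 32; h->size_out = 32;
    return model_ioctl(arg, race, hardened);
}
```

Without the check, the racing write makes the handler trust a size_out of 4000 against a 64-byte buffer; with it, the mismatch is caught and -EINVAL is returned.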