From: Wenwen Wang
To: Wenwen Wang
Cc: Kangjie Lu, Hans de Goede, Arnd Bergmann, Greg Kroah-Hartman, linux-kernel@vger.kernel.org (open list)
Subject: [PATCH v2] virt: vbox: Only copy_from_user the request-header once
Date: Tue, 8 May 2018 08:50:28 -0500
Message-Id: <1525787428-26702-1-git-send-email-wang6495@umn.edu>
X-Mailer: git-send-email 2.7.4
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

In vbg_misc_device_ioctl(), the header of the ioctl argument is copied from
the userspace pointer 'arg' and saved to the kernel object 'hdr'. Then the
'version', 'size_in', and 'size_out' fields of 'hdr' are verified. Before this
commit, after the checks a buffer for the entire request would be allocated
and then all data including the verified header would be copied from the
userspace 'arg' pointer again.

Given that the 'arg' pointer resides in userspace, a malicious userspace
process can race to change the data pointed to by 'arg' between the two
copies. By doing so, the user can bypass the verifications on the ioctl
argument.

This commit fixes this by using the already checked copy of the header to
fill the header part of the allocated buffer and only copying the remainder
of the data from userspace.

Signed-off-by: Wenwen Wang
---
 drivers/virt/vboxguest/vboxguest_linux.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/virt/vboxguest/vboxguest_linux.c b/drivers/virt/vboxguest/vboxguest_linux.c
index 398d226..6e2a961 100644
--- a/drivers/virt/vboxguest/vboxguest_linux.c
+++ b/drivers/virt/vboxguest/vboxguest_linux.c
@@ -121,7 +121,9 @@ static long vbg_misc_device_ioctl(struct file *filp, unsigned int req,
 	if (!buf)
 		return -ENOMEM;
 
-	if (copy_from_user(buf, (void *)arg, hdr.size_in)) {
+	*((struct vbg_ioctl_hdr *)buf) = hdr;
+	if (copy_from_user(buf + sizeof(hdr), (void *)arg + sizeof(hdr),
+			   hdr.size_in - sizeof(hdr))) {
 		ret = -EFAULT;
 		goto out;
 	}
-- 
2.7.4
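Review bot: the length `hdr.size_in - sizeof(hdr)` on the third `+` line is only safe if the 'size_in' verification the commit message refers to includes a lower bound of `sizeof(hdr)`; that check is outside this hunk, so please confirm it is there (or restate the invariant in a short comment above the copy), otherwise a later change to the validation would turn this subtraction into an unsigned underflow and a huge copy length. Minor, and pre-existing from the removed line: `(void *)arg + sizeof(hdr)` does arithmetic on `void *` (a GCC extension the kernel tolerates) and drops the `__user` annotation, so sparse cannot check the address space of the source pointer; `(void __user *)arg` would keep that. The struct assignment through `(struct vbg_ioctl_hdr *)buf` is fine given `buf` comes from the allocator and is suitably aligned; `memcpy(buf, &hdr, sizeof(hdr))` would express the same thing without the cast.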
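The double fetch the commit message describes can be reproduced deterministically in user space. The following is an added example, not code from the patch or from the vboxguest driver: a mock `copy_from_user()` reads from a constructed "user" buffer and runs a hook after each fetch, standing in for a second userspace thread that rewrites the header between the two copies. `handle_ioctl()` implements both shapes of the handler, the pre-patch one (header fetched twice) and the patched one (checked header reused, only the remainder fetched), and returns the `size_in` value that ends up in the request buffer, i.e. what later request processing would trust. The struct layout, the `validate_hdr()` rules, `MAX_REQ`, and all function names are assumptions for the illustration, not the driver's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for struct vbg_ioctl_hdr; field set and layout are assumed. */
struct ioctl_hdr {
	uint32_t size_in;
	uint32_t size_out;
	uint32_t version;
};

#define HDR_VERSION	1u
#define MAX_REQ		4096u		/* assumed upper bound on a request */
#define EINVAL		22
#define EFAULT		14
#define ENOMEM		12

/* Constructed "user" memory (union keeps the header aligned) plus a hook
 * that runs after every fetch, playing the role of a racing user thread. */
static union {
	struct ioctl_hdr hdr;
	unsigned char bytes[MAX_REQ];
} user_mem;
static int fetch_count;
static void (*after_fetch)(void);

static int mock_copy_from_user(void *dst, const void *src, size_t n)
{
	memcpy(dst, src, n);		/* always succeeds, like a valid user pointer */
	fetch_count++;
	if (after_fetch)
		after_fetch();
	return 0;			/* 0 == success, as copy_from_user() */
}

static int validate_hdr(const struct ioctl_hdr *hdr)
{
	if (hdr->version != HDR_VERSION)
		return -EINVAL;
	if (hdr->size_in < sizeof(*hdr) || hdr->size_in > MAX_REQ)
		return -EINVAL;
	if (hdr->size_out < sizeof(*hdr) || hdr->size_out > MAX_REQ)
		return -EINVAL;
	return 0;
}

/* Returns the size_in found in the request buffer after the copy, or -errno. */
static long handle_ioctl(const void *arg, int fixed)
{
	struct ioctl_hdr hdr;
	unsigned char *buf;
	long seen;

	if (mock_copy_from_user(&hdr, arg, sizeof(hdr)))
		return -EFAULT;
	if (validate_hdr(&hdr))
		return -EINVAL;
	buf = malloc(hdr.size_in > hdr.size_out ? hdr.size_in : hdr.size_out);
	if (!buf)
		return -ENOMEM;
	if (!fixed) {
		/* Pre-patch shape: the header is fetched a second time, so the
		 * checked copy in 'hdr' is replaced by whatever is there now. */
		if (mock_copy_from_user(buf, arg, hdr.size_in))
			goto fault;
	} else {
		/* Patch shape: reuse the checked header and fetch only the rest.
		 * The subtraction cannot underflow because validate_hdr()
		 * enforced size_in >= sizeof(hdr). */
		memcpy(buf, &hdr, sizeof(hdr));
		if (mock_copy_from_user(buf + sizeof(hdr),
					(const unsigned char *)arg + sizeof(hdr),
					hdr.size_in - sizeof(hdr)))
			goto fault;
	}
	seen = ((struct ioctl_hdr *)buf)->size_in;
	free(buf);
	return seen;
fault:
	free(buf);
	return -EFAULT;
}

#define GOOD_SIZE	64u
#define RACED_SIZE	(MAX_REQ + 1)	/* would never pass validate_hdr() */

/* The "other thread": rewrite size_in right after the header was checked. */
static void race_after_first_fetch(void)
{
	if (fetch_count == 1)
		user_mem.hdr.size_in = RACED_SIZE;
}

/* Build a valid request, optionally enable the racing writer, run a handler.
 * Returns the size_in the handler ended up trusting. */
static long run_scenario(int racing, int fixed)
{
	memset(user_mem.bytes, 0xAB, sizeof(user_mem.bytes));	/* constructed payload */
	user_mem.hdr.size_in = GOOD_SIZE;
	user_mem.hdr.size_out = GOOD_SIZE;
	user_mem.hdr.version = HDR_VERSION;
	fetch_count = 0;
	after_fetch = racing ? race_after_first_fetch : NULL;
	return handle_ioctl(user_mem.bytes, fixed);
}
```

Calling `run_scenario(1, 0)` yields 4097, a value `validate_hdr()` would have rejected, while `run_scenario(1, 1)` yields 64 under the same race: with a single fetch of the header there is no window in which the checked and the used values can diverge, which is exactly the property the patch relies on.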