debian-packaging
/
linux
8
0
Fork 0
Code Releases Activity

[x86] virt: vbox: Only copy_from_user the request-header once (CVE-2018-12633)

This commit is contained in:
Ben Hutchings 2018-06-26 00:25:31 +01:00
parent d6b55c2dde
commit 4eabac8481
3 changed files with 46 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
debian/changelog vendored
View File

@ -18,6 +18,8 @@ linux (4.17.2-1) UNRELEASED; urgency=medium
* ext4: bubble errors from ext4_find_inline_data_nolock() up to ext4_iget()
* socket: close race condition between sock_close() and sockfs_setattr()
(CVE-2018-12232)
* [x86] virt: vbox: Only copy_from_user the request-header once
(CVE-2018-12633)
[ Romain Perier ]
* [x86] Enable DCN 1.0 Raven family (Closes #901349)

43
debian/patches/bugfix/x86/virt-vbox-Only-copy_from_user-the-request-header-onc.patch vendored Normal file
View File

@ -0,0 +1,43 @@
From: Wenwen Wang <wang6495@umn.edu>
Date: Tue, 8 May 2018 08:50:28 -0500
Subject: virt: vbox: Only copy_from_user the request-header once
Origin: https://git.kernel.org/linus/bd23a7269834dc7c1f93e83535d16ebc44b75eba
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-12633
In vbg_misc_device_ioctl(), the header of the ioctl argument is copied from
the userspace pointer 'arg' and saved to the kernel object 'hdr'. Then the
'version', 'size_in', and 'size_out' fields of 'hdr' are verified.
Before this commit, after the checks a buffer for the entire request would
be allocated and then all data including the verified header would be
copied from the userspace 'arg' pointer again.
Given that the 'arg' pointer resides in userspace, a malicious userspace
process can race to change the data pointed to by 'arg' between the two
copies. By doing so, the user can bypass the verifications on the ioctl
argument.
This commit fixes this by using the already checked copy of the header
to fill the header part of the allocated buffer and only copying the
remainder of the data from userspace.
Signed-off-by: Wenwen Wang <wang6495@umn.edu>
Reviewed-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/virt/vboxguest/vboxguest_linux.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/drivers/virt/vboxguest/vboxguest_linux.c
+++ b/drivers/virt/vboxguest/vboxguest_linux.c
@@ -121,7 +121,9 @@ static long vbg_misc_device_ioctl(struct
if (!buf)
return -ENOMEM;
- if (copy_from_user(buf, (void *)arg, hdr.size_in)) {
+ *((struct vbg_ioctl_hdr *)buf) = hdr;
+ if (copy_from_user(buf + sizeof(hdr), (void *)arg + sizeof(hdr),
+ hdr.size_in - sizeof(hdr))) {
ret = -EFAULT;
goto out;
}

1
debian/patches/series vendored
View File

@ -130,6 +130,7 @@ bugfix/all/ext4-correctly-handle-a-zero-length-xattr-with-a-non.patch
bugfix/all/ext4-do-not-allow-external-inodes-for-inline-data.patch
bugfix/all/ext4-bubble-errors-from-ext4_find_inline_data_nolock.patch
bugfix/all/socket-close-race-condition-between-sock_close-and-s.patch
bugfix/x86/virt-vbox-Only-copy_from_user-the-request-header-onc.patch
# Fix exported symbol versions
bugfix/all/module-disable-matching-missing-version-crc.patch