[x86] virt: vbox: Only copy_from_user the request-header once (CVE-2018-12633)
This commit is contained in:
parent
d6b55c2dde
commit
4eabac8481
|
@ -18,6 +18,8 @@ linux (4.17.2-1) UNRELEASED; urgency=medium
|
|||
* ext4: bubble errors from ext4_find_inline_data_nolock() up to ext4_iget()
|
||||
* socket: close race condition between sock_close() and sockfs_setattr()
|
||||
(CVE-2018-12232)
|
||||
* [x86] virt: vbox: Only copy_from_user the request-header once
|
||||
(CVE-2018-12633)
|
||||
|
||||
[ Romain Perier ]
|
||||
* [x86] Enable DCN 1.0 Raven family (Closes #901349)
|
||||
|
|
43
debian/patches/bugfix/x86/virt-vbox-Only-copy_from_user-the-request-header-onc.patch
vendored
Normal file
43
debian/patches/bugfix/x86/virt-vbox-Only-copy_from_user-the-request-header-onc.patch
vendored
Normal file
|
@ -0,0 +1,43 @@
|
|||
From: Wenwen Wang <wang6495@umn.edu>
|
||||
Date: Tue, 8 May 2018 08:50:28 -0500
|
||||
Subject: virt: vbox: Only copy_from_user the request-header once
|
||||
Origin: https://git.kernel.org/linus/bd23a7269834dc7c1f93e83535d16ebc44b75eba
|
||||
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-12633
|
||||
|
||||
In vbg_misc_device_ioctl(), the header of the ioctl argument is copied from
|
||||
the userspace pointer 'arg' and saved to the kernel object 'hdr'. Then the
|
||||
'version', 'size_in', and 'size_out' fields of 'hdr' are verified.
|
||||
|
||||
Before this commit, after the checks a buffer for the entire request would
|
||||
be allocated and then all data including the verified header would be
|
||||
copied from the userspace 'arg' pointer again.
|
||||
|
||||
Given that the 'arg' pointer resides in userspace, a malicious userspace
|
||||
process can race to change the data pointed to by 'arg' between the two
|
||||
copies. By doing so, the user can bypass the verifications on the ioctl
|
||||
argument.
|
||||
|
||||
This commit fixes this by using the already checked copy of the header
|
||||
to fill the header part of the allocated buffer and only copying the
|
||||
remainder of the data from userspace.
|
||||
|
||||
Signed-off-by: Wenwen Wang <wang6495@umn.edu>
|
||||
Reviewed-by: Hans de Goede <hdegoede@redhat.com>
|
||||
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||||
---
|
||||
drivers/virt/vboxguest/vboxguest_linux.c | 4 +++-
|
||||
1 file changed, 3 insertions(+), 1 deletion(-)
|
||||
|
||||
--- a/drivers/virt/vboxguest/vboxguest_linux.c
|
||||
+++ b/drivers/virt/vboxguest/vboxguest_linux.c
|
||||
@@ -121,7 +121,9 @@ static long vbg_misc_device_ioctl(struct
|
||||
if (!buf)
|
||||
return -ENOMEM;
|
||||
|
||||
- if (copy_from_user(buf, (void *)arg, hdr.size_in)) {
|
||||
+ *((struct vbg_ioctl_hdr *)buf) = hdr;
|
||||
+ if (copy_from_user(buf + sizeof(hdr), (void *)arg + sizeof(hdr),
|
||||
+ hdr.size_in - sizeof(hdr))) {
|
||||
ret = -EFAULT;
|
||||
goto out;
|
||||
}
|
|
@ -130,6 +130,7 @@ bugfix/all/ext4-correctly-handle-a-zero-length-xattr-with-a-non.patch
|
|||
bugfix/all/ext4-do-not-allow-external-inodes-for-inline-data.patch
|
||||
bugfix/all/ext4-bubble-errors-from-ext4_find_inline_data_nolock.patch
|
||||
bugfix/all/socket-close-race-condition-between-sock_close-and-s.patch
|
||||
bugfix/x86/virt-vbox-Only-copy_from_user-the-request-header-onc.patch
|
||||
|
||||
# Fix exported symbol versions
|
||||
bugfix/all/module-disable-matching-missing-version-crc.patch
|
||||
|
|
Loading…
Reference in New Issue