From 4eabac8481070640376e52af27ba12a4a80a5fb0 Mon Sep 17 00:00:00 2001 From: Ben Hutchings Date: Tue, 26 Jun 2018 00:25:31 +0100 Subject: [PATCH] [x86] virt: vbox: Only copy_from_user the request-header once (CVE-2018-12633) --- debian/changelog | 2 + ...opy_from_user-the-request-header-onc.patch | 43 +++++++++++++++++++ debian/patches/series | 1 + 3 files changed, 46 insertions(+) create mode 100644 debian/patches/bugfix/x86/virt-vbox-Only-copy_from_user-the-request-header-onc.patch diff --git a/debian/changelog b/debian/changelog index b61c693fe..4a23ffd45 100644 --- a/debian/changelog +++ b/debian/changelog @@ -18,6 +18,8 @@ linux (4.17.2-1) UNRELEASED; urgency=medium * ext4: bubble errors from ext4_find_inline_data_nolock() up to ext4_iget() * socket: close race condition between sock_close() and sockfs_setattr() (CVE-2018-12232) + * [x86] virt: vbox: Only copy_from_user the request-header once + (CVE-2018-12633) [ Romain Perier ] * [x86] Enable DCN 1.0 Raven family (Closes #901349) diff --git a/debian/patches/bugfix/x86/virt-vbox-Only-copy_from_user-the-request-header-onc.patch b/debian/patches/bugfix/x86/virt-vbox-Only-copy_from_user-the-request-header-onc.patch new file mode 100644 index 000000000..4f4db6fe2 --- /dev/null +++ b/debian/patches/bugfix/x86/virt-vbox-Only-copy_from_user-the-request-header-onc.patch @@ -0,0 +1,43 @@ +From: Wenwen Wang +Date: Tue, 8 May 2018 08:50:28 -0500 +Subject: virt: vbox: Only copy_from_user the request-header once +Origin: https://git.kernel.org/linus/bd23a7269834dc7c1f93e83535d16ebc44b75eba +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-12633 + +In vbg_misc_device_ioctl(), the header of the ioctl argument is copied from +the userspace pointer 'arg' and saved to the kernel object 'hdr'. Then the +'version', 'size_in', and 'size_out' fields of 'hdr' are verified. + +Before this commit, after the checks a buffer for the entire request would +be allocated and then all data including the verified header would be +copied from the userspace 'arg' pointer again. + +Given that the 'arg' pointer resides in userspace, a malicious userspace +process can race to change the data pointed to by 'arg' between the two +copies. By doing so, the user can bypass the verifications on the ioctl +argument. + +This commit fixes this by using the already checked copy of the header +to fill the header part of the allocated buffer and only copying the +remainder of the data from userspace. + +Signed-off-by: Wenwen Wang +Reviewed-by: Hans de Goede +Signed-off-by: Greg Kroah-Hartman +--- + drivers/virt/vboxguest/vboxguest_linux.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/virt/vboxguest/vboxguest_linux.c ++++ b/drivers/virt/vboxguest/vboxguest_linux.c +@@ -121,7 +121,9 @@ static long vbg_misc_device_ioctl(struct + if (!buf) + return -ENOMEM; + +- if (copy_from_user(buf, (void *)arg, hdr.size_in)) { ++ *((struct vbg_ioctl_hdr *)buf) = hdr; ++ if (copy_from_user(buf + sizeof(hdr), (void *)arg + sizeof(hdr), ++ hdr.size_in - sizeof(hdr))) { + ret = -EFAULT; + goto out; + } diff --git a/debian/patches/series b/debian/patches/series index d55902246..c1793b83e 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -130,6 +130,7 @@ bugfix/all/ext4-correctly-handle-a-zero-length-xattr-with-a-non.patch bugfix/all/ext4-do-not-allow-external-inodes-for-inline-data.patch bugfix/all/ext4-bubble-errors-from-ext4_find_inline_data_nolock.patch bugfix/all/socket-close-race-condition-between-sock_close-and-s.patch +bugfix/x86/virt-vbox-Only-copy_from_user-the-request-header-onc.patch # Fix exported symbol versions bugfix/all/module-disable-matching-missing-version-crc.patch