Fix CVE-2018-12633 (rhbz 1594170 1594172)
parent c9cb169d5e
commit 052e62cec7
@ -0,0 +1,47 @@
From bd23a7269834dc7c1f93e83535d16ebc44b75eba Mon Sep 17 00:00:00 2001
From: Wenwen Wang <wang6495@umn.edu>
Date: Tue, 8 May 2018 08:50:28 -0500
Subject: [PATCH] virt: vbox: Only copy_from_user the request-header once

In vbg_misc_device_ioctl(), the header of the ioctl argument is copied from
the userspace pointer 'arg' and saved to the kernel object 'hdr'. Then the
'version', 'size_in', and 'size_out' fields of 'hdr' are verified.

Before this commit, after the checks a buffer for the entire request would
be allocated and then all data including the verified header would be
copied from the userspace 'arg' pointer again.

Given that the 'arg' pointer resides in userspace, a malicious userspace
process can race to change the data pointed to by 'arg' between the two
copies. By doing so, the user can bypass the verifications on the ioctl
argument.

This commit fixes this by using the already checked copy of the header
to fill the header part of the allocated buffer and only copying the
remainder of the data from userspace.

Signed-off-by: Wenwen Wang <wang6495@umn.edu>
Reviewed-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/virt/vboxguest/vboxguest_linux.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/virt/vboxguest/vboxguest_linux.c b/drivers/virt/vboxguest/vboxguest_linux.c
index 398d22693234..6e2a9619192d 100644
--- a/drivers/virt/vboxguest/vboxguest_linux.c
+++ b/drivers/virt/vboxguest/vboxguest_linux.c
@@ -121,7 +121,9 @@ static long vbg_misc_device_ioctl(struct file *filp, unsigned int req,
if (!buf)
return -ENOMEM;

- if (copy_from_user(buf, (void *)arg, hdr.size_in)) {
+ *((struct vbg_ioctl_hdr *)buf) = hdr;
+ if (copy_from_user(buf + sizeof(hdr), (void *)arg + sizeof(hdr),
+ hdr.size_in - sizeof(hdr))) {
ret = -EFAULT;
goto out;
}
--
2.17.1

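Review bot: the length argument `hdr.size_in - sizeof(hdr)` in the new copy_from_user call is only safe if size_in was checked to be at least sizeof(hdr) before the buffer was allocated; the commit message says the 'size_in' field is verified, but that check lies outside this hunk's context, so confirm it bounds size_in from below as well as from above, otherwise the subtraction underflows. With that confirmed, the change has the right shape for a double-fetch fix: the header part of buf is filled from the already validated kernel copy (`*((struct vbg_ioctl_hdr *)buf) = hdr;`) and only the bytes after the header are read from 'arg', so a concurrent rewrite of the header in userspace between the two copies can no longer bypass the version and size checks.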
@ -651,6 +651,9 @@ Patch509: rtc-nvmem-don-t-return-an-error-when-not-enabled.patch
Patch510: 1-2-xen-netfront-Fix-mismatched-rtnl_unlock.patch
Patch511: 2-2-xen-netfront-Update-features-after-registering-netdev.patch

# CVE-2018-12633 rhbz 1594170 1594172
Patch512: 0001-virt-vbox-Only-copy_from_user-the-request-header-onc.patch

# END OF PATCH DEFINITIONS

%endif
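Review bot: the comment above Patch512 records the CVE and the two rhbz ids but not the upstream commit, although the patch file's From line carries bd23a7269834dc7c1f93e83535d16ebc44b75eba; adding it (e.g. `# CVE-2018-12633 rhbz 1594170 1594172, upstream bd23a7269834`) makes it straightforward to drop the patch once a rebase picks the fix up. The definition also sits inside the conditional block closed by the following `%endif`, so confirm that condition covers every build variant that ships drivers/virt/vboxguest.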
@ -1900,6 +1903,9 @@ fi
#
#
%changelog
* Fri Jun 22 2018 Justin M. Forbes <jforbes@fedoraproject.org>
- Fix CVE-2018-12633 (rhbz 1594170 1594172)

* Thu Jun 21 2018 Laura Abbott <labbott@fedoraproject.org>
- Fix for Xen MTU issue (rhbz 1584216)
