diff options
| author | Hans de Goede <hdegoede@redhat.com> | 2019-04-04 14:39:09 +0200 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2019-05-16 19:41:18 +0200 |
| commit | 4c416eef65a7ef2a897132b843e9900a18afde8d (patch) | |
| tree | 6cd66890a235b0408b6d35e416c0865166658e9c | |
| parent | e361ccccdd51f45a2d54f6454192acda06cb2598 (diff) | |
virt: vbox: Sanity-check parameter types for hgcm-calls coming from userspace
commit cf4f2ad6b87dda2dbe0573b1ebeb0273f8d4aac6 upstream.
Userspace can make host function calls, called hgcm-calls through the
/dev/vboxguest device.
In this case we should not accept all hgcm-function-parameter-types, some
are only valid for in kernel calls.
This commit adds proper hgcm-function-parameter-type validation to the
ioctl for doing a hgcm-call from userspace.
Cc: stable@vger.kernel.org
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| -rw-r--r-- | drivers/virt/vboxguest/vboxguest_core.c | 31 |
1 files changed, 31 insertions, 0 deletions
diff --git a/drivers/virt/vboxguest/vboxguest_core.c b/drivers/virt/vboxguest/vboxguest_core.c index 1475ed5ffcde..0afef60d0638 100644 --- a/drivers/virt/vboxguest/vboxguest_core.c +++ b/drivers/virt/vboxguest/vboxguest_core.c @@ -1263,6 +1263,20 @@ static int vbg_ioctl_hgcm_disconnect(struct vbg_dev *gdev, return ret; } +static bool vbg_param_valid(enum vmmdev_hgcm_function_parameter_type type) +{ + switch (type) { + case VMMDEV_HGCM_PARM_TYPE_32BIT: + case VMMDEV_HGCM_PARM_TYPE_64BIT: + case VMMDEV_HGCM_PARM_TYPE_LINADDR: + case VMMDEV_HGCM_PARM_TYPE_LINADDR_IN: + case VMMDEV_HGCM_PARM_TYPE_LINADDR_OUT: + return true; + default: + return false; + } +} + static int vbg_ioctl_hgcm_call(struct vbg_dev *gdev, struct vbg_session *session, bool f32bit, struct vbg_ioctl_hgcm_call *call) @@ -1298,6 +1312,23 @@ static int vbg_ioctl_hgcm_call(struct vbg_dev *gdev, } call->hdr.size_out = actual_size; + /* Validate parameter types */ + if (f32bit) { + struct vmmdev_hgcm_function_parameter32 *parm = + VBG_IOCTL_HGCM_CALL_PARMS32(call); + + for (i = 0; i < call->parm_count; i++) + if (!vbg_param_valid(parm[i].type)) + return -EINVAL; + } else { + struct vmmdev_hgcm_function_parameter *parm = + VBG_IOCTL_HGCM_CALL_PARMS(call); + + for (i = 0; i < call->parm_count; i++) + if (!vbg_param_valid(parm[i].type)) + return -EINVAL; + } + /* * Validate the client id. */ |