Commit 6fd04652 authored by Hans de Goede, committed by Greg Kroah-Hartman

virt: vbox: Sanity-check parameter types for hgcm-calls coming from userspace

commit cf4f2ad6 upstream.

Userspace can make host function calls, called hgcm-calls through the
/dev/vboxguest device.

In this case we should not accept all hgcm-function-parameter-types, some
are only valid for in kernel calls.

This commit adds proper hgcm-function-parameter-type validation to the
ioctl for doing a hgcm-call from userspace.

Cc: stable@vger.kernel.org
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
parent 777d3fa5
...@@ -1298,6 +1298,20 @@ static int vbg_ioctl_hgcm_disconnect(struct vbg_dev *gdev, ...@@ -1298,6 +1298,20 @@ static int vbg_ioctl_hgcm_disconnect(struct vbg_dev *gdev,
return ret; return ret;
} }
static bool vbg_param_valid(enum vmmdev_hgcm_function_parameter_type type)
{
switch (type) {
case VMMDEV_HGCM_PARM_TYPE_32BIT:
case VMMDEV_HGCM_PARM_TYPE_64BIT:
case VMMDEV_HGCM_PARM_TYPE_LINADDR:
case VMMDEV_HGCM_PARM_TYPE_LINADDR_IN:
case VMMDEV_HGCM_PARM_TYPE_LINADDR_OUT:
return true;
default:
return false;
}
}
static int vbg_ioctl_hgcm_call(struct vbg_dev *gdev, static int vbg_ioctl_hgcm_call(struct vbg_dev *gdev,
struct vbg_session *session, bool f32bit, struct vbg_session *session, bool f32bit,
struct vbg_ioctl_hgcm_call *call) struct vbg_ioctl_hgcm_call *call)
...@@ -1333,6 +1347,23 @@ static int vbg_ioctl_hgcm_call(struct vbg_dev *gdev, ...@@ -1333,6 +1347,23 @@ static int vbg_ioctl_hgcm_call(struct vbg_dev *gdev,
} }
call->hdr.size_out = actual_size; call->hdr.size_out = actual_size;
/* Validate parameter types */
if (f32bit) {
struct vmmdev_hgcm_function_parameter32 *parm =
VBG_IOCTL_HGCM_CALL_PARMS32(call);
for (i = 0; i < call->parm_count; i++)
if (!vbg_param_valid(parm[i].type))
return -EINVAL;
} else {
struct vmmdev_hgcm_function_parameter *parm =
VBG_IOCTL_HGCM_CALL_PARMS(call);
for (i = 0; i < call->parm_count; i++)
if (!vbg_param_valid(parm[i].type))
return -EINVAL;
}
/* /*
* Validate the client id. * Validate the client id.
*/ */
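Review bot: `vbg_param_valid()` carries no comment saying that it is an allow-list for calls that originate from userspace, so the name reads as general parameter validity. A later in-kernel caller could reuse it and reject types that are legitimate there, or a new enum value could be added to the switch without anyone weighing its exposure through /dev/vboxguest. I would put `/* Parameter types userspace may pass; all others are only valid for in-kernel calls. */` above the function. In the second hunk the two loops read `parm[i].type` for every `i < call->parm_count`, which is only safe if the size and count checks that presumably sit above `call->hdr.size_out = actual_size;` (outside this hunk) have already run; a short remark in the `/* Validate parameter types */` comment that it must stay after those checks would help. `vbg_ioctl_hgcm_call()` starts before and continues after the visible lines.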
......