[PATCH v2] misc: fastrpc: restrict user apps from sending kernel RPC messages

[PATCH v2] misc: fastrpc: restrict user apps from sending kernel RPC messages

[Dmitry Baryshkov]

Verify that user applications are not using the kernel RPC message
handle to restrict them from directly attaching to guest OS on the
remote subsystem. This is a port of CVE-2019-2308 fix.

Fixes: c68cfb718c8f ("misc: fastrpc: Add support for context Invoke method")
Cc: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
Cc: Jonathan Marek <jonathan@marek.ca>
Cc: stable@vger.kernel.org
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
---

Changes since v1:
 - changed to dev_warn_ratelimited to prevent userspace from flooding
   kernel log

 drivers/misc/fastrpc.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/drivers/misc/fastrpc.c b/drivers/misc/fastrpc.c
index f12e909034ac..beda610e6b30 100644
--- a/drivers/misc/fastrpc.c
+++ b/drivers/misc/fastrpc.c
@@ -950,6 +950,11 @@ static int fastrpc_internal_invoke(struct fastrpc_user *fl,  u32 kernel,
 	if (!fl->cctx->rpdev)
 		return -EPIPE;
 
+	if (handle == FASTRPC_INIT_HANDLE && !kernel) {
+		dev_warn_ratelimited(fl->sctx->dev, "user app trying to send a kernel RPC message (%d)\n",  handle);
+		return -EPERM;
+	}
+
 	ctx = fastrpc_context_alloc(fl, kernel, sc, args);
 	if (IS_ERR(ctx))
 		return PTR_ERR(ctx);
-- 
2.30.0

Re: [PATCH v2] misc: fastrpc: restrict user apps from sending kernel RPC messages

[Greg Kroah-Hartman]

On Fri, Feb 12, 2021 at 10:26:58PM +0300, Dmitry Baryshkov wrote:
> Verify that user applications are not using the kernel RPC message
> handle to restrict them from directly attaching to guest OS on the
> remote subsystem. This is a port of CVE-2019-2308 fix.

A port of the fix of what to what?

Is this to go only into a stable tree (if so what ones and what is the
id in Linus's tree), or is it to go into Linus's tree like normal (if so
how can this be a port)?

thanks,

greg k-h

Re: [PATCH v2] misc: fastrpc: restrict user apps from sending kernel RPC messages

[Dmitry Baryshkov]

On Sat, 13 Feb 2021 at 11:25, Greg Kroah-Hartman
<gregkh@linuxfoundation.org> wrote:
>
> On Fri, Feb 12, 2021 at 10:26:58PM +0300, Dmitry Baryshkov wrote:
> > Verify that user applications are not using the kernel RPC message
> > handle to restrict them from directly attaching to guest OS on the
> > remote subsystem. This is a port of CVE-2019-2308 fix.
>
> A port of the fix of what to what?

I'm sorry for the confusion. It is a port of the original
Qualcomm/CodeAurora fix to the upstream driver.

See https://source.codeaurora.org/quic/la/kernel/msm-4.9/commit/?id=cc2e11eeb988964af72309f71b0fb21c11ed6ca9,

> Is this to go only into a stable tree (if so what ones and what is the
> id in Linus's tree), or is it to go into Linus's tree like normal (if so
> how can this be a port)?

It's a port from QCI kernel, not a backport.
So I'd prefer for it to go into Linus's tree (and then be backported
to relevant -stable trees).

-- 
With best wishes
Dmitry

Re: [PATCH v2] misc: fastrpc: restrict user apps from sending kernel RPC messages

[Greg Kroah-Hartman]

On Mon, Mar 01, 2021 at 06:34:10PM +0300, Dmitry Baryshkov wrote:
> On Sat, 13 Feb 2021 at 11:25, Greg Kroah-Hartman
> <gregkh@linuxfoundation.org> wrote:
> >
> > On Fri, Feb 12, 2021 at 10:26:58PM +0300, Dmitry Baryshkov wrote:
> > > Verify that user applications are not using the kernel RPC message
> > > handle to restrict them from directly attaching to guest OS on the
> > > remote subsystem. This is a port of CVE-2019-2308 fix.
> >
> > A port of the fix of what to what?
> 
> I'm sorry for the confusion. It is a port of the original
> Qualcomm/CodeAurora fix to the upstream driver.
> 
> See https://source.codeaurora.org/quic/la/kernel/msm-4.9/commit/?id=cc2e11eeb988964af72309f71b0fb21c11ed6ca9,

So this is a fix from 2019 that you never submitted upstream causing all
of these kernels to be vulnerable?

Shouldn't the porting process go the other way, upstream first and then
backport?  That ensures we don't end up with 2 years old bugs like this
:(

Ugh.

What's going to change in the development process of this code to
prevent this from happening again?

thanks,

greg k-h

Re: [PATCH v2] misc: fastrpc: restrict user apps from sending kernel RPC messages

[Dmitry Baryshkov]

On Mon, 1 Mar 2021 at 18:48, Greg Kroah-Hartman
<gregkh@linuxfoundation.org> wrote:
>
> On Mon, Mar 01, 2021 at 06:34:10PM +0300, Dmitry Baryshkov wrote:
> > On Sat, 13 Feb 2021 at 11:25, Greg Kroah-Hartman
> > <gregkh@linuxfoundation.org> wrote:
> > >
> > > On Fri, Feb 12, 2021 at 10:26:58PM +0300, Dmitry Baryshkov wrote:
> > > > Verify that user applications are not using the kernel RPC message
> > > > handle to restrict them from directly attaching to guest OS on the
> > > > remote subsystem. This is a port of CVE-2019-2308 fix.
> > >
> > > A port of the fix of what to what?
> >
> > I'm sorry for the confusion. It is a port of the original
> > Qualcomm/CodeAurora fix to the upstream driver.
> >
> > See https://source.codeaurora.org/quic/la/kernel/msm-4.9/commit/?id=cc2e11eeb988964af72309f71b0fb21c11ed6ca9,
>
> So this is a fix from 2019 that you never submitted upstream causing all
> of these kernels to be vulnerable?

It seems there is some kind of confusion here.
Srinivas and Thierry have developed the fastrpc driver. It is not the
same as the driver developed by Qualcomm. However in this case it
suffers from the same problem as the original adsprpc driver..
We have submitted the fix as soon as we've noticed the issue.

> Shouldn't the porting process go the other way, upstream first and then
> backport?  That ensures we don't end up with 2 years old bugs like this
> :(
>
> Ugh.
>
> What's going to change in the development process of this code to
> prevent this from happening again?

-- 
With best wishes
Dmitry

Re: [PATCH v2] misc: fastrpc: restrict user apps from sending kernel RPC messages

[Greg Kroah-Hartman]

On Mon, Mar 01, 2021 at 08:45:34PM +0300, Dmitry Baryshkov wrote:
> On Mon, 1 Mar 2021 at 18:48, Greg Kroah-Hartman
> <gregkh@linuxfoundation.org> wrote:
> >
> > On Mon, Mar 01, 2021 at 06:34:10PM +0300, Dmitry Baryshkov wrote:
> > > On Sat, 13 Feb 2021 at 11:25, Greg Kroah-Hartman
> > > <gregkh@linuxfoundation.org> wrote:
> > > >
> > > > On Fri, Feb 12, 2021 at 10:26:58PM +0300, Dmitry Baryshkov wrote:
> > > > > Verify that user applications are not using the kernel RPC message
> > > > > handle to restrict them from directly attaching to guest OS on the
> > > > > remote subsystem. This is a port of CVE-2019-2308 fix.
> > > >
> > > > A port of the fix of what to what?
> > >
> > > I'm sorry for the confusion. It is a port of the original
> > > Qualcomm/CodeAurora fix to the upstream driver.
> > >
> > > See https://source.codeaurora.org/quic/la/kernel/msm-4.9/commit/?id=cc2e11eeb988964af72309f71b0fb21c11ed6ca9,
> >
> > So this is a fix from 2019 that you never submitted upstream causing all
> > of these kernels to be vulnerable?
> 
> It seems there is some kind of confusion here.
> Srinivas and Thierry have developed the fastrpc driver. It is not the
> same as the driver developed by Qualcomm. However in this case it
> suffers from the same problem as the original adsprpc driver..
> We have submitted the fix as soon as we've noticed the issue.

Ah, that makes more sense, thanks.

So really, it's not the same CVE issue, aren't they fun?  :)

thanks,

greg k-h