[PATCH] virt: vbox: Sanity-check parameter types for hgcm-calls coming from userspace

[PATCH] virt: vbox: Sanity-check parameter types for hgcm-calls coming from userspace

[Hans de Goede]

Userspace can make host function calls, called hgcm-calls through the
/dev/vboxguest device.

In this case we should not accept all hgcm-function-parameter-types, some
are only valid for in kernel calls.

This commit adds proper hgcm-function-parameter-type validation to the
ioctl for doing a hgcm-call from userspace.

Cc: stable@vger.kernel.org
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
---
 drivers/virt/vboxguest/vboxguest_core.c | 31 +++++++++++++++++++++++++
 1 file changed, 31 insertions(+)

diff --git a/drivers/virt/vboxguest/vboxguest_core.c b/drivers/virt/vboxguest/vboxguest_core.c
index 8ca333f21292..2307b0329aec 100644
--- a/drivers/virt/vboxguest/vboxguest_core.c
+++ b/drivers/virt/vboxguest/vboxguest_core.c
@@ -1298,6 +1298,20 @@ static int vbg_ioctl_hgcm_disconnect(struct vbg_dev *gdev,
 	return ret;
 }
 
+static bool vbg_param_valid(enum vmmdev_hgcm_function_parameter_type type)
+{
+	switch (type) {
+	case VMMDEV_HGCM_PARM_TYPE_32BIT:
+	case VMMDEV_HGCM_PARM_TYPE_64BIT:
+	case VMMDEV_HGCM_PARM_TYPE_LINADDR:
+	case VMMDEV_HGCM_PARM_TYPE_LINADDR_IN:
+	case VMMDEV_HGCM_PARM_TYPE_LINADDR_OUT:
+		return true;
+	default:
+		return false;
+	}
+}
+
 static int vbg_ioctl_hgcm_call(struct vbg_dev *gdev,
 			       struct vbg_session *session, bool f32bit,
 			       struct vbg_ioctl_hgcm_call *call)
@@ -1333,6 +1347,23 @@ static int vbg_ioctl_hgcm_call(struct vbg_dev *gdev,
 	}
 	call->hdr.size_out = actual_size;
 
+	/* Validate parameter types */
+	if (f32bit) {
+		struct vmmdev_hgcm_function_parameter32 *parm =
+			VBG_IOCTL_HGCM_CALL_PARMS32(call);
+
+		for (i = 0; i < call->parm_count; i++)
+			if (!vbg_param_valid(parm[i].type))
+				return -EINVAL;
+	} else {
+		struct vmmdev_hgcm_function_parameter *parm =
+			VBG_IOCTL_HGCM_CALL_PARMS(call);
+
+		for (i = 0; i < call->parm_count; i++)
+			if (!vbg_param_valid(parm[i].type))
+				return -EINVAL;
+	}
+
 	/*
 	 * Validate the client id.
 	 */
-- 
2.21.0

Re: [PATCH] virt: vbox: Sanity-check parameter types for hgcm-calls coming from userspace

[Hans de Goede]

Hi,

On 05-04-19 16:15, Sasha Levin wrote:
> Hi,
> 
> [This is an automated email]
> 
> This commit has been processed because it contains a -stable tag.
> The stable tag indicates that it's relevant for the following trees: all
> 
> The bot has tested the following trees: v5.0.6, v4.19.33, v4.14.110, v4.9.167, v4.4.178, v3.18.138.
> 
> v5.0.6: Build OK!
> v4.19.33: Build OK!
> v4.14.110: Failed to apply! Possible dependencies:
>      0ba002bc4393 ("virt: Add vboxguest driver for Virtual Box Guest integration")
> 
> v4.9.167: Failed to apply! Possible dependencies:
>      0ba002bc4393 ("virt: Add vboxguest driver for Virtual Box Guest integration")
> 
> v4.4.178: Failed to apply! Possible dependencies:
>      0ba002bc4393 ("virt: Add vboxguest driver for Virtual Box Guest integration")
> 
> v3.18.138: Failed to apply! Possible dependencies:
>      0ba002bc4393 ("virt: Add vboxguest driver for Virtual Box Guest integration")
> 
> 
> How should we proceed with this patch?

4.14 and older do not have the vboxguest driver, so just applying this to 4.19+ is
fine.

Regards,

Hans