
misc: fastrpc: restrict user apps from sending kernel RPC messages

Message ID 20210211233744.3348384-1-dmitry.baryshkov@linaro.org
State Superseded

Commit Message

Dmitry Baryshkov Feb. 11, 2021, 11:37 p.m. UTC
Verify that user applications are not using the kernel RPC message
handle to restrict them from directly attaching to guest OS on the
remote subsystem. This is a port of CVE-2019-2308 fix.

Fixes: c68cfb718c8f ("misc: fastrpc: Add support for context Invoke method")
Cc: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
Cc: Jonathan Marek <jonathan@marek.ca>
Cc: stable@vger.kernel.org
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>

---
 drivers/misc/fastrpc.c | 5 +++++
 1 file changed, 5 insertions(+)

-- 
2.30.0

Comments

Randy Dunlap Feb. 11, 2021, 11:40 p.m. UTC | #1
On 2/11/21 3:37 PM, Dmitry Baryshkov wrote:
> Verify that user applications are not using the kernel RPC message
> handle to restrict them from directly attaching to guest OS on the
> remote subsystem. This is a port of CVE-2019-2308 fix.
> 
> Fixes: c68cfb718c8f ("misc: fastrpc: Add support for context Invoke method")
> Cc: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
> Cc: Jonathan Marek <jonathan@marek.ca>
> Cc: stable@vger.kernel.org
> Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
> ---
>  drivers/misc/fastrpc.c | 5 +++++
>  1 file changed, 5 insertions(+)
> 
> diff --git a/drivers/misc/fastrpc.c b/drivers/misc/fastrpc.c

> index 815d01f785df..e7f3a22fdaa3 100644

> --- a/drivers/misc/fastrpc.c

> +++ b/drivers/misc/fastrpc.c

> @@ -948,6 +948,11 @@ static int fastrpc_internal_invoke(struct fastrpc_user *fl,  u32 kernel,

>  	if (!fl->cctx->rpdev)

>  		return -EPIPE;

>  

> +	if (handle == FASTRPC_INIT_HANDLE && !kernel) {

> +		dev_warn(fl->sctx->dev, "user app trying to send a kernel RPC message (%d)\n",  handle);


rate limit so that userspace cannot flood kernel log?

> +		return -EPERM;

> +	}

> +

>  	ctx = fastrpc_context_alloc(fl, kernel, sc, args);

>  	if (IS_ERR(ctx))

>  		return PTR_ERR(ctx);

> 
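Review bot: The `(%d)` argument in the added dev_warn() line carries no information: the branch is entered only when `handle == FASTRPC_INIT_HANDLE`, so the message always prints the same constant. Dropping the argument also removes the stray double space before `handle` and brings the line back to a reasonable length. If the value is kept, check that the format specifier matches the declared type of `handle`, which is not visible in this hunk.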



-- 
~Randy

Patch

diff --git a/drivers/misc/fastrpc.c b/drivers/misc/fastrpc.c
index 815d01f785df..e7f3a22fdaa3 100644
--- a/drivers/misc/fastrpc.c
+++ b/drivers/misc/fastrpc.c
@@ -948,6 +948,11 @@  static int fastrpc_internal_invoke(struct fastrpc_user *fl,  u32 kernel,
 	if (!fl->cctx->rpdev)
 		return -EPIPE;
 
+	if (handle == FASTRPC_INIT_HANDLE && !kernel) {
+		dev_warn(fl->sctx->dev, "user app trying to send a kernel RPC message (%d)\n",  handle);
+		return -EPERM;
+	}
+
 	ctx = fastrpc_context_alloc(fl, kernel, sc, args);
 	if (IS_ERR(ctx))
 		return PTR_ERR(ctx);
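Review bot: The dev_warn() inside the `!kernel` branch is reached by user applications by construction, so any process that can issue invokes can trigger it in a loop and fill the kernel log while the call itself is correctly refused with -EPERM. Use dev_warn_ratelimited() (or dev_warn_once()) for this message and keep the `return -EPERM;` as is. A one-line comment above the `if` stating that FASTRPC_INIT_HANDLE is reserved for kernel RPC messages would also document why the check sits ahead of fastrpc_context_alloc().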