From patchwork Thu Feb 11 23:37:44 2021
X-Patchwork-Submitter: Dmitry Baryshkov
X-Patchwork-Id: 381056
From: Dmitry Baryshkov
To: Arnd Bergmann, Greg Kroah-Hartman
Cc: linux-kernel@vger.kernel.org, Srinivas Kandagatla, Jonathan Marek, stable@vger.kernel.org
Subject: [PATCH] misc: fastrpc: restrict user apps from sending kernel RPC messages
Date: Fri, 12 Feb 2021 02:37:44 +0300
Message-Id: <20210211233744.3348384-1-dmitry.baryshkov@linaro.org>
X-Mailer: git-send-email 2.30.0
X-Mailing-List: stable@vger.kernel.org

Verify that user applications are not using the kernel RPC message handle to restrict them from directly attaching to guest OS on the remote subsystem. This is a port of CVE-2019-2308 fix.

Fixes: c68cfb718c8f ("misc: fastrpc: Add support for context Invoke method")
Cc: Srinivas Kandagatla
Cc: Jonathan Marek
Cc: stable@vger.kernel.org
Signed-off-by: Dmitry Baryshkov
---
 drivers/misc/fastrpc.c | 5 +++++
 1 file changed, 5 insertions(+)

--
2.30.0

diff --git a/drivers/misc/fastrpc.c b/drivers/misc/fastrpc.c index 815d01f785df..e7f3a22fdaa3 100644 --- a/drivers/misc/fastrpc.c +++ b/drivers/misc/fastrpc.c
@@ -948,6 +948,11 @@ static int fastrpc_internal_invoke(struct fastrpc_user *fl, u32 kernel, if (!fl->cctx->rpdev) return -EPIPE; + if (handle == FASTRPC_INIT_HANDLE && !kernel) { + dev_warn(fl->sctx->dev, "user app trying to send a kernel RPC message (%d)\n", handle); + return -EPERM; + } + ctx = fastrpc_context_alloc(fl, kernel, sc, args); if (IS_ERR(ctx)) return PTR_ERR(ctx);
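
Review bot: the dev_warn() in the new `handle == FASTRPC_INIT_HANDLE && !kernel` branch sits on a path that any user application can reach on every invoke, so a caller that keeps passing the init handle can fill the kernel log with this message. Use dev_warn_ratelimited(fl->sctx->dev, ...) there and keep the -EPERM return. The message prints handle with %d; if handle is declared unsigned (its declaration is outside this hunk), %u is the matching specifier. The new branch also dereferences fl->sctx, while the only check visible above it is on fl->cctx->rpdev, so it is worth confirming that fl->sctx cannot be NULL at this point.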