diff --git a/0001-virt-vbox-Only-copy_from_user-the-request-header-onc.patch b/0001-virt-vbox-Only-copy_from_user-the-request-header-onc.patch
new file mode 100644
index 000000000..ae10a4d1a
--- /dev/null
+++ b/0001-virt-vbox-Only-copy_from_user-the-request-header-onc.patch
@@ -0,0 +1,47 @@
+From bd23a7269834dc7c1f93e83535d16ebc44b75eba Mon Sep 17 00:00:00 2001
+From: Wenwen Wang
+Date: Tue, 8 May 2018 08:50:28 -0500
+Subject: [PATCH] virt: vbox: Only copy_from_user the request-header once
+
+In vbg_misc_device_ioctl(), the header of the ioctl argument is copied from
+the userspace pointer 'arg' and saved to the kernel object 'hdr'. Then the
+'version', 'size_in', and 'size_out' fields of 'hdr' are verified.
+
+Before this commit, after the checks a buffer for the entire request would
+be allocated and then all data including the verified header would be
+copied from the userspace 'arg' pointer again.
+
+Given that the 'arg' pointer resides in userspace, a malicious userspace
+process can race to change the data pointed to by 'arg' between the two
+copies. By doing so, the user can bypass the verifications on the ioctl
+argument.
+
+This commit fixes this by using the already checked copy of the header
+to fill the header part of the allocated buffer and only copying the
+remainder of the data from userspace.
+
+Signed-off-by: Wenwen Wang
+Reviewed-by: Hans de Goede
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/virt/vboxguest/vboxguest_linux.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/virt/vboxguest/vboxguest_linux.c b/drivers/virt/vboxguest/vboxguest_linux.c
+index 398d22693234..6e2a9619192d 100644
+--- a/drivers/virt/vboxguest/vboxguest_linux.c
++++ b/drivers/virt/vboxguest/vboxguest_linux.c
+@@ -121,7 +121,9 @@ static long vbg_misc_device_ioctl(struct file *filp, unsigned int req,
+ if (!buf)
+ return -ENOMEM;
+
+- if (copy_from_user(buf, (void *)arg, hdr.size_in)) {
++ *((struct vbg_ioctl_hdr *)buf) = hdr;
++ if (copy_from_user(buf + sizeof(hdr), (void *)arg + sizeof(hdr),
++ hdr.size_in - sizeof(hdr))) {
+ ret = -EFAULT;
+ goto out;
+ }
+-- 
+2.17.1
+
diff --git a/kernel.spec b/kernel.spec
index 41b03b97c..e785d651f 100644
--- a/kernel.spec
+++ b/kernel.spec
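Review bot: The new copy length `hdr.size_in - sizeof(hdr)` is an unsigned subtraction that wraps to a huge value if `size_in` is smaller than the header, so the added lines are only safe because of the `size_in` lower-bound check the commit message says is performed earlier in vbg_misc_device_ioctl(); that check is outside this hunk and cannot be confirmed here, so a one-line comment tying the two together would protect against a later refactor reordering them, e.g. `/* hdr.size_in >= sizeof(hdr) was verified above; copy only the payload */`. The assignment `*((struct vbg_ioctl_hdr *)buf) = hdr;` correctly reuses the already-validated kernel copy, which is what closes the double-fetch; the bytes after the header are still read from userspace exactly once, as intended. Both the removed and the added `copy_from_user` calls cast `arg` to plain `(void *)`; writing `(void __user *)arg + sizeof(hdr)` on the new line would let sparse check the address space of the new pointer arithmetic, unless the file already annotates this elsewhere. The enclosing function starts and ends outside the hunk, and this is a backport of an upstream commit, so any such comment belongs in a follow-up rather than in the carried patch.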
@@ -651,6 +651,9 @@ Patch509: rtc-nvmem-don-t-return-an-error-when-not-enabled.patch
 Patch510: 1-2-xen-netfront-Fix-mismatched-rtnl_unlock.patch
 Patch511: 2-2-xen-netfront-Update-features-after-registering-netdev.patch
+# CVE-2018-12633 rhbz 1594170 1594172
+Patch512: 0001-virt-vbox-Only-copy_from_user-the-request-header-onc.patch
+
 # END OF PATCH DEFINITIONS
 %endif
@@ -1900,6 +1903,9 @@ fi
 #
 #
 %changelog
+* Fri Jun 22 2018 Justin M. Forbes
+- Fix CVE-2018-12633 (rhbz 1594170 1594172)
+
 * Fri Jun 22 2018 Justin M. Forbes - 4.17.2-100
 - Linux v4.17.2 rebase