| Message ID | 20210408203230.28937-2-tim.gardner@canonical.com |
|---|---|
| State | Accepted |
| Headers | show |
| Series | [Focal:linux-oem-5.6,Groovy:linux] misc: fastrpc: restrict user apps from sending kernel RPC messages | expand |
On 08.04.21 22:32, Tim Gardner wrote: > From: Dmitry Baryshkov <dmitry.baryshkov@linaro.org> > > CVE-2021-28375 > > Verify that user applications are not using the kernel RPC message > handle to restrict them from directly attaching to guest OS on the > remote subsystem. This is a port of CVE-2019-2308 fix. > > Fixes: c68cfb718c8f ("misc: fastrpc: Add support for context Invoke method") > Cc: Srinivas Kandagatla <srinivas.kandagatla@linaro.org> > Cc: Jonathan Marek <jonathan@marek.ca> > Cc: stable@vger.kernel.org > Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org> > Link: https://lore.kernel.org/r/20210212192658.3476137-1-dmitry.baryshkov@linaro.org > Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> > (cherry picked from commit 20c40794eb85ea29852d7bc37c55713802a543d6) > Signed-off-by: Tim Gardner <tim.gardner@canonical.com> Acked-by: Stefan Bader <stefan.bader@canonical.com> > --- > drivers/misc/fastrpc.c | 5 +++++ > 1 file changed, 5 insertions(+) > > diff --git a/drivers/misc/fastrpc.c b/drivers/misc/fastrpc.c > index e3e085e33d46..547d4ae57f26 100644 > --- a/drivers/misc/fastrpc.c > +++ b/drivers/misc/fastrpc.c > @@ -935,6 +935,11 @@ static int fastrpc_internal_invoke(struct fastrpc_user *fl, u32 kernel, > if (!fl->cctx->rpdev) > return -EPIPE; > > + if (handle == FASTRPC_INIT_HANDLE && !kernel) { > + dev_warn_ratelimited(fl->sctx->dev, "user app trying to send a kernel RPC message (%d)\n", handle); > + return -EPERM; > + } > + > ctx = fastrpc_context_alloc(fl, kernel, sc, args); > if (IS_ERR(ctx)) > return PTR_ERR(ctx); >
On 08.04.21 22:32, Tim Gardner wrote: > From: Dmitry Baryshkov <dmitry.baryshkov@linaro.org> > > CVE-2021-28375 > > Verify that user applications are not using the kernel RPC message > handle to restrict them from directly attaching to guest OS on the > remote subsystem. This is a port of CVE-2019-2308 fix. > > Fixes: c68cfb718c8f ("misc: fastrpc: Add support for context Invoke method") > Cc: Srinivas Kandagatla <srinivas.kandagatla@linaro.org> > Cc: Jonathan Marek <jonathan@marek.ca> > Cc: stable@vger.kernel.org > Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org> > Link: https://lore.kernel.org/r/20210212192658.3476137-1-dmitry.baryshkov@linaro.org > Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> > (cherry picked from commit 20c40794eb85ea29852d7bc37c55713802a543d6) > Signed-off-by: Tim Gardner <tim.gardner@canonical.com> Acked-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com> Thanks > --- > drivers/misc/fastrpc.c | 5 +++++ > 1 file changed, 5 insertions(+) > > diff --git a/drivers/misc/fastrpc.c b/drivers/misc/fastrpc.c > index e3e085e33d46..547d4ae57f26 100644 > --- a/drivers/misc/fastrpc.c > +++ b/drivers/misc/fastrpc.c > @@ -935,6 +935,11 @@ static int fastrpc_internal_invoke(struct fastrpc_user *fl, u32 kernel, > if (!fl->cctx->rpdev) > return -EPIPE; > > + if (handle == FASTRPC_INIT_HANDLE && !kernel) { > + dev_warn_ratelimited(fl->sctx->dev, "user app trying to send a kernel RPC message (%d)\n", handle); > + return -EPERM; > + } > + > ctx = fastrpc_context_alloc(fl, kernel, sc, args); > if (IS_ERR(ctx)) > return PTR_ERR(ctx); >
applied to oem-5.6, thanks
diff --git a/drivers/misc/fastrpc.c b/drivers/misc/fastrpc.c index e3e085e33d46..547d4ae57f26 100644 --- a/drivers/misc/fastrpc.c +++ b/drivers/misc/fastrpc.c @@ -935,6 +935,11 @@ static int fastrpc_internal_invoke(struct fastrpc_user *fl, u32 kernel, if (!fl->cctx->rpdev) return -EPIPE; + if (handle == FASTRPC_INIT_HANDLE && !kernel) { + dev_warn_ratelimited(fl->sctx->dev, "user app trying to send a kernel RPC message (%d)\n", handle); + return -EPERM; + } + ctx = fastrpc_context_alloc(fl, kernel, sc, args); if (IS_ERR(ctx)) return PTR_ERR(ctx);