lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <a11cdbfa-142e-57ae-cd5b-5e8aebd5f4cf@infradead.org>
Date:   Thu, 11 Feb 2021 15:40:02 -0800
From:   Randy Dunlap <rdunlap@...radead.org>
To:     Dmitry Baryshkov <dmitry.baryshkov@...aro.org>,
        Arnd Bergmann <arnd@...db.de>,
        Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Cc:     linux-kernel@...r.kernel.org,
        Srinivas Kandagatla <srinivas.kandagatla@...aro.org>,
        Jonathan Marek <jonathan@...ek.ca>, stable@...r.kernel.org
Subject: Re: [PATCH] misc: fastrpc: restrict user apps from sending kernel RPC
 messages

On 2/11/21 3:37 PM, Dmitry Baryshkov wrote:
> Verify that user applications are not using the kernel RPC message
> handle to restrict them from directly attaching to guest OS on the
> remote subsystem. This is a port of CVE-2019-2308 fix.
> 
> Fixes: c68cfb718c8f ("misc: fastrpc: Add support for context Invoke method")
> Cc: Srinivas Kandagatla <srinivas.kandagatla@...aro.org>
> Cc: Jonathan Marek <jonathan@...ek.ca>
> Cc: stable@...r.kernel.org
> Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@...aro.org>
> ---
>  drivers/misc/fastrpc.c | 5 +++++
>  1 file changed, 5 insertions(+)
> 
> diff --git a/drivers/misc/fastrpc.c b/drivers/misc/fastrpc.c
> index 815d01f785df..e7f3a22fdaa3 100644
> --- a/drivers/misc/fastrpc.c
> +++ b/drivers/misc/fastrpc.c
> @@ -948,6 +948,11 @@ static int fastrpc_internal_invoke(struct fastrpc_user *fl,  u32 kernel,
>  	if (!fl->cctx->rpdev)
>  		return -EPIPE;
>  
> +	if (handle == FASTRPC_INIT_HANDLE && !kernel) {
> +		dev_warn(fl->sctx->dev, "user app trying to send a kernel RPC message (%d)\n",  handle);

rate limit so that userspace cannot flood kernel log?

> +		return -EPERM;
> +	}
> +
>  	ctx = fastrpc_context_alloc(fl, kernel, sc, args);
>  	if (IS_ERR(ctx))
>  		return PTR_ERR(ctx);
> 


-- 
~Randy

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ