On 2/11/21 3:37 PM, Dmitry Baryshkov wrote:
Verify that user applications are not using the kernel RPC message handle to restrict them from directly attaching to guest OS on the remote subsystem. This is a port of CVE-2019-2308 fix.
Fixes: c68cfb718c8f ("misc: fastrpc: Add support for context Invoke method")
Cc: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
Cc: Jonathan Marek <jonathan@marek.ca>
Cc: stable@vger.kernel.org
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
drivers/misc/fastrpc.c | 5 +++++ 1 file changed, 5 insertions(+)
diff --git a/drivers/misc/fastrpc.c b/drivers/misc/fastrpc.c index 815d01f785df..e7f3a22fdaa3 100644 --- a/drivers/misc/fastrpc.c +++ b/drivers/misc/fastrpc.c @@ -948,6 +948,11 @@ static int fastrpc_internal_invoke(struct fastrpc_user *fl, u32 kernel, if (!fl->cctx->rpdev) return -EPIPE;
- if (handle == FASTRPC_INIT_HANDLE && !kernel) {
dev_warn(fl->sctx->dev, "user app trying to send a kernel RPC message (%d)\n", handle);
Rate limit, so that userspace cannot flood the kernel log?
return -EPERM;
- }
- ctx = fastrpc_context_alloc(fl, kernel, sc, args); if (IS_ERR(ctx)) return PTR_ERR(ctx);
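Review bot: the dev_warn() added in this hunk fires on every rejected invoke and is reachable by any unprivileged process that can open the fastrpc device, so it should be dev_warn_ratelimited() (or dropped altogether) to prevent a userspace loop from flooding the kernel log, e.g. `dev_warn_ratelimited(fl->sctx->dev, "user app trying to send a kernel RPC message (%d)\n", handle);`. The placement itself looks right: the check comes after the `!fl->cctx->rpdev` test and before fastrpc_context_alloc(), so the -EPERM path returns without allocating a context that would then need freeing. If `handle` is declared u32 in the (cut-off) signature, `%u` rather than `%d` would match the type in the format string.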