From: Greg Kroah-Hartman <gre...@linuxfoundation.org>
From: Dmitry Baryshkov <dmitry.barysh...@linaro.org>
commit 20c40794eb85ea29852d7bc37c55713802a543d6 upstream.
Verify that user applications are not using the kernel RPC message
handle to restrict them from directly attaching to guest OS on the
remote subsystem. This is a port of CVE-2019-2308 fix.
Fixes: c68cfb718c8f ("misc: fastrpc: Add support for context Invoke method")
Cc: Srinivas Kandagatla <srinivas.kandaga...@linaro.org>
Cc: Jonathan Marek <jonat...@marek.ca>
Cc: sta...@vger.kernel.org
Signed-off-by: Dmitry Baryshkov <dmitry.barysh...@linaro.org>
Link:
https://lore.kernel.org/r/20210212192658.3476137-1-dmitry.barysh...@linaro.org
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>
---
drivers/misc/fastrpc.c | 5 +++++
1 file changed, 5 insertions(+)
--- a/drivers/misc/fastrpc.c
+++ b/drivers/misc/fastrpc.c
@@ -950,6 +950,11 @@ static int fastrpc_internal_invoke(struc
if (!fl->cctx->rpdev)
return -EPIPE;
+ if (handle == FASTRPC_INIT_HANDLE && !kernel) {
+ dev_warn_ratelimited(fl->sctx->dev, "user app trying to send a
kernel RPC message (%d)\n", handle);
+ return -EPERM;
+ }
+
ctx = fastrpc_context_alloc(fl, kernel, sc, args);
if (IS_ERR(ctx))
return PTR_ERR(ctx);
