From patchwork Wed May 27 14:37:06 2009
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Gregory Haskins
X-Patchwork-Id: 26494
Received: from vger.kernel.org (vger.kernel.org [209.132.176.167]) by demeter.kernel.org (8.14.2/8.14.2) with ESMTP id n4RFHIX9013034 for ; Wed, 27 May 2009 15:17:18 GMT
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1757685AbZE0PRM (ORCPT ); Wed, 27 May 2009 11:17:12 -0400
Received: (majordomo@vger.kernel.org) by vger.kernel.org id S1756832AbZE0PRM (ORCPT ); Wed, 27 May 2009 11:17:12 -0400
Received: from victor.provo.novell.com ([137.65.250.26]:45632 "EHLO victor.provo.novell.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1755609AbZE0PRL (ORCPT ); Wed, 27 May 2009 11:17:11 -0400
Received: from dev.haskins.net (prv-ext-foundry1.gns.novell.com [137.65.251.240]) by victor.provo.novell.com with ESMTP (TLS encrypted); Wed, 27 May 2009 09:16:02 -0600
Received: from dev.haskins.net (localhost [127.0.0.1]) by dev.haskins.net (Postfix) with ESMTP id 4BB584642DE; Wed, 27 May 2009 10:37:06 -0400 (EDT)
From: Gregory Haskins
Subject: [PATCH 2/2] kvm: validate irqfd type
To: mst@redhat.com
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, avi@redhat.com, davidel@xmailserver.org, mtosatti@redhat.com
Date: Wed, 27 May 2009 10:37:06 -0400
Message-ID: <20090527143706.14024.14341.stgit@dev.haskins.net>
In-Reply-To: <20090527143251.14024.89090.stgit@dev.haskins.net>
References: <20090527143251.14024.89090.stgit@dev.haskins.net>
User-Agent: StGIT/0.14.3
MIME-Version: 1.0
Sender: kvm-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: kvm@vger.kernel.org

We should be more vigilant in validating the fd type passed down for use in irqfd. A malicious userspace could do something nasty like pass the kvm fd which would cause problems such as a reference leak on the kvm object on shutdown. Therefore, we use the eventfd_fget() routine in place of the plain fget() to at least make sure it's of the proper type.

Reported-by: Michael S. Tsirkin
Signed-off-by: Gregory Haskins
---
 virt/kvm/eventfd.c | 3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

diff --git a/virt/kvm/eventfd.c b/virt/kvm/eventfd.c index c63ff6a..f3f2ea1 100644 --- a/virt/kvm/eventfd.c +++ b/virt/kvm/eventfd.c @@ -27,6 +27,7 @@ #include #include #include +#include /* * -------------------------------------------------------------------- @@ -102,7 +103,7 @@ kvm_assign_irqfd(struct kvm *kvm, int fd, int gsi) /* * Embed the file* lifetime in the irqfd. */ - file = fget(fd); + file = eventfd_fget(fd); if (IS_ERR(file)) { ret = PTR_ERR(file); goto fail;
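
Review bot: In the kvm_assign_irqfd() hunk, the changelog should also record that this swap is what makes the following `if (IS_ERR(file))` check effective: fget() returns NULL for a bad descriptor, which IS_ERR() does not catch, while eventfd_fget() returns an ERR_PTR, so before this change the `goto fail` path could not be taken on a failed lookup. That is a second fix beyond the type validation and deserves a sentence in the commit message. It would also help to say there, or in the comment above the call, that the check covers only the file type, which is what the "at least" in the description implies.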