We should be more vigilant in validating the fd type passed down for use in irqfd. A malicious userspace could do something nasty like pass the kvm fd, which would cause problems such as a reference leak on the kvm object on shutdown. Therefore, we use the eventfd_fget() routine in place of the plain fget() to at least make sure it's of the proper type.

Reported-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
Signed-off-by: Gregory Haskins <ghaskins@xxxxxxxxxx>
--- virt/kvm/eventfd.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) diff --git a/virt/kvm/eventfd.c b/virt/kvm/eventfd.c index c63ff6a..f3f2ea1 100644 --- a/virt/kvm/eventfd.c +++ b/virt/kvm/eventfd.c @@ -27,6 +27,7 @@ #include <linux/poll.h> #include <linux/file.h> #include <linux/list.h> +#include <linux/eventfd.h> /* * -------------------------------------------------------------------- @@ -102,7 +103,7 @@ kvm_assign_irqfd(struct kvm *kvm, int fd, int gsi) /* * Embed the file* lifetime in the irqfd. */ - file = fget(fd); + file = eventfd_fget(fd); if (IS_ERR(file)) { ret = PTR_ERR(file); goto fail;
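
Review bot: In the second hunk (kvm_assign_irqfd), the unchanged check `if (IS_ERR(file)) { ret = PTR_ERR(file);` only becomes correct with this change, and the commit message does not say so. fget() reports failure by returning NULL, which IS_ERR() does not catch, while eventfd_fget() returns an ERR_PTR, so the patch fixes the error path for a bad fd as well as the fd type check. Please mention that in the changelog so the fix is easy to identify for backporting, and consider extending the comment above the call ("Embed the file* lifetime in the irqfd.") to state that the fd must be an eventfd, since that is now an enforced part of the interface.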