From: Wenwen Wang
To: Wenwen Wang
Cc: Kangjie Lu, David Herrmann, Jiri Kosina, Benjamin Tissoires, linux-input@vger.kernel.org (open list:UHID USERSPACE HID IO DRIVER:), linux-kernel@vger.kernel.org (open list)
Subject: [PATCH] HID: uhid: fix a missing-check bug
Date: Fri, 4 May 2018 23:17:29 -0500
Message-Id: <1525493850-6952-1-git-send-email-wang6495@umn.edu>
X-Mailer: git-send-email 2.7.4
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

In uhid_event_from_user(), if it is in_compat_syscall(), the 'type' of the event is first fetched from the 'buffer' in userspace and checked. If the 'type' is UHID_CREATE, it is a messed up request with a compat pointer, which could be more than 256 bytes, so it is better allocated from the heap, as mentioned in the comment. Its fields are then prepared one by one instead of using a whole copy. For all other cases, the event object is copied directly from user space. In other words, based on the 'type', the memory size and structure of the event object vary.

Given that the 'buffer' resides in userspace, a malicious userspace process can race to change the 'type' between the two copies, which will cause inconsistency issues, potentially security issues. Plus, various operations such as uhid_dev_destroy() and uhid_dev_input() are performed based on 'type' in the function uhid_char_write(). If 'type' is modified by the user, there could be some issues such as uninitialized uses.

To fix this problem, we need to recheck the type after the second fetch to make sure it is not UHID_CREATE.

Signed-off-by: Wenwen Wang
---
 drivers/hid/uhid.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/drivers/hid/uhid.c b/drivers/hid/uhid.c
index 3c55073..0220385 100644
--- a/drivers/hid/uhid.c
+++ b/drivers/hid/uhid.c
@@ -447,11 +447,17 @@ static int uhid_event_from_user(const char __user *buffer, size_t len, event->u.create.country = compat->country; kfree(compat); - return 0; + } else { + if (copy_from_user(event, buffer, + min(len, sizeof(*event)))) + return -EFAULT; + if (event->type == UHID_CREATE) + return -EINVAL; } - /* All others can be copied directly */ + return 0; } + /* Others can be copied directly */ if (copy_from_user(event, buffer, min(len, sizeof(*event)))) return -EFAULT; -- 2.7.4
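Review bot: The new `} else {` branch in this hunk duplicates the `copy_from_user(event, buffer, min(len, sizeof(*event)))` call that already follows the in_compat_syscall() block, so the function now performs the same copy in two places; the race can be closed with a smaller diff by keeping the original `return 0;` in the UHID_CREATE branch and adding the re-check after the single common copy, e.g. `if (in_compat_syscall() && event->type == UHID_CREATE) return -EINVAL;`. An alternative worth considering is to overwrite `event->type` after the copy with the 'type' value the commit message says was already fetched and validated at the top of the compat path, so that uhid_char_write() dispatches on the checked value instead of rejecting a request whose type moved under it; either choice should be stated in the commit message. Minor: the relocated comment `/* Others can be copied directly */` now sits outside the compat block even though the new compat non-CREATE branch also copies directly, which makes its placement misleading.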