Received: by 10.192.165.148 with SMTP id m20csp2730888imm; Sun, 6 May 2018 23:27:57 -0700 (PDT) X-Google-Smtp-Source: AB8JxZpoWYtK0oyWOGb8lhLA4MASi4F66WZbOYoK/bNZq9cBXGAaHRbT8sRoy1I8GzTwU57XzZ4V X-Received: by 2002:a17:902:a5:: with SMTP id a34-v6mr36977445pla.58.1525674477801; Sun, 06 May 2018 23:27:57 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1525674477; cv=none; d=google.com; s=arc-20160816; b=Z5eHTNZgAlQ+TEZGZ7h6FvUnqm6RPnlxZZ2gMU+n/QDVegcoUA89BBBrkMjYB3nI1j /eRVT7Vsk8sngzH7cikFaHXOtT1XBaW3UOjycSu9oELzABdr3nhYyHWHl0LpaZQf967T 8dPdYkgP07LidcK82cGXr751QvtKq7LPiTS3mIpyUBsMDkvvAw9AP/hmTwpESV3DkimQ 9DU5rZa31ZWG3bsCc9dGB1quqYv4LOFw35UFuHPNewTk3wP4Di6HfBs2nGgck883ypOq pUtdhATe+6eVQOU2dOyhevwU9sdaYdhiBTG1fW+iKBciBUzQ3t2HLayjSQt45GHJJOfZ iRNw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :references:in-reply-to:mime-version:dkim-signature :arc-authentication-results; bh=p3EFOi8flM/9pHychdVnL0tDu8149+p0oMusgAh4dM4=; b=ykfoJiuXlSy0l/fF7SI/eWrck4fg3REVhsKsVHQn4tEAUh95aJI+0Xcbf/MAFV6CJK e0c+xgRUd51+/lQGypxXWB+Dy57OfiKdQNdo/ZlUXpPK4P4fHBOgISnt1cXL3bwjaXuR o1d8qiaRuxLt+fubXJHQhq1vVVCvraFe0lXAHcwEF4IOoUhfllGSpoe6k9m1IyzMV8Wp sOQgnoJ1REp5nSpfmweh1ZrMuUcXn6ZPx1K6Bxdelh0Wbki0dVyuNqAZZj5eIZ6rSjbp ky/Np36ERWaydP9ODNdXv4zoQuEYupwpzkCSo2OE7OsncTxdRKW0Uu40i1ll+06L/euy 6lzQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=CsYaHFbo; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id n3-v6si14513687pgp.344.2018.05.06.23.27.42; Sun, 06 May 2018 23:27:57 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=CsYaHFbo; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751855AbeEGG1b (ORCPT + 99 others); Mon, 7 May 2018 02:27:31 -0400 Received: from mail-it0-f67.google.com ([209.85.214.67]:55804 "EHLO mail-it0-f67.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750732AbeEGG13 (ORCPT ); Mon, 7 May 2018 02:27:29 -0400 Received: by mail-it0-f67.google.com with SMTP id 144-v6so10045019iti.5; Sun, 06 May 2018 23:27:29 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=p3EFOi8flM/9pHychdVnL0tDu8149+p0oMusgAh4dM4=; b=CsYaHFboCkrGBan+kEwQIIQxGlrFEKK+Ylt/wdWZjlOxCDXWYz6pkvpcTwu7rpJoYe ONIfBjgritVXG8c9Zaol/u7d0/Qna/KfEsFst3th0xxNgzbDc+VGFfHqECK7DsOq5EIs Md09q4PpvB+ShMOGMJStqVOlTTSKwuiF7ObbcBD56g51WVViI6K87QynQYHRfFPjNuZJ CicRcukcU/6KFom3q0iYnnSO1Ryv+oS6lCJx7MqR3T9eV7ulAaE0SeZ0FeDGWbZuG6LA uhBea7yWqE0LDsqYTfc+Pd4NRfdtgLea2YgR8Vk5d0yxerFVyhAc5/1OY6f+XSkahl7C jlTg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=p3EFOi8flM/9pHychdVnL0tDu8149+p0oMusgAh4dM4=; b=KTEykPiGfu4CH4Nha+bz4ajsLgQdd9l6kHRPrxZ+2MO8O6I/5r/VYAiFoKFXKr9N8C Wnh84jxS1+z1ICJAQ0XiMW4OosVtPdorQ4UPhKIhqn1Lw9VRFNNXiIcmFOO+nihr/2NF wi/y4B9A/SFGxHv2eM/z2JPPMvqnqd4rCDjuV0NkehkzpT6cTN9PMpAr4WIQpjxcV2I/ w5/GBRDORVjZaKXESjfk6nbi6VoVNBj0fgAip72r5tOYIsVh3OI7UvIJ0N/AZqG0qxYC JTgPmcHbvLZtvURoRZGhHuo46WwMoH+wAxs02b8QEwKcZNqFRswQtoGrgvB71B2ianvJ lCIg== X-Gm-Message-State: ALQs6tBobnN48jsALeP+gfmyuB1RbZRPnjfqXIscHaX1puQGm3RUAf8u u7EENt4BQ9J3cdA0Su02Ks9oUxpZSLuVewB9g7o= X-Received: by 2002:a24:478b:: with SMTP id t133-v6mr39149974itb.145.1525674448589; Sun, 06 May 2018 23:27:28 -0700 (PDT) MIME-Version: 1.0 Received: by 10.107.157.13 with HTTP; Sun, 6 May 2018 23:27:27 -0700 (PDT) In-Reply-To: <1525493850-6952-1-git-send-email-wang6495@umn.edu> References: <1525493850-6952-1-git-send-email-wang6495@umn.edu> From: David Herrmann Date: Mon, 7 May 2018 08:27:27 +0200 Message-ID: Subject: Re: [PATCH] HID: uhid: fix a missing-check bug To: Wenwen Wang Cc: Kangjie Lu , David Herrmann , Jiri Kosina , Benjamin Tissoires , "open list:UHID USERSPACE HID IO DRIVER:" , open list , Dmitry Torokhov Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hey On Sat, May 5, 2018 at 6:17 AM, Wenwen Wang wrote: > In uhid_event_from_user(), if it is in_compat_syscall(), the 'type' of the > event is first fetched from the 'buffer' in userspace and checked. If the > 'type' is UHID_CREATE, it is a messed up request with compat pointer, which > could be more than 256 bytes, so it is better allocated from the heap, as > mentioned in the comment. Its fields are then prepared one by one instead > of using a whole copy. For all other cases, the event object is copied > directly from user space. In other words, based on the 'type', the memory > size and structure of the event object vary. > > Given that the 'buffer' resides in userspace, a malicious userspace process > can race to change the 'type' between the two copies, which will cause > inconsistency issues, potentially security issues. Plus, various operations > such as uhid_dev_destroy() and uhid_dev_input() are performed based on > 'type' in function uhid_char_write(). If 'type' is modified by user, there > could be some issues such as uninitialized uses. > > To fix this problem, we need to recheck the type after the second fetch to > make sure it is not UHID_CREATE. > > Signed-off-by: Wenwen Wang > --- > drivers/hid/uhid.c | 10 ++++++++-- > 1 file changed, 8 insertions(+), 2 deletions(-) > > diff --git a/drivers/hid/uhid.c b/drivers/hid/uhid.c > index 3c55073..0220385 100644 > --- a/drivers/hid/uhid.c > +++ b/drivers/hid/uhid.c > @@ -447,11 +447,17 @@ static int uhid_event_from_user(const char __user *buffer, size_t len, > event->u.create.country = compat->country; > > kfree(compat); > - return 0; > + } else { > + if (copy_from_user(event, buffer, > + min(len, sizeof(*event)))) > + return -EFAULT; > + if (event->type == UHID_CREATE) > + return -EINVAL; You are correct, the race against malicious/buggy user-space exists. However, it is harmless. Lets assume user-space rewrites the input, all that happens is that we end up with garbage in the kernel. However, input-validation is done *after* this function, hence everything will work just fine. If user-space rewrites input-buffers, they better be aware that this might mean random garbage is pushed into the kernel. IOW, this race simply allows user-space to circumvent the "compat conversion". But if user-space wants that... let them. No point in protecting them from doing something stupid. Thanks David > } > - /* All others can be copied directly */ > + return 0; > } > > + /* Others can be copied directly */ > if (copy_from_user(event, buffer, min(len, sizeof(*event)))) > return -EFAULT; > > -- > 2.7.4 >