Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp6946396imu;
        Wed, 14 Nov 2018 09:17:50 -0800 (PST)
X-Google-Smtp-Source: AJdET5cJejLnDMTOHbsDB8kIwGpEDUShwZ5NmxqOY0XzOhDGn2lHfWsqCjhghCfo+PVYmpbuhLgc
X-Received: by 2002:a63:960a:: with SMTP id c10mr2540037pge.106.1542215870470;
        Wed, 14 Nov 2018 09:17:50 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1542215870; cv=none;
        d=google.com; s=arc-20160816;
        b=edgGbOSURulUsyP5hy1OH3O4ji/bLcjqUMYM6sPFf/M7m1PFfDImBflThiEaYQmBt3
         3HZFOzDi7j71bip4gZng1iU+h67Xukh4U2a3xDJrsXsg1cZeN50IX3W5qvDFeVM0Ki+u
         CppEHOwc15li92+mxRAGzOHoDJhDcgqJ+cdVRh88nsXHq/yjrcTGu51eFWfR/XzNOnhU
         yvQVAcRfhSOg2TNnlN1urrIPgGrfluBAEhKRUbU1THX+HwhYd+DsxFE2BinidfwvFchh
         qri2EioG2C8qJZ+xBQtZp6QcVTHLNXsVnevtHv/99+TBjV4DXPiwDMNtEzGGk1uFp/HK
         Z4vw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:user-agent:in-reply-to
         :content-disposition:mime-version:references:message-id:subject:cc
         :to:from:date:dkim-signature;
        bh=RE/n46j2cRabJ6m3+gdBB4qRkzc/8qS6iErRSivhssA=;
        b=IWPKNOVHGX1vck9I/Giwp7ltCDOd8KGP7JMA5tJrcy2xM8h+kw7ibYBBy0RyelS4nT
         fINZMfJ4ugcUaGorkjZEDKSQH7KLMvXF7kw3Qto+82RCgVrjf+jhAUTonXh65rDAVSXc
         xpQbkuPR1PJytKMxiiDBfh+9b9UBzuhHx7EBZlyRR9oe+MOR/Tr6IiegCWP+ApiB3bo2
         kOfyLXM8rMPK6lwSAf+F+AXPioJSHZ2vqJKUD/7aq+HSJxm/mwTLjyJvP5fmOe3nAbgJ
         ZgfJD73sIUZ83IRno/1G0RkcB6zgYLe8fbg9WGZpCIDCm240ELs8OsFJwbnaIK7gMKeA
         2U0g==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=PS12fN+5;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id b9si22613317pgt.293.2018.11.14.09.17.24;
        Wed, 14 Nov 2018 09:17:50 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=PS12fN+5;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1732950AbeKODSy (ORCPT <rfc822;busarih159@gmail.com>
        + 99 others); Wed, 14 Nov 2018 22:18:54 -0500
Received: from mail.kernel.org ([198.145.29.99]:49574 "EHLO mail.kernel.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1727822AbeKODSx (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 14 Nov 2018 22:18:53 -0500
Received: from gmail.com (unknown [104.132.1.85])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by mail.kernel.org (Postfix) with ESMTPSA id 2440A2089F;
        Wed, 14 Nov 2018 17:14:50 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
        s=default; t=1542215690;
        bh=/yPh/grm9aq0wv21IEHD6xhh+Ne+CtYPfOJ+kiUpllI=;
        h=Date:From:To:Cc:Subject:References:In-Reply-To:From;
        b=PS12fN+5oMFm1inKPAQNPZFeqRusdXNL11YVLctmxvJ6dPMpgzyAC2AB3d1pep1vf
         Vo/RUR0GWpAzMOpi4sow2dOFsGm1EbrGeyqxxCF7Ph0uVk3Gbn4+poZPFhy2zC4PW5
         ky7ezU4yD3mh/03yP/1bpGNJ5xPJcZwpjQz1uDTs=
Date:   Wed, 14 Nov 2018 09:14:48 -0800
From:   Eric Biggers <ebiggers@kernel.org>
To:     David Herrmann <dh.herrmann@gmail.com>
Cc:     Dmitry Vyukov <dvyukov@google.com>,
        Dmitry Torokhov <dtor@google.com>,
        syzbot+72473edc9bf4eb1c6556@syzkaller.appspotmail.com,
        Benjamin Tissoires <benjamin.tissoires@redhat.com>,
        Jiri Kosina <jikos@kernel.org>,
        "open list:HID CORE LAYER" <linux-input@vger.kernel.org>,
        linux-kernel <linux-kernel@vger.kernel.org>,
        syzkaller-bugs@googlegroups.com
Subject: Re: BUG: GPF in non-whitelisted uaccess (non-canonical address?)
Message-ID: <20181114171447.GA87768@gmail.com>
References: <00000000000080f8fa057a67b75c@google.com>
 <0000000000002d2a5b057a94f7ff@google.com>
 <CANq1E4T6+bacZ9iGREtWiyM8eUkAQoxhgFM6rPrzNRkzAcnfJg@mail.gmail.com>
 <CACT4Y+b8801QqLe4axBct-cZ2a-jr2S2=MSRhg7rV20bPvUHxQ@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <CACT4Y+b8801QqLe4axBct-cZ2a-jr2S2=MSRhg7rV20bPvUHxQ@mail.gmail.com>
User-Agent: Mutt/1.10.1 (2018-07-13)
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, Nov 14, 2018 at 08:52:46AM -0800, 'Dmitry Vyukov' via syzkaller-bugs wrote:
> On Wed, Nov 14, 2018 at 4:20 AM, David Herrmann <dh.herrmann@gmail.com> wrote:
> > Hey
> >
> > On Wed, Nov 14, 2018 at 1:25 AM syzbot
> > <syzbot+72473edc9bf4eb1c6556@syzkaller.appspotmail.com> wrote:
> >> syzbot has found a reproducer for the following crash on:
> >>
> >> HEAD commit:    ccda4af0f4b9 Linux 4.20-rc2
> >> git tree:       upstream
> >> console output: https://syzkaller.appspot.com/x/log.txt?x=13b4e77b400000
> >> kernel config:  https://syzkaller.appspot.com/x/.config?x=4a0a89f12ca9b0f5
> >> dashboard link: https://syzkaller.appspot.com/bug?extid=72473edc9bf4eb1c6556
> >> compiler:       gcc (GCC) 8.0.1 20180413 (experimental)
> >> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1646a225400000
> >> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=108a6533400000
> >>
> >> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> >> Reported-by: syzbot+72473edc9bf4eb1c6556@syzkaller.appspotmail.com
> >>
> > [...]
> >> BUG: GPF in non-whitelisted uaccess (non-canonical address?)
> >
> > This uses sendpage(2) to feed data from a file into a uhid chardev.
> > The default behavior of the kernel is to create a temporary pipe, then
> > splice from the file into the pipe, and then splice again from the
> > pipe into uhid.
> >
> > The kernel provides default implementations for splicing between files
> > and any other file. The default implementation of `.splice_write()`
> > uses kmap() to map the page from the pipe and then uses the
> > __kernel_write() (which uses .f_op->write()) to push the data into the
> > target file. The problem is, __kernel_write() sets the address-space
> > to KERNEL_DS `set_fs(get_ds())`, thus granting the UHID request access
> > to kernel memory.
> >
> > I see several ways to fix that, the most simple solution is to simply
> > prevent splice/sendpage on uhid (by setting f_op.splice_write to a
> > dummy). Alternatively, we can implement a proper splice helper that
> > takes the page directly, rather than through the __kernel_write()
> > default implementation.
> 
> also +dtor for uhid
> 

Well, the problem is that uhid_char_write() reads from a user pointer embedded
in the write() payload.  (Which really is abusing write(), but I assume it
cannot be changed at this point...)  Thus it's unsafe to be called under
KERNEL_DS.  So it needs:

	if (uaccess_kernel())
		return -EACCES;

See sg_check_file_access(), called from sg_read() and sg_write(), for another
example of this in the kernel.

- Eric