Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp7016404imu; Wed, 14 Nov 2018 10:20:10 -0800 (PST) X-Google-Smtp-Source: AJdET5cTqEJdiVsB4xxf7s5zYwN25vdL0RD0oBPIyoxX2Yf7dwENCb2Utmj6JQHlLkLWAiMI0YLB X-Received: by 2002:a17:902:a40f:: with SMTP id p15mr3045680plq.286.1542219610162; Wed, 14 Nov 2018 10:20:10 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1542219610; cv=none; d=google.com; s=arc-20160816; b=QNF+ByVivMVzTQ31of3OZMaO97SOhC+vZAplO8GEH7/eMiylwl/tM+kYZxFjFi8LZH kUQ9e+DIqGthg3wvc/ABmVsJuqR/Z4A9c3YIeZf+7NPV+iz4sGoMiY9Vk6xixMBDjwI9 JcGNxt78SB+vCTQQch3KKjodmm9jXx1RqbnStovxn2HdZ+l3joesjpN5lbIQruiksqxb UdChdpcwdA86SLmTlC/JVhmnQ80QS0D3KSGvPMQbcgoj9ZvO7wemFvol9uolO7N9TaLO HaV+MiDmYN/7hIjLu+wbEAUSlRdd950ZYi+tOVX1G1lCBiti+CSRVuEnCQP/8mFAPf/G d5Sg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=VAhEP5PNMrH23hKOuO24tYIVT3au/oY4s3WYk1e/KL0=; b=dlztbxeO4nrxVvDn0xWOu2PL9WB4SZbxF17Q1YBuxzeFqrRHnoTzdMZ7NopBcWQwPL fewQk2rNRn+QSSJdb8M8fY4VvSEHKLjoHYXS2ZR8dA2MA6i69CRJXFw9pJptdmVweqVH 4ICVcSQXUuTAZyGhHWEW6D7QBTCMDI/TuI8Xtz8Ayr9t3tgL/91G5q714PFHnKspjj9D imxbmnRAQ8Kiey8dN51LjUDTnfUjlVhMikgH1H6O0z3DS2MmEATUB5NQbkLUEuSD8oN7 IpY1F2+51XSHcQ04WtBYAjRuhvJuWbda2zkx39mrdChVJGtAkSmVQCy8Yj+aT7GA27fa J+uQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=p0deHWiZ; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id k25-v6si25973617pfe.36.2018.11.14.10.19.35; Wed, 14 Nov 2018 10:20:10 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=p0deHWiZ; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730979AbeKOEXX (ORCPT + 99 others); Wed, 14 Nov 2018 23:23:23 -0500 Received: from mail-ot1-f66.google.com ([209.85.210.66]:33342 "EHLO mail-ot1-f66.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727822AbeKOEXX (ORCPT ); Wed, 14 Nov 2018 23:23:23 -0500 Received: by mail-ot1-f66.google.com with SMTP id i20so9151755otl.0 for ; Wed, 14 Nov 2018 10:19:06 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=VAhEP5PNMrH23hKOuO24tYIVT3au/oY4s3WYk1e/KL0=; b=p0deHWiZ8zp2wgZTk6marRA0FNp3CpR2cza+puGBNr8SlZQJFmKhWx2tlBXQddFWIa i93pCArFx/l+YOFdmXR+K+P/ADB9/r7hVwIBosn2m56UTQPKw1DnSgo2IDO/aZcqnAbG MGGpmLJCScMbmFbrqTVhgN9ftqeAi1SAo3QWOFXuHQyAkp+UhS7q4pE8/ao+I1+T8Gyl 7lIi6cC7CgBP/TUN2C2uZIavPFMofsWbYak0YuDQYOoHuSS6GoOidMSWyWp8+/5b8A8f eR6UZYQgJ+KOL7umdLhDC06riniUCJ/tS02w+I1GyCF0yC2rxdCt/3UXpTbWbm3Pinc7 FAzw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=VAhEP5PNMrH23hKOuO24tYIVT3au/oY4s3WYk1e/KL0=; b=sYdIR4TIS2TJHA+HcBTEOx7vbfjE7W50OhhCLm6dO8Uwlq7tqBqLnQ6gDBIGzL70pN 7zb/SpY9+HGLJ6V9p0hWq0QxsKK4ihKT5GJNz/BFN7D1nGNlzm55GMsXqpYa+jG1dJ9c D8Bgb+EA9cmxwQEjmQudIpA/sfVusUhmUbOwOas++4TpE4rp3LUj3TYPf/4JNDpkD8z/ SkFQxHl1xIidaOD/Kj5ToWb136HDzweZObRCnhdkgpd1JmIpqcvQ9wSa5z3K793M1tnx 4cJ8I92BDDR7fdYIo8TjeJ/ygSW6C5aPQ/zdtDtGUhPrWGzxJnA1U6WfUn1I2Nz+7WQS YruQ== X-Gm-Message-State: AGRZ1gLwKaMEa0wztQnufWCtDkZSED9hPQCAWq3XH1b11chfMRom/j6F vInY7AIeKGyOoobZg6ObRW0WofZ3jzPohXXh/FR2iA== X-Received: by 2002:a9d:460e:: with SMTP id y14mr1841611ote.198.1542219545541; Wed, 14 Nov 2018 10:19:05 -0800 (PST) MIME-Version: 1.0 References: <20181114171447.GA87768@gmail.com> <20181114180217.195917-1-ebiggers@kernel.org> In-Reply-To: <20181114180217.195917-1-ebiggers@kernel.org> From: Jann Horn Date: Wed, 14 Nov 2018 19:18:39 +0100 Message-ID: Subject: Re: [PATCH] HID: uhid: prevent uhid_char_write() under KERNEL_DS To: ebiggers@kernel.org Cc: dh.herrmann@googlemail.com, Jiri Kosina , benjamin.tissoires@redhat.com, linux-input@vger.kernel.org, kernel list , syzkaller-bugs@googlegroups.com, Dmitry Vyukov , dtor@google.com, syzbot+72473edc9bf4eb1c6556@syzkaller.appspotmail.com, stable@vger.kernel.org, Andy Lutomirski Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org +cc Andy On Wed, Nov 14, 2018 at 7:03 PM Eric Biggers wrote: > When a UHID_CREATE command is written to the uhid char device, a > copy_from_user() is done from a user pointer embedded in the command. > When the address limit is KERNEL_DS, e.g. as is the case during > sendfile(), this can read from kernel memory. Therefore, UHID_CREATE > must not be allowed in this case. > > For consistency and to make sure all current and future uhid commands > are covered, apply the restriction to uhid_char_write() as a whole > rather than to UHID_CREATE specifically. > > Thanks to Dmitry Vyukov for adding uhid definitions to syzkaller and to > Jann Horn for commit 9da3f2b740544 ("x86/fault: BUG() when uaccess > helpers fault on kernel addresses"), allowing this bug to be found. > > Reported-by: syzbot+72473edc9bf4eb1c6556@syzkaller.appspotmail.com Wheeeee, it found something! :) > Fixes: d365c6cfd337 ("HID: uhid: add UHID_CREATE and UHID_DESTROY events") > Cc: # v3.6+ > Cc: Jann Horn > Signed-off-by: Eric Biggers > --- > drivers/hid/uhid.c | 6 ++++++ > 1 file changed, 6 insertions(+) > > diff --git a/drivers/hid/uhid.c b/drivers/hid/uhid.c > index 3c55073136064..e94c5e248b56e 100644 > --- a/drivers/hid/uhid.c > +++ b/drivers/hid/uhid.c > @@ -705,6 +705,12 @@ static ssize_t uhid_char_write(struct file *file, const char __user *buffer, > int ret; > size_t len; > > + if (uaccess_kernel()) { /* payload may contain a __user pointer */ > + pr_err_once("%s: process %d (%s) called from kernel context, this is not allowed.\n", > + __func__, task_tgid_vnr(current), current->comm); > + return -EACCES; > + } If this file can conceivably be opened by a process that doesn't have root privileges, this check should be something along the lines of ib_safe_file_access() or sg_check_file_access(). Checking for uaccess_kernel() prevents the symptom that syzkaller notices - a user being able to cause a kernel memory access -, but it doesn't deal with the case where a user opens a file descriptor to this device and tricks a more privileged process into writing into it (e.g. by passing it to a suid binary as stdout or stderr). Looking closer, I wonder whether this kind of behavior is limited to the UHID_CREATE request, which has a comment on it saying "/* Obsolete! Use UHID_CREATE2. */". If we could keep this kind of ugly kludge away from the code paths you're supposed to be using, that would be nice...