Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp7273693imu; Wed, 14 Nov 2018 14:39:13 -0800 (PST) X-Google-Smtp-Source: AJdET5ed4N8Lxu2t8/MuzDVkJHGQ5++dR0vExbtAS7BXzmgXj5Hgqn35NRetsqsor5h99fu4hmP9 X-Received: by 2002:a63:790e:: with SMTP id u14mr3463984pgc.452.1542235153734; Wed, 14 Nov 2018 14:39:13 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1542235153; cv=none; d=google.com; s=arc-20160816; b=V4yxtzXDT/Rc6soT9xJkZX8tuUXhXypkO3FHKsCM4j6Uss/QnqPt7RMSjdfRIslpqv pM1QfSHteu5KJk0L/KYjo4aoVmGCaY9jTjj1akgXMLX56HGdTHsk/yeiYWpbsBxBBcCH Xo4c0wb99ZCASb0zwMgoJMemMj193CffnImn1TXkCwp7C+U/WgBg0TYDeGuxCYJtkZ4H 5VwSUjBHcsF74vXWSvrT1PCMEtdxdsIT4WeLJrIkk8fqOKo/pO/rZz1jlVIBG3spl3mm 1c12bf+kW+FPJ/yEA07Qhd1IkNeDWr7Q2QcZ9VwgdIOkllLCSdAaKm2CfBSFbYrFlJW3 dbyw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=/oKCzlwybmcq+EoB5uAa4f5qcwFA4cXC6SLPhjLEtzc=; b=c6dI0dLn1YqUDwh32Wf+fLQW+JJ92zOAS52VhSlXOGHVlPqtMO1jnRqoX9y3Bkm7Hq V0oXv18TTqXNk/crWCEFdL8s4PxWpHGkUbtBjk/jdr9MWsilfAZDumCeXZitTpcx9TdS ZLCV039Be1t9kcYjeddjExHa9NdpP3e414hTeKByj7R9iMUHAHu4pC6T+kdf4PrHBhkJ 21NmpbvWz7IZvxftu7jxFReWvsB2y64Aqs+hydxQWM6ycILVRxop1qDAvX4P9TMCXN4A jVH0EL20kNcGgwpPaxt4jkRmE3y+j/jSxSeV8+HChzRSOjmiQ6sfuVB5cSa/YO/XE/SZ A2jw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=RsSnEbK2; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id a21-v6si15742976pls.13.2018.11.14.14.38.59; Wed, 14 Nov 2018 14:39:13 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=RsSnEbK2; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2388440AbeKOInY (ORCPT + 99 others); Thu, 15 Nov 2018 03:43:24 -0500 Received: from mail-oi1-f193.google.com ([209.85.167.193]:41531 "EHLO mail-oi1-f193.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2388195AbeKOInW (ORCPT ); Thu, 15 Nov 2018 03:43:22 -0500 Received: by mail-oi1-f193.google.com with SMTP id g188-v6so15094158oif.8 for ; Wed, 14 Nov 2018 14:38:14 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=/oKCzlwybmcq+EoB5uAa4f5qcwFA4cXC6SLPhjLEtzc=; b=RsSnEbK20fmaGxMPNFsYuFlWKBa3cvMHJ/g1P3u/j2DShfVQdJH/NCM+TMEOUYhy5K Yj4Id8WL5yKFokHu9TiVxB1i0i7hz+dIxqkNeRkx2mmxsIdq0wT+54hMmZe8GaQ9pAw5 bAeON3bFaLkBzhiWfy7+uML0VVfWooSsNYDNaP0SkaNZs7hnmp1qViEtgKC6vytN8Ri9 T14rADhHsayY1RIPODdrbYp38LTx7WKYennVPzznjl6Bn17UBy5WsUDelpIBRhiKf8VR huorSfAZjDFj80Ixrb0grpUXJ45rxcWAG2a+I0tE9Vr3EqjZNXX8CDtHdLHw4p57BsxI JKLA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=/oKCzlwybmcq+EoB5uAa4f5qcwFA4cXC6SLPhjLEtzc=; b=lEkp42fLxBBM1a3mtJLSisrrQ9LM16Nk/hRgK//fApJ7k5FMhs+JaSObdfdx37Rzb3 Z5brweMgogOzxK2dX7Slx6VQ1o89gV+dgjJC8IncfaGVS74Zl0g2cXl/sQO0xiFJDdqC B4WDsXHip6P3tAVpT+G+gwuVKxOTaX6s4tWTllvlD26fUVYN7TjFSIN6QRTOrdvA07iB fUaPjzedi3vuQiSFlh1Y+lPRhlexqce7kK7npjXF8M+KDTSO2pWal9vGjIW5Zbl9hhIb VqA04spNlgDhu0iqO38GIhMtm8p+FOYsy+qobrgriB4BBCPoULFpdlGWqrW2fe/XuGYr pUdw== X-Gm-Message-State: AGRZ1gKOVZmnd9SbgNhDbB4jG2lwDaSEc2i6cSXuwlnE5YHrEYEVkPHc IGg5KlS3PgHhNouqgkAV2UiVsfBi2EI0owqhNoK4LQ== X-Received: by 2002:aca:c413:: with SMTP id u19mr1933244oif.209.1542235093809; Wed, 14 Nov 2018 14:38:13 -0800 (PST) MIME-Version: 1.0 References: <20181114215509.163600-1-ebiggers@kernel.org> In-Reply-To: From: Jann Horn Date: Wed, 14 Nov 2018 23:37:47 +0100 Message-ID: Subject: Re: [PATCH v2] HID: uhid: forbid UHID_CREATE under KERNEL_DS or elevated privileges To: dtor@google.com Cc: ebiggers@kernel.org, dh.herrmann@googlemail.com, Jiri Kosina , benjamin.tissoires@redhat.com, linux-input@vger.kernel.org, kernel list , syzkaller-bugs@googlegroups.com, Dmitry Vyukov , syzbot+72473edc9bf4eb1c6556@syzkaller.appspotmail.com, stable@vger.kernel.org, Andy Lutomirski Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Nov 14, 2018 at 11:29 PM Dmitry Torokhov wrote: > On Wed, Nov 14, 2018 at 2:05 PM Jann Horn wrote: > > On Wed, Nov 14, 2018 at 10:55 PM Eric Biggers wrote: > > > When a UHID_CREATE command is written to the uhid char device, a > > > copy_from_user() is done from a user pointer embedded in the command. > > > When the address limit is KERNEL_DS, e.g. as is the case during > > > sys_sendfile(), this can read from kernel memory. Alternatively, > > > information can be leaked from a setuid binary that is tricked to write > > > to the file descriptor. Therefore, forbid UHID_CREATE in these cases. > > > > > > No other commands in uhid_char_write() are affected by this bug and > > > UHID_CREATE is marked as "obsolete", so apply the restriction to > > > UHID_CREATE only rather than to uhid_char_write() entirely. [...] > > > diff --git a/drivers/hid/uhid.c b/drivers/hid/uhid.c [...] > > > @@ -722,6 +723,17 @@ static ssize_t uhid_char_write(struct file *file, const char __user *buffer, > > > > > > switch (uhid->input_buf.type) { > > > case UHID_CREATE: > > > + /* > > > + * 'struct uhid_create_req' contains a __user pointer which is > > > + * copied from, so it's unsafe to allow this with elevated > > > + * privileges (e.g. from a setuid binary) or via kernel_write(). > > > + */ > > uhid is a privileged interface so we would go from root to less > privileged (if at all). If non-privileged process can open uhid it can > construct virtual keyboard and inject whatever keystrokes it wants. > > Also, instead of disallowing access, can we ensure that we switch back > to USER_DS before trying to load data from the user pointer? Does that even make sense? You are using some deprecated legacy interface; you interact with it by splicing a request from something like a file or a pipe into the uhid device; but the request you're splicing through contains a pointer into userspace memory? Do you know of anyone who is actually doing that? If not, anyone who does want to do this for some reason in the future can just go use UHID_CREATE2 instead. > > > + if (file->f_cred != current_cred() || uaccess_kernel()) { > > > + pr_err_once("UHID_CREATE from different security context by process %d (%s), this is not allowed.\n", > > > + task_tgid_vnr(current), current->comm); > > > + ret = -EACCES; > > > + goto unlock; > > > + } > > > ret = uhid_dev_create(uhid, &uhid->input_buf); > > > break; > > > case UHID_CREATE2: