Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp7281469imu; Wed, 14 Nov 2018 14:48:49 -0800 (PST) X-Google-Smtp-Source: AJdET5f4DMQXDIO7Tu+WJ09PXr52NRvPxo4laOq1T9ea2caOtQ9dWNQe+RhtckhwBo+l3RvI8R8x X-Received: by 2002:a62:d10c:: with SMTP id z12mr3976490pfg.52.1542235729199; Wed, 14 Nov 2018 14:48:49 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1542235729; cv=none; d=google.com; s=arc-20160816; b=lz5fWUXs77cLpoGnCHj9NQR8AnqdOXEEuOU8xDmaSJVsV0AkuAp3kALy+Vl9fFy863 AKJ+Wmlc4dlPnVbi3eRUQoTk+TYzYeZ+yRA1OHCNfq9bH/yPDgBOxqa1lBWmHt8vFRlE UMXFeSd2dXz2iwsgRyQdFqL/hZhu+CfVx9AieB/Y4tKYECXNj8hgDO9KPokhie6ryk6b BzOqArkP7arHvbP2Jc+MoNsyzSOmMqnzGDudUV41EzpmStFf9GZ5ueA83oDdqtsH9PkP 0450OL5ZDHwd+8sPTgECxJNU9qviqQuIDfnDS9bFEe0DjWzZNPs4Y4OIx8+TTx9OlNyo ZsYw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=Zp48KnARUujJPgt98cu1edg5zA2vF5X1wfL/aDUBBfM=; b=dOTh2sosfYr81w0GG6nlgoKJOb7HCZ1gRuoNTFgod6NqOfHyh6HG6siIJuMxn4blQ9 8BEjeuh1eGiWh8XNxD4rOnA+D9g+X63BOBxQlI6sIDW3jBUN5cq2e8ulnDyGz2SoAnXq YvuJ/EIdXY3LlZ3TVkg3gPMMxxjhGfna3s0IkUCzESVig67PpvkIsyPkWgmdyVd6hnST zHq2z7NAdTTF4qGZrdxs8ak9uIinaNhsT9WaT8566D6S84gqE10GDxrdIRO96ZHKjrp5 CcYEvTttkl7ToGv4JLeso+Yv0tFSsOZIDG86v2VrtCG8ZdAdrzsugdZv7nIc0BSU1cBJ l+Yg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=PucQOP9S; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 3-v6si25653495plx.83.2018.11.14.14.48.34; Wed, 14 Nov 2018 14:48:49 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=PucQOP9S; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1731813AbeKOIv7 (ORCPT + 99 others); Thu, 15 Nov 2018 03:51:59 -0500 Received: from mail-lf1-f66.google.com ([209.85.167.66]:43740 "EHLO mail-lf1-f66.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728342AbeKOIv7 (ORCPT ); Thu, 15 Nov 2018 03:51:59 -0500 Received: by mail-lf1-f66.google.com with SMTP id u18so12743091lff.10 for ; Wed, 14 Nov 2018 14:46:47 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Zp48KnARUujJPgt98cu1edg5zA2vF5X1wfL/aDUBBfM=; b=PucQOP9SfVPzJkK5UPVVenlN3yfrY1yyxc0QQdMc21gRRg9QWHGfa+DcMlrqvQ61JE XJ4a88dVRGbrWUUGXiypJG4AIhiHKjpyO9mX+meEoqPO4T/3qxipoMh9vx8pYtFCisxz /kW8hA/XpX3G3TZjVj/C0592l0IIaLK5i3JlwJ8QUqM0fpBfCxhR2kpr/M/SezNmQ/Ps FQzAw5PjRNE+PxtbA3S3wNYXTUsMyBo2G/lUsdpQnbdHvyKDU5ex8W0gVQC/pWrVbXov fb905K+gcsXRuSLjfyHphbBxwCoT+H05jv95WVwnydxGI/YFrAwBob2+T7/+cKYj/fEY 7twQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Zp48KnARUujJPgt98cu1edg5zA2vF5X1wfL/aDUBBfM=; b=coV8uzrDCzTHksx8YzHq1XUabalJcxo1+qJaERgoVLDf08fU2VHFefhbzo7u3dDYu+ UL1s0GojKc2xlnDAOfDqQm/G8EAfUVLLfkLcHqB+QoYgLJuilf2X2IDUer6b63dmhs+g OSPrGHeMQ1Hm2CN23esGNP4cL+4KaG6fn5tfLSrM2tbEwejoBAADir5NQhj5M2prxxX/ a6U0Ys6l8GQLm0gSPYmmTTeK1Tjk9+LkNL5bGinyT34fJ7LMrxQSEIfRxSp0tj0qrbBg 6pcVb/f2HWsPXqH5dEjWuqpcAkypPsAQrOZZ2rbyp0l/yKctrBPd3bSo0rFOZ6JYTRyN 7mQQ== X-Gm-Message-State: AGRZ1gJROBhgCw+5iTDvOBKIEihWmMZBklJFSPivYJEDmXXLShuxnjhR W0iE+tkQX0/necRTQhDOuDbvxi5gLH9L4UwhiPZAkw== X-Received: by 2002:a19:9904:: with SMTP id b4mr2000480lfe.95.1542235605801; Wed, 14 Nov 2018 14:46:45 -0800 (PST) MIME-Version: 1.0 References: <20181114215509.163600-1-ebiggers@kernel.org> In-Reply-To: From: Dmitry Torokhov Date: Wed, 14 Nov 2018 14:46:34 -0800 Message-ID: Subject: Re: [PATCH v2] HID: uhid: forbid UHID_CREATE under KERNEL_DS or elevated privileges To: jannh@google.com Cc: ebiggers@kernel.org, dh.herrmann@googlemail.com, Jiri Kosina , Benjamin Tissoires , "open list:HID CORE LAYER" , lkml , syzkaller-bugs@googlegroups.com, Dmitry Vyukov , syzbot+72473edc9bf4eb1c6556@syzkaller.appspotmail.com, stable@vger.kernel.org, luto@kernel.org Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Nov 14, 2018 at 2:38 PM Jann Horn wrote: > > On Wed, Nov 14, 2018 at 11:29 PM Dmitry Torokhov wrote: > > On Wed, Nov 14, 2018 at 2:05 PM Jann Horn wrote: > > > On Wed, Nov 14, 2018 at 10:55 PM Eric Biggers wrote: > > > > When a UHID_CREATE command is written to the uhid char device, a > > > > copy_from_user() is done from a user pointer embedded in the command. > > > > When the address limit is KERNEL_DS, e.g. as is the case during > > > > sys_sendfile(), this can read from kernel memory. Alternatively, > > > > information can be leaked from a setuid binary that is tricked to write > > > > to the file descriptor. Therefore, forbid UHID_CREATE in these cases. > > > > > > > > No other commands in uhid_char_write() are affected by this bug and > > > > UHID_CREATE is marked as "obsolete", so apply the restriction to > > > > UHID_CREATE only rather than to uhid_char_write() entirely. > [...] > > > > diff --git a/drivers/hid/uhid.c b/drivers/hid/uhid.c > [...] > > > > @@ -722,6 +723,17 @@ static ssize_t uhid_char_write(struct file *file, const char __user *buffer, > > > > > > > > switch (uhid->input_buf.type) { > > > > case UHID_CREATE: > > > > + /* > > > > + * 'struct uhid_create_req' contains a __user pointer which is > > > > + * copied from, so it's unsafe to allow this with elevated > > > > + * privileges (e.g. from a setuid binary) or via kernel_write(). > > > > + */ > > > > uhid is a privileged interface so we would go from root to less > > privileged (if at all). If non-privileged process can open uhid it can > > construct virtual keyboard and inject whatever keystrokes it wants. > > > > Also, instead of disallowing access, can we ensure that we switch back > > to USER_DS before trying to load data from the user pointer? > > Does that even make sense? You are using some deprecated legacy > interface; you interact with it by splicing a request from something > like a file or a pipe into the uhid device; but the request you're > splicing through contains a pointer into userspace memory? Do you know > of anyone who is actually doing that? If not, anyone who does want to > do this for some reason in the future can just go use UHID_CREATE2 > instead. I do not know if anyone is still using UHID_CREATE with sendpage and neither do you really. It is all about not breaking userspace without good reason and here ensuring that we switch to USER_DS and then back to whatever it was does not seem too hard. > > > > > + if (file->f_cred != current_cred() || uaccess_kernel()) { > > > > + pr_err_once("UHID_CREATE from different security context by process %d (%s), this is not allowed.\n", > > > > + task_tgid_vnr(current), current->comm); > > > > + ret = -EACCES; > > > > + goto unlock; > > > > + } > > > > ret = uhid_dev_create(uhid, &uhid->input_buf); > > > > break; > > > > case UHID_CREATE2: