Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp7381669imu; Wed, 14 Nov 2018 16:41:21 -0800 (PST) X-Google-Smtp-Source: AJdET5dsd4Sx76EP6E8RYqeG2/flbBEOhJHJGZUMlPKLkHpqq37d+gg92fFsGnSsFiB0yDQm2MTy X-Received: by 2002:a63:63c3:: with SMTP id x186mr3802394pgb.330.1542242481373; Wed, 14 Nov 2018 16:41:21 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1542242481; cv=none; d=google.com; s=arc-20160816; b=z5H1ywnlWFIe9r2bqfzU1WDZFwqBnSOOn11zpJNJjciZDV1Bp8oWBvh+7LMvSx4f41 lkE0HVYh/XpPaPPGCWtsWiaaQEkr5r3q6+po5EZUAH7DOO5GFuRO1090hvRnAVZU2HVo y1pFiBvgwcPWAjfMTLSh7uUoh3bChvbWpCNfRaKlqjDHTaXa/Ot5VVcP23BhLN6TKf29 tJLtnDbrr0CHgcU86dasHv0nDarO+1f084HaeHnbtyDjqqW8+RgBJD+3hjow/AroZrOn iU5tgwxGn+J4erDA5/QtKCKTiQ28r+gS7h01dGQ+Y5W29ObqVJmjsZRd5FOO3T3ZGf2A TV/g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:to:references:message-id :content-transfer-encoding:cc:date:in-reply-to:from:subject :mime-version:dkim-signature; bh=7tyQljsrTZbCJzJ2P/VuLW6YOnQ4+ymJ1Iq+gyU7DFE=; b=tJ9Zpdj2xSmMVGqTY2MQaui/0SONjjxLmndtDL9i3NT3hp2DzDQRHXSVY68+CTxmvc 02hB+XwmOe7NeC46kNZW+cpza4UeMKsmm3588fFStMLFHPm2pRKsBXtU8O6B6VlsBVk6 pQtNuMYDgIwr3IZcOIfO0S/61lrACdGIPaTAnaKGm0d9ISRkC+0/TzF5jYzQAC6Sjmhp 3reC3LM28oFygDWLKTri2ojls3wIHKeicqz7bv78V0oFGL9N11Z4v5X6aCbNAgZDJA/4 ZsTgLstBdXrHd3eBSirSUJKfH7ZJzgFqDJGcfXY8i+ymfeZx/3GVdn/588IfplZtrNu8 vCkg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@amacapital-net.20150623.gappssmtp.com header.s=20150623 header.b=upgnfF5k; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id c132si12653456pga.597.2018.11.14.16.41.06; Wed, 14 Nov 2018 16:41:21 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@amacapital-net.20150623.gappssmtp.com header.s=20150623 header.b=upgnfF5k; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727264AbeKOKpT (ORCPT + 99 others); Thu, 15 Nov 2018 05:45:19 -0500 Received: from mail-pf1-f194.google.com ([209.85.210.194]:43590 "EHLO mail-pf1-f194.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726554AbeKOKpT (ORCPT ); Thu, 15 Nov 2018 05:45:19 -0500 Received: by mail-pf1-f194.google.com with SMTP id g7-v6so8757277pfo.10 for ; Wed, 14 Nov 2018 16:39:45 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=amacapital-net.20150623.gappssmtp.com; s=20150623; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=7tyQljsrTZbCJzJ2P/VuLW6YOnQ4+ymJ1Iq+gyU7DFE=; b=upgnfF5kGxF66jIEziBof5uYC+SStkAE2FlwGj6uZtBYwS9651usP1UFCNMXelyGhQ XAl7PfAD1lRhfHoWpOxDiZ3eqpfH5Bxx4oKkogr/dQ9ZPuyUGWSNCXUcZlhCa5u/E89t PT2+VEUEQulJco6ofN6gxvuNoUa74OSuSH3AqNhjn58UWkPOE4n9mNC0tC6zdZ8wRAe9 gsrMBRGi8+ScKKo9Ye1vvNf3qTmTqbZDPOs27uLtO/Ls+tQ7J7LuPQCI/AiQy/iC2cCm n3Tx2oW2pe/xXm4OxZMQvarCr5wzXSdyuf7SOF1mX+MjN4TPOYygsa6vi4yYLxwe80y2 bXZw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=7tyQljsrTZbCJzJ2P/VuLW6YOnQ4+ymJ1Iq+gyU7DFE=; b=rxr+72Nz3hKOb0P46CFW1AbxZmpCGb2SoD743OqSqmgGnbUKu0nTUYGb2XuCeILqeo Yy2LOmnSLEjGwuKkRuJgVnUvvB1ylWzgqjGMLl6hKkwVdyNWeNYTlwOjUPsJWxO5muw/ /fMnlsDsd7ASAwSlfJSujv+VIKNpbkqt/mHPmUnc/4Pu17x2oo2ZRwx0avD3PXX04yDa +mq+ysyCJ5SY9ndCPDREqXjlk8NU3aVT2Ea66ymoHq0FP/Ps9RjlAgJXvpZytsaM9MfW IFlvAVYSWqAklkURjeX6kPUBM7EbrOzb4kpTMorijMIdigXoOIHvbaa1yajTZwS5GIv4 NJaw== X-Gm-Message-State: AGRZ1gLEbaHBiHfU7EQLSl4RPF5nM6N+RuifN2xIPtBA2WZOivWWpapz u4xEgeJnggY4LyJQOMqc7NdAsw== X-Received: by 2002:a63:f615:: with SMTP id m21mr1828253pgh.428.1542242384587; Wed, 14 Nov 2018 16:39:44 -0800 (PST) Received: from ?IPv6:2600:1012:b00f:2d6f:bc21:1d37:c350:a8ba? ([2600:1012:b00f:2d6f:bc21:1d37:c350:a8ba]) by smtp.gmail.com with ESMTPSA id r81-v6sm55138466pfa.110.2018.11.14.16.39.42 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 14 Nov 2018 16:39:42 -0800 (PST) Content-Type: text/plain; charset=utf-8 Mime-Version: 1.0 (1.0) Subject: Re: [PATCH v2] HID: uhid: forbid UHID_CREATE under KERNEL_DS or elevated privileges From: Andy Lutomirski X-Mailer: iPhone Mail (16A404) In-Reply-To: Date: Wed, 14 Nov 2018 16:39:41 -0800 Cc: jannh@google.com, ebiggers@kernel.org, dh.herrmann@googlemail.com, Jiri Kosina , Benjamin Tissoires , "open list:HID CORE LAYER" , lkml , syzkaller-bugs@googlegroups.com, Dmitry Vyukov , syzbot+72473edc9bf4eb1c6556@syzkaller.appspotmail.com, stable@vger.kernel.org, luto@kernel.org Content-Transfer-Encoding: quoted-printable Message-Id: References: <20181114215509.163600-1-ebiggers@kernel.org> To: Dmitry Torokhov Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org > On Nov 14, 2018, at 2:46 PM, Dmitry Torokhov wrote: >=20 >> On Wed, Nov 14, 2018 at 2:38 PM Jann Horn wrote: >>=20 >>> On Wed, Nov 14, 2018 at 11:29 PM Dmitry Torokhov wrote= : >>>> On Wed, Nov 14, 2018 at 2:05 PM Jann Horn wrote: >>>>> On Wed, Nov 14, 2018 at 10:55 PM Eric Biggers wr= ote: >>>>> When a UHID_CREATE command is written to the uhid char device, a >>>>> copy_from_user() is done from a user pointer embedded in the command. >>>>> When the address limit is KERNEL_DS, e.g. as is the case during >>>>> sys_sendfile(), this can read from kernel memory. Alternatively, >>>>> information can be leaked from a setuid binary that is tricked to writ= e >>>>> to the file descriptor. Therefore, forbid UHID_CREATE in these cases.= >>>>>=20 >>>>> No other commands in uhid_char_write() are affected by this bug and >>>>> UHID_CREATE is marked as "obsolete", so apply the restriction to >>>>> UHID_CREATE only rather than to uhid_char_write() entirely. >> [...] >>>>> diff --git a/drivers/hid/uhid.c b/drivers/hid/uhid.c >> [...] >>>>> @@ -722,6 +723,17 @@ static ssize_t uhid_char_write(struct file *file,= const char __user *buffer, >>>>>=20 >>>>> switch (uhid->input_buf.type) { >>>>> case UHID_CREATE: >>>>> + /* >>>>> + * 'struct uhid_create_req' contains a __user pointer w= hich is >>>>> + * copied from, so it's unsafe to allow this with elev= ated >>>>> + * privileges (e.g. from a setuid binary) or via kerne= l_write(). >>>>> + */ >>>=20 >>> uhid is a privileged interface so we would go from root to less >>> privileged (if at all). If non-privileged process can open uhid it can >>> construct virtual keyboard and inject whatever keystrokes it wants. >>>=20 >>> Also, instead of disallowing access, can we ensure that we switch back >>> to USER_DS before trying to load data from the user pointer? >>=20 >> Does that even make sense? You are using some deprecated legacy >> interface; you interact with it by splicing a request from something >> like a file or a pipe into the uhid device; but the request you're >> splicing through contains a pointer into userspace memory? Do you know >> of anyone who is actually doing that? If not, anyone who does want to >> do this for some reason in the future can just go use UHID_CREATE2 >> instead. >=20 > I do not know if anyone is still using UHID_CREATE with sendpage and > neither do you really. It is all about not breaking userspace without > good reason and here ensuring that we switch to USER_DS and then back > to whatever it was does not seem too hard. It=E2=80=99s about not breaking userspace *except as needed for security fix= es*. User pointers in a write() payload is a big no-no. Also, that f_cred hack is only barely enough. This isn=E2=80=99t just about a= ttacking suid things =E2=80=94 this bug allows poking at the address space o= f an unsuspecting process. So, if a privileged program opens a uhid fd and i= s then tricked into writing untrusted data to the same fd (which is supposed= to be safe), then we have a problem. Fortunately, identically privileged pr= ograms usually still don=E2=80=99t share a cred pointer unless they came fro= m the right place. The real right fix is to remove UHID_CREATE outright. This is terminally bro= ken.