Subject: Re: [PATCH v2] HID: uhid: forbid UHID_CREATE under KERNEL_DS or elevated privileges
From: Andy Lutomirski
Date: Thu, 15 Nov 2018 06:50:05 -0800
To: David Herrmann
Cc: Benjamin Tissoires, Dmitry Torokhov, ebiggers@kernel.org, jannh@google.com, Jiri Kosina, "open list:HID CORE LAYER", linux-kernel, syzkaller-bugs@googlegroups.com, Dmitry Vyukov, syzbot+72473edc9bf4eb1c6556@syzkaller.appspotmail.com, stable, Andy Lutomirski
References: <20181114215509.163600-1-ebiggers@kernel.org> <20181114230046.GC87768@gmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org

> On Nov 15, 2018, at 4:06 AM, David Herrmann wrote:
>
> Hey
>
> On Thu, Nov 15, 2018 at 9:14 AM Benjamin Tissoires wrote:
>>
>> On Thu, Nov 15, 2018 at 12:20 AM Dmitry Torokhov wrote:
>>>> I think it's best not to make assumptions about how the interface will be used and to be consistent with how other ->write() methods in the kernel handle the misfeature where a __user pointer in the write() or read() payload is dereferenced.
>>>
>>> I can see that you might want to check credentials, etc., if the interface can be accessed by an unprivileged process; however, it is a big no-no for uhid/userio/uinput devices.
>>
>> Yep, any sane distribution would restrict the permissions of uhid/userio/uinput to only be accessed by root. If that ever changes, there is already an issue with the system and it was compromised either by a terribly dizzy sysadmin.
>
> UHID is safe to be used by a non-root user. This does not imply that you should open up access to the world, but you are free to have a dedicated group or user with access to uhid. I agree that in most common desktop scenarios you should not grant world access to it, though.
>
>>>
>>>> Temporarily switching to USER_DS would only avoid one of the two problems.
>>>
>>> So because of the above there is only one problem. If your system opened access to uhid to random processes you have much bigger problems than exposing some data from a suid binary. You can spam "rm -rf .; rm -rf /" through uhid if there is an interactive session somewhere.
>>>
>>>>
>>>> Do you think the proposed restrictions would actually break anything?
>>>
>>> It would break if someone uses UHID_CREATE with sendpage. I do not know if anyone does. If we were certain there are no users we'd simply remove UHID_CREATE altogether.
>>
>> AFAICT, there are 2 users of uhid:
>> - bluez for BLE devices (using HID over GATT)
>> - hid-replay for debugging.
>
> There are several more (e.g., android bt-broadcom), and UHID_CREATE is actively used. Dropping support for it will break these use-cases.
>
>

Is the support story for these programs such that we could add a big scary warning and remove UHID_CREATE in a couple months?