Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp2736937imu; Mon, 19 Nov 2018 05:24:31 -0800 (PST) X-Google-Smtp-Source: AJdET5d29jsTOIXUV+uCp/WbDjxrtCqK1qmWhl2qakQmw3J0IWfcF7Nc8HQ+pdyHITRm+e7GZQzJ X-Received: by 2002:a63:9f19:: with SMTP id g25mr19985929pge.327.1542633871014; Mon, 19 Nov 2018 05:24:31 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1542633870; cv=none; d=google.com; s=arc-20160816; b=b5/ej7H5yVR/RYdevWyieXjzNCOtcTP698U2e4WNxN3IIv/wyDTPwIkSbLl0qOlMkJ s/w6ln3OEIJ3oF9m9GjNExIzCxNKhlbDhsQR+2NYkUI7TfMLKpQPDVf8YUHKX0KwHpzM WD6Mxm7eBa0CCzt9UmC9t02Mw9/8mEZhdWn6lKYUzMSm5eyZ/4SkxbbpVp3TEl6YQP5x E3mSsQlVw7+5kG5UmRA7SEzcMccTRBZKrUpXIok9JddVmXxNWW8nqJsgABzJlY2oYJMx VnCflXDA/9Bn5aAEk2vtgykPb24iY/Ch02X0+uSlGdI4uIuJ+Du49uN12TQU3NxTsFYn ATVg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=2BCue+2M0/f1DEp6pP//BGApptyIqgDRAQ+GaVWHHyQ=; b=GFLt9ruFmE9zGR7CcMQ6MCDbbkdvgWVj+bnVldHKCeqPkVaBbEb6cEYRxkVhQavWW3 aq5KMobXKnd3Hp6nQ3HkGR15oysB6Y39bkLNSHz7axwgJn3Rbfmm8Lu6+LVs+A0tWL18 6OFvsFzTQYrSLcLHxlAoCculEhLAUORp3WaxcnqUT21YnAN/A4c5DdcHoBh7sghVZirI q6t2rq0ld3HqedSnokuKbY/Vq0ZRg78yWbPH6pfdB7JmKG90e+iylKDzMMrdJpo+vlnj 1rwsf5Um6A7hBQca8EJ87pJi4bvzK9lm3KgkqTGe27XryY4IVb6ySt+QiUPIfU6MmMM5 /dug== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=UICJGTVu; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id b2si11089833pfj.207.2018.11.19.05.24.15; Mon, 19 Nov 2018 05:24:30 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=UICJGTVu; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729300AbeKSXpg (ORCPT + 99 others); Mon, 19 Nov 2018 18:45:36 -0500 Received: from mail-io1-f65.google.com ([209.85.166.65]:34257 "EHLO mail-io1-f65.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729246AbeKSXpg (ORCPT ); Mon, 19 Nov 2018 18:45:36 -0500 Received: by mail-io1-f65.google.com with SMTP id f6so19169085iob.1; Mon, 19 Nov 2018 05:21:59 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=2BCue+2M0/f1DEp6pP//BGApptyIqgDRAQ+GaVWHHyQ=; b=UICJGTVu5X/cUeiGuQuZD25efKkD0MP8VZeZ6HPyDeDwh0iOKLguAl4qIGBKKjQg1l fCd0dksjJdpB2KMHgbJ8TeNGakMn3+M6mfRToq6cIhZ9K0ZhPKKClaL8Vz77NWJdrgMF pL6YzVmMLakwb4Qr2UDonuFt5jxPDYx22FU46F1tr+dsi20o7WFEbEIN0ccDmbS3Wp0i xA/BOAkQHhHsaNVxFzoxst0XPIfqI3oggyWJg7N3sz+SAN0BYyHYqe3Z19B2c/Jzt832 +CzAq26aWKxybqLdj+qkzwg7WaIGjy4RJjrOyI3gyr09KJIu9/151Tw+gX2rVwQpTu2L VxMw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=2BCue+2M0/f1DEp6pP//BGApptyIqgDRAQ+GaVWHHyQ=; b=SJaDdI/3y+vx/fWu3rg4j6foHXslCZSIQ96IZF5t1UvZVK6BskdyeLglYTZp2oLdNp p5fbAAtoksrmiq959PTIEIXLuiwaWRonA+WONTOEHqrqoky3fwyv94lOMSlUhyjs3/aG Y/hqfk48NtAp7P8IF6MXXXXZtzyi6uC5oERcbqfN+uAl+uw+Ip5eYUUtL+T1xN+j90w4 tRt//DX+sHJzZR7SWua8L/Xp5pxweVrege4xGTqyOu8jOzC1mpgwv4A3t3NY1hbWiqJd xeHAOVWVbX5jCyr4d7UtuxZHYTVrAt7OmdjhqA7UElZAQaRcPRN2nFvJPiwsmKRtzapX mo8Q== X-Gm-Message-State: AA+aEWaHt+lNzVj1rFxq3oQPCw7FwoFbkzG7Kij85YgWXuKUtK/2mVJj tGjzW2camlp5XcCNrmEGr1ljW9OtcHMgCE+hWW4= X-Received: by 2002:a6b:f104:: with SMTP id e4mr10655940iog.271.1542633718389; Mon, 19 Nov 2018 05:21:58 -0800 (PST) MIME-Version: 1.0 References: <20181114215509.163600-1-ebiggers@kernel.org> In-Reply-To: From: David Herrmann Date: Mon, 19 Nov 2018 14:21:47 +0100 Message-ID: Subject: Re: [PATCH v2] HID: uhid: forbid UHID_CREATE under KERNEL_DS or elevated privileges To: Jiri Kosina Cc: ebiggers@kernel.org, Benjamin Tissoires , "open list:HID CORE LAYER" , linux-kernel , syzkaller-bugs@googlegroups.com, Dmitry Vyukov , Dmitry Torokhov , syzbot+72473edc9bf4eb1c6556@syzkaller.appspotmail.com, stable , Jann Horn , Andy Lutomirski Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hey On Mon, Nov 19, 2018 at 1:52 PM Jiri Kosina wrote: > > > [ David added to CC ] > > On Wed, 14 Nov 2018, Eric Biggers wrote: > > > From: Eric Biggers > > > > When a UHID_CREATE command is written to the uhid char device, a > > copy_from_user() is done from a user pointer embedded in the command. > > When the address limit is KERNEL_DS, e.g. as is the case during > > sys_sendfile(), this can read from kernel memory. Alternatively, > > information can be leaked from a setuid binary that is tricked to write > > to the file descriptor. Therefore, forbid UHID_CREATE in these cases. > > > > No other commands in uhid_char_write() are affected by this bug and > > UHID_CREATE is marked as "obsolete", so apply the restriction to > > UHID_CREATE only rather than to uhid_char_write() entirely. > > > > Thanks to Dmitry Vyukov for adding uhid definitions to syzkaller and to > > Jann Horn for commit 9da3f2b740544 ("x86/fault: BUG() when uaccess > > helpers fault on kernel addresses"), allowing this bug to be found. > > > > Reported-by: syzbot+72473edc9bf4eb1c6556@syzkaller.appspotmail.com > > Fixes: d365c6cfd337 ("HID: uhid: add UHID_CREATE and UHID_DESTROY events") > > Cc: # v3.6+ > > Cc: Jann Horn > > Cc: Andy Lutomirski > > Signed-off-by: Eric Biggers > > Thanks for the patch. I however believe the fix below is more generic, and > would prefer taking that one in case noone sees any major flaw in that > I've overlooked. Thanks. As Andy rightly pointed out, the credentials check is actually needed. The scenario here is using a uhid-fd as stdout when executing a setuid-program. This will possibly end up reading arbitrary memory from the setuid program and use it as input for the hid-descriptor. To my knowledge, this is a rather small attack surface. UHID is usually a privileged interface, which in itself already gives you ridiculous privileges. Furthermore, it only allows read-access if you happen to be able to craft the message the setuid program writes (which must be a valid user-space pointer, pointing to a valid hid descriptor). But people have been creative in the past, and they will find a way to use this. So I do think Eric's patch here is the way to go. Lastly, this only guards UHID_CREATE, which is already a deprecated interface for several years. I don't think we can drop it any time soon, but at least the other uhid interfaces should be safe. Thanks David