Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp3664020imu; Mon, 14 Jan 2019 07:02:29 -0800 (PST) X-Google-Smtp-Source: ALg8bN6PfhRnT87Wpzp2nBHDiLfYDMnRUVd02uX8AOvWEmNw44hOHskbayKW8kpnIWB/BTYsCLER X-Received: by 2002:a63:413:: with SMTP id 19mr12960869pge.7.1547478149640; Mon, 14 Jan 2019 07:02:29 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1547478149; cv=none; d=google.com; s=arc-20160816; b=hDUWWcPIzattvAUtDFMcfNSc5xnDBeNuO0F53dn/qfg8+1M6XSnLXY8+bXvH4UBs+p eqMa1pi/7KaRJrNMHIcxNyTRAN//w4xtaByTMyXFjin72GbQKj63tlofer3FTf4EMe7Y HJhjKcynjmH/EFomGM5zSrN+vhNYGXu75NWDuh4pjYTqV2PGBHdCeTH1t+aD7M3UafhW f/jaFwL+Fae6ohUsNFLPr9DVbQgqdRlNRjlHcadQ3umQ/RsJdLS00whU2DzvDpaou/68 6kV1yGmM7EoTjoPxvZWc8318V3IpvbBcIzBKxRzTtDaceNBjuurqOnijuI3NBCvMpDzJ ZNEA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:cc:to:subject :message-id:date:from:in-reply-to:references:mime-version :dkim-signature; bh=pir6iph9qC+UhZ1RQ/u/pJbvExoSf4+Ae9K48RYuXUc=; b=SmDrj9Lx5O7aTQHrPsRLQIokvoP9yxFvZfay/ZBMyN68cx5zsTwJNX4QmYY4RqHLVg 1FZaiXSazhQ2grs3OFEBK9NPe5r7gnuNAA6nu8Ruolo3synT3hn89GXo2riIrDony+v+ 2poLWnSlqsuXh9UiOQ/89dWF5TY4c42l4Sud3IM3bzdGZz3YgAvkIyDoH18zXuxeutnH /CtbQgiuHPI+1WYbte5dWc7CaHBQovWQt+BKI5oz93qK3q/4zSI2NB9F3j7Vy7Pu8zOb 5rBWP8iQXVWRHdaGYiX4mLTPcDZMiYZLqpBQgOrmcbnjBHp5YYG35ewMcpWcgDhI6J8t foWw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b="Nj7K/HWA"; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id x8si443320pll.187.2019.01.14.07.02.14; Mon, 14 Jan 2019 07:02:29 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b="Nj7K/HWA"; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726761AbfANPAP (ORCPT + 99 others); Mon, 14 Jan 2019 10:00:15 -0500 Received: from mail-lj1-f195.google.com ([209.85.208.195]:46323 "EHLO mail-lj1-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726554AbfANPAO (ORCPT ); Mon, 14 Jan 2019 10:00:14 -0500 Received: by mail-lj1-f195.google.com with SMTP id v15-v6so19270740ljh.13; Mon, 14 Jan 2019 07:00:13 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=pir6iph9qC+UhZ1RQ/u/pJbvExoSf4+Ae9K48RYuXUc=; b=Nj7K/HWA5hJw3J8CnijeZdHjrhsBe9EaWr1dm/L9v4SCFRcQ5ZTCglucuObRFOlKce mcC0K/e75XhpJq7bg/jV+fpEpWoAv2zOeOEkbFxElZCf9QoX2VWZXrrXsfnVVQIqV7ux /LGE35VcMesYKY2t9sDy3bDxgWAKzMxVX4VvE3GdGy5YgB3uAtOhcXGRTRESawxJH+SI mg4evIKm0mk5pTEsfB932GRgqAC9OYORPILF1al1x6e17mj+GaM/azGB3gt2bBxTfXDs 5gc5gebJC2hE+BGLkK79dKWwF1uKJ3+eYzy+QIrbE5JM84Wz+TrlOM+q35kQBf5j34aV RiBg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=pir6iph9qC+UhZ1RQ/u/pJbvExoSf4+Ae9K48RYuXUc=; b=o5XCgf4ngdJHGqpeyVKTZzE1v0ky02hfP9R0q9x0Fjs9Z7Uc34fZkUn6yzrtkUb9T6 Yuz9cMwVq9m+msA9UtSk3RrCiml1/3OIaw37aJ7nlNvoJ+2KejzBa8u2mhj3LD+uH2iT eXsq2ogsvB4uMhVGTn7LJrQGJLJ62F78uelXDp0Wp+e7YtORYzUt/1P5jjpSLKlCoyQP IDkYMJVqrgRrtVaTNG1YEK3hmAGAhJVSaX2rQ5dBaKJNHkWybOmvs5e8Y46rEMLgM+t+ 19QyE63VX+w5jlREENExcFuWmLS16ca9q+fDWa7HeZIdOtXeqBMmDo8J26NfQg9uX4zx YurQ== X-Gm-Message-State: AJcUukekqzUzRx8sPRqJ4UOTZwS8sIsbgwLoTsfhHsu5KDdHbbPvNoYm v2JXNuToo2fOPdjsqaAJWgj2yM+t8+H+2osrJuc= X-Received: by 2002:a2e:1b47:: with SMTP id b68-v6mr12550681ljb.104.1547478012019; Mon, 14 Jan 2019 07:00:12 -0800 (PST) MIME-Version: 1.0 References: <20190113230946.GA18710@amd> In-Reply-To: From: Anatoly Trosinenko Date: Mon, 14 Jan 2019 18:00:01 +0300 Message-ID: Subject: Re: NULL pointer dereference when writing fuzzed data to /dev/uhid To: Benjamin Tissoires Cc: Pavel Machek , Jiri Kosina , lkml , "open list:HID CORE LAYER" , Roderick Colenbrander Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Thank you for the explanation! Best regards Anatoly =D0=BF=D0=BD, 14 =D1=8F=D0=BD=D0=B2. 2019 =D0=B3. =D0=B2 17:55, Benjamin Ti= ssoires : > > On Mon, Jan 14, 2019 at 3:23 PM Anatoly Trosinenko > wrote: > > > > > fuzzed data is hard to discriminate from valid data. > > > > Just in case it can be helpful... If it is about manually "parsing" > > descriptors to understand what is wrong by hands, then maybe Kaitai > > Struct parser generator can help. I understand it is probably not > > suited well for in-kernel binary parsing, but given a text-form > > description of a format, it can visualize parsed binary data as a > > hierarchical structure. > > Well, the data and parsing is pretty straightforward (see > http://who-t.blogspot.com/2018/12/understanding-hid-report-descriptors.ht= ml > if you want to have an entertaining understanding, instead of reading > the specs). The problem is the fuzzed data looks like a correct one, > but there is garbage in the middle. > > And we can not simply rely on some global CRC that would prevent > fuzzing because there is none. And the report descriptor is in the > device, so we can't upgrade all of them. > > So in the end, sending a fuzz HID report descriptor is like sending a > language grammar that doesn't mean anything. The parser says, "well, > yes, why not", but sometime the rest of the drivers expect a little > bit more, and this is where it gets hard to see. > > Cheers, > Benjamin > > > > > Best regards > > Anatoly > > > > =D0=BF=D0=BD, 14 =D1=8F=D0=BD=D0=B2. 2019 =D0=B3. =D0=B2 02:09, Pavel M= achek : > > > > > > > > Hi! > > > > > > I just want to note that while these may not be high-priority, they > > > are still security holes to be fixed. > > > > > > > > When writing the attached file to /dev/uhid, a NULL dereference o= ccurs > > > > > in kernel. As I understand, the problem is not UHID-specific, but= is > > > > > related to HID subsystem. > > > > > > > > Thanks for the report. > > > > I wanted to tell you that I started investigating the other private > > > > report you sent us, but couldn't find the time to properly come wit= h a > > > > fix as the fuzzed data is hard to discriminate from valid data. > > > > > > > > A couple of notes though: > > > > - writing to uhid needs to be done by root. Any distribution that > > > > doesn't enforce that is doomed to have several security issues > > > > > > We want to protect kernel from root, too. > > > > > > > - we could somehow reproduce those fuzzed data on a USB or Bluetoot= h > > > > connection, but that would require physical access to the device, s= o > > > > you are doomed also > > > > > > Not neccessarily. Imagine a kiosk where PC is protected but keyboard > > > uses USB connection. If our USB stack is buggy, you are doomed... but > > > you should not be ;-). > > > = Pavel > > > -- > > > (english) http://www.livejournal.com/~pavelmachek > > > (cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/hors= es/blog.html