From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Ingo Rohloff, Sasha Levin
Subject: [PATCH 4.19 079/219] usb: usbfs: Suppress problematic bind and unbind uevents.
Date: Sun, 29 Dec 2019 18:18:01 +0100
Message-Id: <20191229162517.692370357@linuxfoundation.org>
In-Reply-To: <20191229162508.458551679@linuxfoundation.org>

From: Ingo Rohloff

[ Upstream commit abb0b3d96a1f9407dd66831ae33985a386d4200d ]

commit 1455cf8dbfd0 ("driver core: emit uevents when device is bound to a driver") added bind and unbind uevents when a driver is bound or unbound to a physical device.

For USB devices which are handled via the generic usbfs layer (via libusb for example), this is problematic:
Each time a user space program calls
   ioctl(usb_fd, USBDEVFS_CLAIMINTERFACE, &usb_intf_nr);
and then later
   ioctl(usb_fd, USBDEVFS_RELEASEINTERFACE, &usb_intf_nr);
The kernel will now produce a bind or unbind event, which does not really contain any useful information.

This allows a user space program to run a DoS attack against programs which listen to uevents (in particular systemd/eudev/upowerd):
A malicious user space program just has to call in a tight loop
   ioctl(usb_fd, USBDEVFS_CLAIMINTERFACE, &usb_intf_nr);
   ioctl(usb_fd, USBDEVFS_RELEASEINTERFACE, &usb_intf_nr);
With this loop the malicious user space program floods the kernel and all programs listening to uevents with tons of bind and unbind events.

This patch suppresses uevents for ioctls USBDEVFS_CLAIMINTERFACE and USBDEVFS_RELEASEINTERFACE.

Signed-off-by: Ingo Rohloff
Link: https://lore.kernel.org/r/20191011115518.2801-1-ingo.rohloff@lauterbach.com
Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin --- drivers/usb/core/devio.c | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/drivers/usb/core/devio.c b/drivers/usb/core/devio.c index 29c6414f48f1..00204824bffd 100644 --- a/drivers/usb/core/devio.c +++ b/drivers/usb/core/devio.c @@ -739,8 +739,15 @@ static int claimintf(struct usb_dev_state *ps, unsigned int ifnum) intf = usb_ifnum_to_if(dev, ifnum); if (!intf) err = -ENOENT; - else + else { + unsigned int old_suppress; + + /* suppress uevents while claiming interface */ + old_suppress = dev_get_uevent_suppress(&intf->dev); + dev_set_uevent_suppress(&intf->dev, 1); err = usb_driver_claim_interface(&usbfs_driver, intf, ps); + dev_set_uevent_suppress(&intf->dev, old_suppress); + } if (err == 0) set_bit(ifnum, &ps->ifclaimed); return err; @@ -760,7 +767,13 @@ static int releaseintf(struct usb_dev_state *ps, unsigned int ifnum) if (!intf) err = -ENOENT; else if (test_and_clear_bit(ifnum, &ps->ifclaimed)) { + unsigned int old_suppress; + + /* suppress uevents while releasing interface */ + old_suppress = dev_get_uevent_suppress(&intf->dev); + dev_set_uevent_suppress(&intf->dev, 1); usb_driver_release_interface(&usbfs_driver, intf); + dev_set_uevent_suppress(&intf->dev, old_suppress); err = 0; } return err; -- 2.20.1
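
Review bot: in the claimintf() hunk, the save/set/restore of the suppress flag around usb_driver_claim_interface() is only correct if nothing else reads or changes the uevent-suppress state of intf->dev inside that window, and neither the code nor the new comment says what guarantees that. A concurrent change made between dev_get_uevent_suppress() and the final dev_set_uevent_suppress(&intf->dev, old_suppress) would be silently overwritten by the restore. Please extend the comment to name the lock or calling context that serialises this, and to say why the events are suppressed (the claim/release event flood described in the commit message), since "suppress uevents while claiming interface" only restates the code.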
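
Review bot: the lines added to releaseintf() repeat the claimintf() sequence verbatim (read old_suppress, dev_set_uevent_suppress(&intf->dev, 1), call, restore), so the two copies can drift apart in later backports. A small static helper pair in devio.c that takes the interface and returns or restores the previous value would keep both paths identical. Note also that the suppression covers every uevent raised on intf->dev while usb_driver_release_interface() runs, not only the unbind event, so the comment should state that this is intended.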
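
For hosts still running a kernel without this fix, the flood described in the commit message can be spotted on the listener side. The following is an added example, not code from the patch or from the kernel: it parses kernel uevent payloads and flags an excessive rate of bind/unbind events on USB interfaces. The function names, WINDOW_MS, LIMIT and the sample payload are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define WINDOW_MS 1000 /* assumed observation window */
#define LIMIT 20       /* assumed ceiling for interface bind/unbind events per window */
/* Constructed sample payload in the kernel's "action@devpath\0KEY=VALUE\0..." layout. */
static const char SAMPLE_BIND[] =
    "bind@/devices/pci0000:00/usb1/1-1/1-1:1.0\0ACTION=bind\0"
    "DEVPATH=/devices/pci0000:00/usb1/1-1/1-1:1.0\0SUBSYSTEM=usb\0"
    "DEVTYPE=usb_interface\0SEQNUM=4242";

/* Return the value of `key` in a uevent payload, or NULL if absent or unterminated. */
static const char *uevent_get(const char *buf, size_t len, const char *key)
{
    size_t klen = strlen(key), off = 0;
    while (off < len) {
        const char *rec = buf + off, *end = memchr(rec, '\0', len - off);
        if (!end)
            break; /* truncated last record: ignore it */
        if ((size_t)(end - rec) > klen && rec[klen] == '=' && !memcmp(rec, key, klen))
            return rec + klen + 1;
        off += (size_t)(end - rec) + 1;
    }
    return NULL;
}

/* Feed one uevent; returns 1 once USB interface bind/unbind events exceed LIMIT per window. */
static int uevent_flood_check(const char *buf, size_t len, long now_ms)
{
    static long win_start;
    static unsigned win_count;
    const char *act = uevent_get(buf, len, "ACTION");
    const char *type = uevent_get(buf, len, "DEVTYPE");
    if (!act || !type || strcmp(type, "usb_interface") ||
        (strcmp(act, "bind") && strcmp(act, "unbind")))
        return 0; /* other actions and device types do not count */
    if (now_ms - win_start >= WINDOW_MS) { /* window expired: start a new one */
        win_start = now_ms;
        win_count = 0;
    }
    return ++win_count > LIMIT;
}

int main(void)
{
    for (int i = 1; i <= 25; i++) /* replay the sample at 1 ms spacing */
        if (uevent_flood_check(SAMPLE_BIND, sizeof SAMPLE_BIND, i))
            printf("flood at event %d: %s\n", i, uevent_get(SAMPLE_BIND, sizeof SAMPLE_BIND, "DEVPATH"));
}
```

In a real monitor the buffers would come from a NETLINK_KOBJECT_UEVENT socket and now_ms from a monotonic clock; the threshold needs tuning against normal hot-plug activity on the host.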