From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Ingo Rohloff, Sasha Levin
Subject: [PATCH 4.9 035/171] usb: usbfs: Suppress problematic bind and unbind uevents.
Date: Thu, 2 Jan 2020 23:06:06 +0100
Message-Id: <20200102220551.928295408@linuxfoundation.org>
X-Mailer: git-send-email 2.24.1
In-Reply-To: <20200102220546.960200039@linuxfoundation.org>
References: <20200102220546.960200039@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

From: Ingo Rohloff

[ Upstream commit abb0b3d96a1f9407dd66831ae33985a386d4200d ]

commit 1455cf8dbfd0 ("driver core: emit uevents when device is bound to a
driver") added bind and unbind uevents when a driver is bound or unbound
to a physical device.

For USB devices which are handled via the generic usbfs layer (via libusb
for example), this is problematic:
Each time a user space program calls
    ioctl(usb_fd, USBDEVFS_CLAIMINTERFACE, &usb_intf_nr);
and then later
    ioctl(usb_fd, USBDEVFS_RELEASEINTERFACE, &usb_intf_nr);
The kernel will now produce a bind or unbind event, which does not
really contain any useful information.

This allows a user space program to run a DoS attack against programs
which listen to uevents (in particular systemd/eudev/upowerd):
A malicious user space program just has to call in a tight loop
    ioctl(usb_fd, USBDEVFS_CLAIMINTERFACE, &usb_intf_nr);
    ioctl(usb_fd, USBDEVFS_RELEASEINTERFACE, &usb_intf_nr);
With this loop the malicious user space program floods the kernel and
all programs listening to uevents with tons of bind and unbind events.

This patch suppresses uevents for ioctls USBDEVFS_CLAIMINTERFACE and
USBDEVFS_RELEASEINTERFACE.

Signed-off-by: Ingo Rohloff
Link: https://lore.kernel.org/r/20191011115518.2801-1-ingo.rohloff@lauterbach.com
Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin --- drivers/usb/core/devio.c | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/drivers/usb/core/devio.c b/drivers/usb/core/devio.c index 06a8f645106b..059e71d71b66 100644 --- a/drivers/usb/core/devio.c +++ b/drivers/usb/core/devio.c @@ -754,8 +754,15 @@ static int claimintf(struct usb_dev_state *ps, unsigned int ifnum) intf = usb_ifnum_to_if(dev, ifnum); if (!intf) err = -ENOENT; - else + else { + unsigned int old_suppress; + + /* suppress uevents while claiming interface */ + old_suppress = dev_get_uevent_suppress(&intf->dev); + dev_set_uevent_suppress(&intf->dev, 1); err = usb_driver_claim_interface(&usbfs_driver, intf, ps); + dev_set_uevent_suppress(&intf->dev, old_suppress); + } if (err == 0) set_bit(ifnum, &ps->ifclaimed); return err; @@ -775,7 +782,13 @@ static int releaseintf(struct usb_dev_state *ps, unsigned int ifnum) if (!intf) err = -ENOENT; else if (test_and_clear_bit(ifnum, &ps->ifclaimed)) { + unsigned int old_suppress; + + /* suppress uevents while releasing interface */ + old_suppress = dev_get_uevent_suppress(&intf->dev); + dev_set_uevent_suppress(&intf->dev, 1); usb_driver_release_interface(&usbfs_driver, intf); + dev_set_uevent_suppress(&intf->dev, old_suppress); err = 0; } return err; -- 2.20.1
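
Review bot: in the claimintf() hunk, the read of dev_get_uevent_suppress() and the restore after usb_driver_claim_interface() form a save/set/restore on intf->dev with no serialisation visible in these lines; if another path changes the flag in between, the final dev_set_uevent_suppress(&intf->dev, old_suppress) overwrites it. A comment naming the lock that callers hold here would make the restore safe to reason about. The added comment could also say why the events are suppressed (user space can trigger them at will through USBDEVFS_CLAIMINTERFACE), not only what is done.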
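
Review bot: the lines added to releaseintf() repeat the save/set/restore sequence from claimintf() almost verbatim, including the `unsigned int old_suppress` local declared inside the branch. A small static helper pair (one that suppresses and returns the old value, one that restores it) would keep the two ioctl paths from drifting apart, and would give a single place to document that only the window around usb_driver_release_interface() is covered.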
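
On a kernel without this change, the flood described in the commit message reaches a uevent listener as a burst of USB bind/unbind events. The following C code is an added example, not part of the patch or the kernel tree: it parses uevent payloads (NUL-separated KEY=value fields) and flags USB bind/unbind events beyond a per-window threshold. `WINDOW_MS`, `THRESHOLD`, the function names and the sample device path are assumptions, and the input is constructed.

```c
#include <stdio.h>
#include <string.h>
#define WINDOW_MS 1000 /* assumed counting window */
#define THRESHOLD 4    /* assumed: USB bind/unbind events tolerated per window */

struct flood_state { long start_ms; int count; };
/* Look up KEY in a uevent payload made of NUL-separated "KEY=value" fields. */
static const char *uevent_get(const char *buf, size_t len, const char *key)
{
    size_t klen = strlen(key);
    for (size_t off = 0; off < len; ) {
        const char *end = memchr(buf + off, '\0', len - off);
        if (!end) break; /* unterminated trailing field: ignore it */
        size_t flen = (size_t)(end - (buf + off));
        if (flen > klen && !memcmp(buf + off, key, klen) && buf[off + klen] == '=')
            return buf + off + klen + 1;
        off += flen + 1;
    }
    return NULL;
}

/* Count USB bind/unbind uevents; return 1 for each event beyond THRESHOLD in a window. */
static int feed(struct flood_state *st, const char *buf, size_t len, long now_ms)
{
    const char *act = uevent_get(buf, len, "ACTION"), *sub = uevent_get(buf, len, "SUBSYSTEM");
    if (!act || !sub || strcmp(sub, "usb") || (strcmp(act, "bind") && strcmp(act, "unbind")))
        return 0;
    if (st->count == 0 || now_ms - st->start_ms >= WINDOW_MS)
        *st = (struct flood_state){ now_ms, 0 }; /* start a new window */
    return ++st->count > THRESHOLD;
}

/* Constructed input: alternating bind/unbind uevents for one interface, step_ms apart. */
static int replay(int events, long step_ms)
{
    struct flood_state st = {0, 0};
    int alerts = 0;
    for (int i = 0; i < events; i++) {
        char buf[256];
        const char *act = (i % 2) ? "unbind" : "bind";
        int len = snprintf(buf, sizeof buf, "%s@/devices/example/1-1:1.0%cACTION=%s%c"
                           "DEVPATH=/devices/example/1-1:1.0%cSUBSYSTEM=usb%c", act, 0, act, 0, 0, 0);
        alerts += feed(&st, buf, (size_t)len, i * step_ms);
    }
    return alerts;
}

int main(void) { printf("fast: %d alerts, slow: %d alerts\n", replay(10, 10), replay(10, 600)); return 0; }
```

In a real monitor the payloads would come from the kernel uevent netlink socket instead of `replay()`, and the threshold would be tuned to the host's normal hotplug rate.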