Received-SPF: pass (google.com: domain of linux-kernel+bounces-152240-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45e3:2400::1 as permitted sender) client-ip=2604:1380:45e3:2400::1;
Message-ID: <e696e720-0cd3-4505-8469-a94815b39467@I-love.SAKURA.ne.jp>
Date: Sat, 20 Apr 2024 20:12:32 +0900
Precedence: bulk
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Content-Language: en-US
To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        Jiri Slaby <jirislaby@kernel.org>,
        Andrew Morton
 <akpm@linux-foundation.org>,
        "Starke, Daniel" <daniel.starke@siemens.com>,
        LKML <linux-kernel@vger.kernel.org>
Cc: linux-security-module <linux-security-module@vger.kernel.org>,
        Linus Torvalds <torvalds@linux-foundation.org>
From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Subject: [PATCH v2] tty: n_gsm: restrict tty devices to attach
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit

syzbot is reporting sleep in atomic context, for gsmld_write() is calling
con_write() with spinlock held and IRQs disabled.

Since n_gsm is designed to be used for serial port [1], reject attaching to
virtual consoles and PTY devices, by checking tty's device major/minor
numbers at gsmld_open().

Starke, Daniel commented

  Our application of this protocol is only with specific modems to enable
  circuit switched operation (handling calls, selecting/querying networks,
  etc.) while doing packet switched communication (i.e. IP traffic over
  PPP). The protocol was developed for such use cases.

at [2], but it seems that nobody can define allow list for device numbers
where this protocol should accept. Therefore, this patch defines deny list
for device numbers.

Greg Kroah-Hartman is not happy with use of hard-coded magic numbers [3],
but I don't think we want to update include/uapi/linux/major.h and add
include/uapi/linux/minor.h just for fixing this bug.

Link: https://www.kernel.org/doc/html/v6.8/driver-api/tty/n_gsm.html [1]
Link: https://lkml.kernel.org/r/DB9PR10MB588170E923A6ED8B3D6D9613E0CBA@DB9PR10MB5881.EURPRD10.PROD.OUTLOOK.COM [2]
Link: https://lkml.kernel.org/r/2024020615-stir-dragster-aeb6@gregkh [3]
Reported-by: syzbot <syzbot+dbac96d8e73b61aa559c@syzkaller.appspotmail.com>
Closes: https://syzkaller.appspot.com/bug?extid=dbac96d8e73b61aa559c
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
---
Adding LSM ML to CC list in order to ask for comments if Greg again
complained that we don't want to add sanity check on the kernel side.
I agree that we should fix fuzzers if fuzzers are writing random data
to /dev/mem or /dev/kmem . But for example
https://lkml.kernel.org/r/CAADnVQJQvcZOA_BbFxPqNyRbMdKTBSMnf=cKvW7NJ8LxxP54sA@mail.gmail.com
demonstrates that developers try to fix bugs on the kernel side rather
than tell fuzzers not to do artificial things.

 drivers/tty/n_gsm.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/drivers/tty/n_gsm.c b/drivers/tty/n_gsm.c
index 4036566febcb..14581483af78 100644
--- a/drivers/tty/n_gsm.c
+++ b/drivers/tty/n_gsm.c
@@ -3623,6 +3623,7 @@ static void gsmld_close(struct tty_struct *tty)
 static int gsmld_open(struct tty_struct *tty)
 {
 	struct gsm_mux *gsm;
+	int major;
 
 	if (!capable(CAP_NET_ADMIN))
 		return -EPERM;
@@ -3630,6 +3631,17 @@ static int gsmld_open(struct tty_struct *tty)
 	if (tty->ops->write == NULL)
 		return -EINVAL;
 
+	major = tty->driver->major;
+	/* Reject Virtual consoles */
+	if (major == 4 && tty->driver->minor_start == 1)
+		return -EINVAL;
+	/* Reject Unix98 PTY masters/slaves */
+	if (major >= 128 && major <= 143)
+		return -EINVAL;
+	/* Reject BSD PTY masters/slaves */
+	if (major >= 2 && major <= 3)
+		return -EINVAL;
+
 	/* Attach our ldisc data */
 	gsm = gsm_alloc_mux();
 	if (gsm == NULL)
-- 
2.18.4