From: Eric Biggers <ebiggers@kernel.org>
To: David Herrmann <dh.herrmann@gmail.com>
Cc: Dmitry Vyukov <dvyukov@google.com>,
Dmitry Torokhov <dtor@google.com>,
syzbot+72473edc9bf4eb1c6556@syzkaller.appspotmail.com,
Benjamin Tissoires <benjamin.tissoires@redhat.com>,
Jiri Kosina <jikos@kernel.org>,
"open list:HID CORE LAYER" <linux-input@vger.kernel.org>,
linux-kernel <linux-kernel@vger.kernel.org>,
syzkaller-bugs@googlegroups.com
Subject: Re: BUG: GPF in non-whitelisted uaccess (non-canonical address?)
Date: Wed, 14 Nov 2018 09:14:48 -0800 [thread overview]
Message-ID: <20181114171447.GA87768@gmail.com> (raw)
In-Reply-To: <CACT4Y+b8801QqLe4axBct-cZ2a-jr2S2=MSRhg7rV20bPvUHxQ@mail.gmail.com>
On Wed, Nov 14, 2018 at 08:52:46AM -0800, 'Dmitry Vyukov' via syzkaller-bugs wrote:
> On Wed, Nov 14, 2018 at 4:20 AM, David Herrmann <dh.herrmann@gmail.com> wrote:
> > Hey
> >
> > On Wed, Nov 14, 2018 at 1:25 AM syzbot
> > <syzbot+72473edc9bf4eb1c6556@syzkaller.appspotmail.com> wrote:
> >> syzbot has found a reproducer for the following crash on:
> >>
> >> HEAD commit: ccda4af0f4b9 Linux 4.20-rc2
> >> git tree: upstream
> >> console output: https://syzkaller.appspot.com/x/log.txt?x=13b4e77b400000
> >> kernel config: https://syzkaller.appspot.com/x/.config?x=4a0a89f12ca9b0f5
> >> dashboard link: https://syzkaller.appspot.com/bug?extid=72473edc9bf4eb1c6556
> >> compiler: gcc (GCC) 8.0.1 20180413 (experimental)
> >> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1646a225400000
> >> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=108a6533400000
> >>
> >> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> >> Reported-by: syzbot+72473edc9bf4eb1c6556@syzkaller.appspotmail.com
> >>
> > [...]
> >> BUG: GPF in non-whitelisted uaccess (non-canonical address?)
> >
> > This uses sendpage(2) to feed data from a file into a uhid chardev.
> > The default behavior of the kernel is to create a temporary pipe, then
> > splice from the file into the pipe, and then splice again from the
> > pipe into uhid.
> >
> > The kernel provides default implementations for splicing between files
> > and any other file. The default implementation of `.splice_write()`
> > uses kmap() to map the page from the pipe and then uses the
> > __kernel_write() (which uses .f_op->write()) to push the data into the
> > target file. The problem is, __kernel_write() sets the address-space
> > to KERNEL_DS `set_fs(get_ds())`, thus granting the UHID request access
> > to kernel memory.
> >
> > I see several ways to fix that, the most simple solution is to simply
> > prevent splice/sendpage on uhid (by setting f_op.splice_write to a
> > dummy). Alternatively, we can implement a proper splice helper that
> > takes the page directly, rather than through the __kernel_write()
> > default implementation.
>
> also +dtor for uhid
>
Well, the problem is that uhid_char_write() reads from a user pointer embedded
in the write() payload. (Which really is abusing write(), but I assume it
cannot be changed at this point...) Thus it's unsafe to be called under
KERNEL_DS. So it needs:
if (uaccess_kernel())
return -EACCES;
See sg_check_file_access(), called from sg_read() and sg_write(), for another
example of this in the kernel.
- Eric
next prev parent reply other threads:[~2018-11-14 17:14 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-11-11 18:26 BUG: GPF in non-whitelisted uaccess (non-canonical address?) syzbot
2018-11-14 0:25 ` syzbot
2018-11-14 12:20 ` David Herrmann
2018-11-14 16:52 ` Dmitry Vyukov
2018-11-14 17:14 ` Eric Biggers [this message]
2018-11-14 18:02 ` [PATCH] HID: uhid: prevent uhid_char_write() under KERNEL_DS Eric Biggers
2018-11-14 18:14 ` Dmitry Torokhov
2018-11-14 18:18 ` Jann Horn
2018-11-14 21:54 ` Eric Biggers
2018-11-14 21:55 ` [PATCH v2] HID: uhid: forbid UHID_CREATE under KERNEL_DS or elevated privileges Eric Biggers
2018-11-14 22:04 ` Jann Horn
2018-11-14 22:28 ` Dmitry Torokhov
2018-11-14 22:37 ` Jann Horn
2018-11-14 22:46 ` Dmitry Torokhov
2018-11-15 0:39 ` Andy Lutomirski
2018-11-14 23:00 ` Eric Biggers
2018-11-14 23:20 ` Dmitry Torokhov
2018-11-15 8:14 ` Benjamin Tissoires
2018-11-15 12:06 ` David Herrmann
2018-11-15 14:50 ` Andy Lutomirski
2018-11-15 12:09 ` David Herrmann
2018-11-15 14:49 ` Andy Lutomirski
2018-11-19 12:52 ` Jiri Kosina
2018-11-19 13:21 ` David Herrmann
2018-11-19 13:26 ` Jiri Kosina
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20181114171447.GA87768@gmail.com \
--to=ebiggers@kernel.org \
--cc=benjamin.tissoires@redhat.com \
--cc=dh.herrmann@gmail.com \
--cc=dtor@google.com \
--cc=dvyukov@google.com \
--cc=jikos@kernel.org \
--cc=linux-input@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=syzbot+72473edc9bf4eb1c6556@syzkaller.appspotmail.com \
--cc=syzkaller-bugs@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.