From: Eric Biggers <ebiggers@kernel.org>
To: Jann Horn <jannh@google.com>
Cc: dh.herrmann@googlemail.com, Jiri Kosina <jikos@kernel.org>,
benjamin.tissoires@redhat.com, linux-input@vger.kernel.org,
kernel list <linux-kernel@vger.kernel.org>,
syzkaller-bugs@googlegroups.com,
Dmitry Vyukov <dvyukov@google.com>,
dtor@google.com,
syzbot+72473edc9bf4eb1c6556@syzkaller.appspotmail.com,
stable@vger.kernel.org, Andy Lutomirski <luto@kernel.org>
Subject: Re: [PATCH] HID: uhid: prevent uhid_char_write() under KERNEL_DS
Date: Wed, 14 Nov 2018 13:54:35 -0800 [thread overview]
Message-ID: <20181114215434.GB87768@gmail.com> (raw)
In-Reply-To: <CAG48ez3bPkh+DMPwiebM+r4ozX2CiVY=9=WMBP_xm1qVaSN4sQ@mail.gmail.com>
On Wed, Nov 14, 2018 at 07:18:39PM +0100, 'Jann Horn' via syzkaller-bugs wrote:
> +cc Andy
>
> On Wed, Nov 14, 2018 at 7:03 PM Eric Biggers <ebiggers@kernel.org> wrote:
> > When a UHID_CREATE command is written to the uhid char device, a
> > copy_from_user() is done from a user pointer embedded in the command.
> > When the address limit is KERNEL_DS, e.g. as is the case during
> > sendfile(), this can read from kernel memory. Therefore, UHID_CREATE
> > must not be allowed in this case.
> >
> > For consistency and to make sure all current and future uhid commands
> > are covered, apply the restriction to uhid_char_write() as a whole
> > rather than to UHID_CREATE specifically.
> >
> > Thanks to Dmitry Vyukov for adding uhid definitions to syzkaller and to
> > Jann Horn for commit 9da3f2b740544 ("x86/fault: BUG() when uaccess
> > helpers fault on kernel addresses"), allowing this bug to be found.
> >
> > Reported-by: syzbot+72473edc9bf4eb1c6556@syzkaller.appspotmail.com
>
> Wheeeee, it found something! :)
>
> > Fixes: d365c6cfd337 ("HID: uhid: add UHID_CREATE and UHID_DESTROY events")
> > Cc: <stable@vger.kernel.org> # v3.6+
> > Cc: Jann Horn <jannh@google.com>
> > Signed-off-by: Eric Biggers <ebiggers@google.com>
> > ---
> > drivers/hid/uhid.c | 6 ++++++
> > 1 file changed, 6 insertions(+)
> >
> > diff --git a/drivers/hid/uhid.c b/drivers/hid/uhid.c
> > index 3c55073136064..e94c5e248b56e 100644
> > --- a/drivers/hid/uhid.c
> > +++ b/drivers/hid/uhid.c
> > @@ -705,6 +705,12 @@ static ssize_t uhid_char_write(struct file *file, const char __user *buffer,
> > int ret;
> > size_t len;
> >
> > + if (uaccess_kernel()) { /* payload may contain a __user pointer */
> > + pr_err_once("%s: process %d (%s) called from kernel context, this is not allowed.\n",
> > + __func__, task_tgid_vnr(current), current->comm);
> > + return -EACCES;
> > + }
>
> If this file can conceivably be opened by a process that doesn't have
> root privileges, this check should be something along the lines of
> ib_safe_file_access() or sg_check_file_access().
>
> Checking for uaccess_kernel() prevents the symptom that syzkaller
> notices - a user being able to cause a kernel memory access -, but it
> doesn't deal with the case where a user opens a file descriptor to
> this device and tricks a more privileged process into writing into it
> (e.g. by passing it to a suid binary as stdout or stderr).
>
Yep, I'll do that.
> Looking closer, I wonder whether this kind of behavior is limited to
> the UHID_CREATE request, which has a comment on it saying "/*
> Obsolete! Use UHID_CREATE2. */". If we could keep this kind of ugly
> kludge away from the code paths you're supposed to be using, that
> would be nice...
>
I wanted to be careful, but yes AFAICS it can be limited to UHID_CREATE only,
so I'll do that instead.
- Eric
next prev parent reply other threads:[~2018-11-14 21:54 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-11-11 18:26 BUG: GPF in non-whitelisted uaccess (non-canonical address?) syzbot
2018-11-14 0:25 ` syzbot
2018-11-14 12:20 ` David Herrmann
2018-11-14 16:52 ` Dmitry Vyukov
2018-11-14 17:14 ` Eric Biggers
2018-11-14 18:02 ` [PATCH] HID: uhid: prevent uhid_char_write() under KERNEL_DS Eric Biggers
2018-11-14 18:14 ` Dmitry Torokhov
2018-11-14 18:18 ` Jann Horn
2018-11-14 21:54 ` Eric Biggers [this message]
2018-11-14 21:55 ` [PATCH v2] HID: uhid: forbid UHID_CREATE under KERNEL_DS or elevated privileges Eric Biggers
2018-11-14 22:04 ` Jann Horn
2018-11-14 22:28 ` Dmitry Torokhov
2018-11-14 22:37 ` Jann Horn
2018-11-14 22:46 ` Dmitry Torokhov
2018-11-15 0:39 ` Andy Lutomirski
2018-11-14 23:00 ` Eric Biggers
2018-11-14 23:20 ` Dmitry Torokhov
2018-11-15 8:14 ` Benjamin Tissoires
2018-11-15 12:06 ` David Herrmann
2018-11-15 14:50 ` Andy Lutomirski
2018-11-15 12:09 ` David Herrmann
2018-11-15 14:49 ` Andy Lutomirski
2018-11-19 12:52 ` Jiri Kosina
2018-11-19 13:21 ` David Herrmann
2018-11-19 13:26 ` Jiri Kosina
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20181114215434.GB87768@gmail.com \
--to=ebiggers@kernel.org \
--cc=benjamin.tissoires@redhat.com \
--cc=dh.herrmann@googlemail.com \
--cc=dtor@google.com \
--cc=dvyukov@google.com \
--cc=jannh@google.com \
--cc=jikos@kernel.org \
--cc=linux-input@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@kernel.org \
--cc=stable@vger.kernel.org \
--cc=syzbot+72473edc9bf4eb1c6556@syzkaller.appspotmail.com \
--cc=syzkaller-bugs@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.