Re: BUG: bad usercopy in hidraw_ioctl

[Kees Cook <keescook@chromium.org>]

On Thu, Aug 08, 2019 at 02:49:25AM +0100, Al Viro wrote:
> On Wed, Aug 07, 2019 at 12:58:21PM -0700, Matthew Wilcox wrote:
> > On Wed, Aug 07, 2019 at 12:28:06PM -0700, syzbot wrote:
> > > usercopy: Kernel memory exposure attempt detected from wrapped address
> > > (offset 0, size 0)!
> > > ------------[ cut here ]------------
> > > kernel BUG at mm/usercopy.c:98!
> > 
> > This report is confusing because the arguments to usercopy_abort() are wrong.
> > 
> >         /* Reject if object wraps past end of memory. */
> >         if (ptr + n < ptr)
> >                 usercopy_abort("wrapped address", NULL, to_user, 0, ptr + n);

(Just to reiterate for this branch of the thread: this is an off-by-one
false positive already fixed in -mm for -next. However, see below...)

> > 
> > ptr + n is not 'size', it's what wrapped.  I don't know what 'offset'
> > should be set to, but 'size' should be 'n'.  Presumably we don't want to
> > report 'ptr' because it'll leak a kernel address ... reporting 'n' will
> > leak a range for a kernel address, but I think that's OK?  Admittedly an
> > attacker can pass in various values for 'n', but it'll be quite noisy
> > and leave a trace in the kernel logs for forensics to find afterwards.
> > 
> > > Call Trace:
> > >  check_bogus_address mm/usercopy.c:151 [inline]
> > >  __check_object_size mm/usercopy.c:260 [inline]
> > >  __check_object_size.cold+0xb2/0xba mm/usercopy.c:250
> > >  check_object_size include/linux/thread_info.h:119 [inline]
> > >  check_copy_size include/linux/thread_info.h:150 [inline]
> > >  copy_to_user include/linux/uaccess.h:151 [inline]
> > >  hidraw_ioctl+0x38c/0xae0 drivers/hid/hidraw.c:392
> > 
> > The root problem would appear to be:
> > 
> >                                 else if (copy_to_user(user_arg + offsetof(
> >                                         struct hidraw_report_descriptor,
> >                                         value[0]),
> >                                         dev->hid->rdesc,
> >                                         min(dev->hid->rsize, len)))
> > 
> > That 'min' should surely be a 'max'?
> 
> Surely not.  ->rsize is the amount of data available to copy out; len
> is the size of buffer supplied by userland to copy into.

include/uapi/linux/hid.h:#define HID_MAX_DESCRIPTOR_SIZE 4096

drivers/hid/hidraw.c:
                        if (get_user(len, (int __user *)arg))
                                ret = -EFAULT;
                        else if (len > HID_MAX_DESCRIPTOR_SIZE - 1)
                                ret = -EINVAL;
                        else if (copy_to_user(user_arg + offsetof(
                                struct hidraw_report_descriptor,
                                value[0]),
                                dev->hid->rdesc,
                                min(dev->hid->rsize, len)))
                                ret = -EFAULT;

The copy size must be less than 4096, which means dev->hid->rdesc is
allocated at the highest page of memory. That whole space collides with
the ERR_PTR region which has two bad potential side-effects:

1) something that checks for ERR_PTRs combined with a high allocation
will think it failed and leak the allocation.

2) something that doesn't check ERR_PTRs might try to stomp on an actual
allocation in that area.

How/why is there memory allocated there, I thought it was intentionally
left unused specifically for ERR_PTR:

Documentation/x86/x86_64/mm.rst:

     Start addr    | Offset |     End addr     | Size  | VM area description
  ==========================================================================
  ...
  ffffffffffe00000 | -2  MB | ffffffffffffffff |  2 MB | ...unused hole


or is this still a real bug with an invalid dev->hid->rdesc which was
about to fault but usercopy got in the way first?

-- 
Kees Cook