From: Pavel Machek <pavel@ucw.cz>
To: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Cc: Anatoly Trosinenko <anatoly.trosinenko@gmail.com>,
Jiri Kosina <jikos@kernel.org>,
lkml <linux-kernel@vger.kernel.org>,
"open list:HID CORE LAYER" <linux-input@vger.kernel.org>,
Roderick Colenbrander <thunderbird2k@gmail.com>
Subject: Re: NULL pointer dereference when writing fuzzed data to /dev/uhid
Date: Mon, 14 Jan 2019 00:09:46 +0100 [thread overview]
Message-ID: <20190113230946.GA18710@amd> (raw)
In-Reply-To: <CAO-hwJK29V7gT3WQXLvsM5qaQgRLsgm2HAnR81vtkrrQAsCuEg@mail.gmail.com>
[-- Attachment #1: Type: text/plain, Size: 1244 bytes --]
Hi!
I just want to note that while these may not be high-priority, they
are still security holes to be fixed.
> > When writing the attached file to /dev/uhid, a NULL dereference occurs
> > in kernel. As I understand, the problem is not UHID-specific, but is
> > related to HID subsystem.
>
> Thanks for the report.
> I wanted to tell you that I started investigating the other private
> report you sent us, but couldn't find the time to properly come with a
> fix as the fuzzed data is hard to discriminate from valid data.
>
> A couple of notes though:
> - writing to uhid needs to be done by root. Any distribution that
> doesn't enforce that is doomed to have several security issues
We want to protect kernel from root, too.
> - we could somehow reproduce those fuzzed data on a USB or Bluetooth
> connection, but that would require physical access to the device, so
> you are doomed also
Not neccessarily. Imagine a kiosk where PC is protected but keyboard
uses USB connection. If our USB stack is buggy, you are doomed... but
you should not be ;-).
Pavel
--
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html
[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 181 bytes --]
next prev parent reply other threads:[~2019-01-13 23:09 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-01-04 12:32 NULL pointer dereference when writing fuzzed data to /dev/uhid Anatoly Trosinenko
2019-01-04 13:25 ` Benjamin Tissoires
2019-01-04 13:47 ` Anatoly Trosinenko
2019-01-04 16:38 ` Roderick Colenbrander
2019-01-04 17:04 ` Anatoly Trosinenko
2019-01-04 21:35 ` Roderick Colenbrander
2019-01-13 23:09 ` Pavel Machek [this message]
2019-01-14 14:23 ` Anatoly Trosinenko
2019-01-14 14:55 ` Benjamin Tissoires
2019-01-14 15:00 ` Anatoly Trosinenko
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190113230946.GA18710@amd \
--to=pavel@ucw.cz \
--cc=anatoly.trosinenko@gmail.com \
--cc=benjamin.tissoires@redhat.com \
--cc=jikos@kernel.org \
--cc=linux-input@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=thunderbird2k@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).