From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org,
syzbot+72473edc9bf4eb1c6556@syzkaller.appspotmail.com,
Jann Horn <jannh@google.com>, Andy Lutomirski <luto@kernel.org>,
Eric Biggers <ebiggers@google.com>, Jiri Kosina <jkosina@suse.cz>
Subject: [PATCH 3.18 24/24] HID: uhid: forbid UHID_CREATE under KERNEL_DS or elevated privileges
Date: Mon, 26 Nov 2018 11:51:18 +0100 [thread overview]
Message-ID: <20181126105032.962397181@linuxfoundation.org> (raw)
In-Reply-To: <20181126105029.790599475@linuxfoundation.org>
3.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Biggers <ebiggers@google.com>
commit 8c01db7619f07c85c5cd81ec5eb83608b56c88f5 upstream.
When a UHID_CREATE command is written to the uhid char device, a
copy_from_user() is done from a user pointer embedded in the command.
When the address limit is KERNEL_DS, e.g. as is the case during
sys_sendfile(), this can read from kernel memory. Alternatively,
information can be leaked from a setuid binary that is tricked to write
to the file descriptor. Therefore, forbid UHID_CREATE in these cases.
No other commands in uhid_char_write() are affected by this bug and
UHID_CREATE is marked as "obsolete", so apply the restriction to
UHID_CREATE only rather than to uhid_char_write() entirely.
Thanks to Dmitry Vyukov for adding uhid definitions to syzkaller and to
Jann Horn for commit 9da3f2b740544 ("x86/fault: BUG() when uaccess
helpers fault on kernel addresses"), allowing this bug to be found.
Reported-by: syzbot+72473edc9bf4eb1c6556@syzkaller.appspotmail.com
Fixes: d365c6cfd337 ("HID: uhid: add UHID_CREATE and UHID_DESTROY events")
Cc: <stable@vger.kernel.org> # v3.6+
Cc: Jann Horn <jannh@google.com>
Cc: Andy Lutomirski <luto@kernel.org>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Reviewed-by: Jann Horn <jannh@google.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/hid/uhid.c | 13 +++++++++++++
1 file changed, 13 insertions(+)
--- a/drivers/hid/uhid.c
+++ b/drivers/hid/uhid.c
@@ -12,6 +12,7 @@
#include <linux/atomic.h>
#include <linux/compat.h>
+#include <linux/cred.h>
#include <linux/device.h>
#include <linux/fs.h>
#include <linux/hid.h>
@@ -24,6 +25,7 @@
#include <linux/spinlock.h>
#include <linux/uhid.h>
#include <linux/wait.h>
+#include <linux/uaccess.h>
#define UHID_NAME "uhid"
#define UHID_BUFSIZE 32
@@ -721,6 +723,17 @@ static ssize_t uhid_char_write(struct fi
switch (uhid->input_buf.type) {
case UHID_CREATE:
+ /*
+ * 'struct uhid_create_req' contains a __user pointer which is
+ * copied from, so it's unsafe to allow this with elevated
+ * privileges (e.g. from a setuid binary) or via kernel_write().
+ */
+ if (file->f_cred != current_cred() || uaccess_kernel()) {
+ pr_err_once("UHID_CREATE from different security context by process %d (%s), this is not allowed.\n",
+ task_tgid_vnr(current), current->comm);
+ ret = -EACCES;
+ goto unlock;
+ }
ret = uhid_dev_create(uhid, &uhid->input_buf);
break;
case UHID_CREATE2:
next prev parent reply other threads:[~2018-11-26 10:53 UTC|newest]
Thread overview: 30+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-11-26 10:50 [PATCH 3.18 00/24] 3.18.127-stable review Greg Kroah-Hartman
2018-11-26 10:50 ` [PATCH 3.18 01/24] net-gro: reset skb->pkt_type in napi_reuse_skb() Greg Kroah-Hartman
2018-11-26 10:50 ` [PATCH 3.18 02/24] reiserfs: propagate errors from fill_with_dentries() properly Greg Kroah-Hartman
2018-11-26 10:50 ` [PATCH 3.18 03/24] hfs: prevent btree data loss on root split Greg Kroah-Hartman
2018-11-26 10:50 ` [PATCH 3.18 04/24] hfsplus: " Greg Kroah-Hartman
2018-11-26 10:50 ` [PATCH 3.18 05/24] um: Give start_idle_thread() a return code Greg Kroah-Hartman
2018-11-26 10:51 ` [PATCH 3.18 06/24] fs/exofs: fix potential memory leak in mount option parsing Greg Kroah-Hartman
2018-11-26 10:51 ` [PATCH 3.18 07/24] clk: samsung: exynos5420: Enable PERIS clocks for suspend Greg Kroah-Hartman
2018-11-26 10:51 ` [PATCH 3.18 08/24] s390/vdso: add missing FORCE to build targets Greg Kroah-Hartman
2018-11-26 10:51 ` [PATCH 3.18 09/24] lib/raid6: Fix arm64 test build Greg Kroah-Hartman
2018-11-26 10:51 ` [PATCH 3.18 10/24] i2c: omap: Enable for ARCH_K3 Greg Kroah-Hartman
2018-11-26 10:51 ` [PATCH 3.18 11/24] zram: close udev startup race condition as default groups Greg Kroah-Hartman
2018-11-26 10:51 ` [PATCH 3.18 12/24] Revert "Revert "drm/i915: Fix mutex->owner inspection race under DEBUG_MUTEXES"" Greg Kroah-Hartman
2018-11-26 10:51 ` [PATCH 3.18 13/24] SUNRPC: drop pointless static qualifier in xdr_get_next_encode_buffer() Greg Kroah-Hartman
2018-11-26 10:51 ` [PATCH 3.18 14/24] Revert "Bluetooth: h5: Fix missing dependency on BT_HCIUART_SERDEV" Greg Kroah-Hartman
2018-11-26 10:51 ` [PATCH 3.18 15/24] media: v4l: event: Add subscription to list before calling "add" operation Greg Kroah-Hartman
2018-11-26 10:51 ` [PATCH 3.18 16/24] uio: Fix an Oops on load Greg Kroah-Hartman
2018-11-26 10:51 ` [PATCH 3.18 17/24] usb: cdc-acm: add entry for Hiro (Conexant) modem Greg Kroah-Hartman
2018-11-26 10:51 ` [PATCH 3.18 18/24] USB: quirks: Add no-lpm quirk for Raydium touchscreens Greg Kroah-Hartman
2018-11-26 10:51 ` [PATCH 3.18 19/24] usb: quirks: Add delay-init quirk for Corsair K70 LUX RGB Greg Kroah-Hartman
2018-11-26 10:51 ` [PATCH 3.18 20/24] misc: atmel-ssc: Fix section annotation on atmel_ssc_get_driver_data Greg Kroah-Hartman
2018-11-26 10:51 ` [PATCH 3.18 21/24] USB: misc: appledisplay: add 20" Apple Cinema Display Greg Kroah-Hartman
2018-11-26 10:51 ` [PATCH 3.18 22/24] ACPI / platform: Add SMB0001 HID to forbidden_id_list Greg Kroah-Hartman
2018-11-26 10:51 ` [PATCH 3.18 23/24] new helper: uaccess_kernel() Greg Kroah-Hartman
2018-11-26 10:51 ` Greg Kroah-Hartman [this message]
2018-11-26 16:29 ` [PATCH 3.18 00/24] 3.18.127-stable review kernelci.org bot
2018-11-26 17:53 ` Harsh Shandilya
2018-11-27 10:01 ` Greg Kroah-Hartman
2018-11-26 19:03 ` Guenter Roeck
2018-11-26 23:51 ` shuah
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20181126105032.962397181@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=ebiggers@google.com \
--cc=jannh@google.com \
--cc=jkosina@suse.cz \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@kernel.org \
--cc=stable@vger.kernel.org \
--cc=syzbot+72473edc9bf4eb1c6556@syzkaller.appspotmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox