From patchwork Sat May 5 04:17:29 2018
X-Patchwork-Submitter: Wenwen Wang
X-Patchwork-Id: 10381985
From: Wenwen Wang
To: Wenwen Wang
Cc: Kangjie Lu, David Herrmann, Jiri Kosina, Benjamin Tissoires, linux-input@vger.kernel.org (open list:UHID USERSPACE HID IO DRIVER:), linux-kernel@vger.kernel.org (open list)
Subject: [PATCH] HID: uhid: fix a missing-check bug
Date: Fri, 4 May 2018 23:17:29 -0500
Message-Id: <1525493850-6952-1-git-send-email-wang6495@umn.edu>
X-Mailer: git-send-email 2.7.4
X-Mailing-List: linux-input@vger.kernel.org

In uhid_event_from_user(), if it is in_compat_syscall(), the 'type' of the event is first fetched from the 'buffer' in userspace and checked. If the 'type' is UHID_CREATE, it is a messed-up request with a compat pointer, which could be more than 256 bytes, so it is better allocated from the heap, as mentioned in the comment. Its fields are then prepared one by one instead of using a whole copy. For all other cases, the event object is copied directly from user space. In other words, based on the 'type', the memory size and structure of the event object vary.

Given that the 'buffer' resides in userspace, a malicious userspace process can race to change the 'type' between the two copies, which will cause inconsistency issues, potentially security issues. Plus, various operations such as uhid_dev_destroy() and uhid_dev_input() are performed based on 'type' in the function uhid_char_write(). If 'type' is modified by the user, there could be some issues such as uninitialized uses.

To fix this problem, we need to recheck the type after the second fetch to make sure it is not UHID_CREATE.

Signed-off-by: Wenwen Wang
---
 drivers/hid/uhid.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/drivers/hid/uhid.c b/drivers/hid/uhid.c index 3c55073..0220385 100644 --- a/drivers/hid/uhid.c +++ b/drivers/hid/uhid.c @@ -447,11 +447,17 @@ static int uhid_event_from_user(const char __user *buffer, size_t len, event->u.create.country = compat->country; kfree(compat); - return 0; + } else { + if (copy_from_user(event, buffer, + min(len, sizeof(*event)))) + return -EFAULT; + if (event->type == UHID_CREATE) + return -EINVAL; } - /* All others can be copied directly */ + return 0; } + /* Others can be copied directly */ if (copy_from_user(event, buffer, min(len, sizeof(*event)))) return -EFAULT;
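Review bot: The new `else` branch duplicates the `copy_from_user(event, buffer, min(len, sizeof(*event)))` that already follows the `in_compat_syscall()` block, so the hunk spends eight added lines and a second early `return 0` on a check that fits after the single shared copy; consider leaving the original fall-through in place and adding `if (in_compat_syscall() && event->type == UHID_CREATE) return -EINVAL;` right after that copy. The -EINVAL itself is the right outcome for the race the commit message describes: a type that turned into UHID_CREATE between the two fetches would otherwise be parsed with the native layout although userspace laid the request out as the compat one. Two smaller points: the relocated comment `/* Others can be copied directly */` now sits on the native-syscall-only path, so it should say that rather than refer to "others", and the commit message could state why only UHID_CREATE needs rechecking (every other type shares one layout that the whole-event copy fetches in a single copy_from_user), since it currently hints at "uninitialized uses" for any modified type.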
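The double fetch the commit message describes and the recheck the patch adds, as an added user-space C model that is not the kernel's code: demo_event_from_user(), demo_copy_from_user(), the demo type values and the between_fetches hook (which stands in for a racing thread) are all constructed here.

```c
/* Added example, not the kernel's code: a user-space model of the double fetch in
 * uhid_event_from_user() and the patch's recheck. Type values, layout, hook: constructed. */
#include <errno.h>
#include <stdint.h>
#include <string.h>

enum { DEMO_UHID_CREATE = 0, DEMO_UHID_INPUT = 8 };  /* demo values */
struct demo_event {
	uint32_t type;
	uint8_t payload[12];  /* stands in for the kernel's union */
};
/* Simulated user memory: a hook may rewrite it between the two fetches,
 * standing in for a racing second thread. */
struct user_mem {
	uint8_t buf[sizeof(struct demo_event)];
	void (*between_fetches)(struct user_mem *um);
};

static int demo_copy_from_user(void *dst, const struct user_mem *um, size_t n)
{
	if (n > sizeof(um->buf))
		return -1;  /* models a faulting user pointer */
	memcpy(dst, um->buf, n);
	return 0;
}

/* Mirrors the patched compat path: fetch 'type'; CREATE is built field by
 * field (modelled by zeroing), anything else is copied whole and rechecked. */
int demo_event_from_user(struct user_mem *um, struct demo_event *ev)
{
	uint32_t type;
	if (demo_copy_from_user(&type, um, sizeof(type)))
		return -EFAULT;
	if (type == DEMO_UHID_CREATE) {
		memset(ev, 0, sizeof(*ev));
		ev->type = type;
		return 0;
	}
	if (um->between_fetches)
		um->between_fetches(um);  /* the race window */
	if (demo_copy_from_user(ev, um, sizeof(*ev)))
		return -EFAULT;
	return ev->type == DEMO_UHID_CREATE ? -EINVAL : 0;  /* the patch's recheck */
}

void demo_flip_to_create(struct user_mem *um)  /* the racing writer */
{
	uint32_t t = DEMO_UHID_CREATE;
	memcpy(um->buf, &t, sizeof(t));
}
```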