usb: iowarrior: fix infoleak in iowarrior_read()

Message ID	20240912163413.10019-1-aha310510@gmail.com (mailing list archive)
State	New
Headers	show Received: from mail-pg1-f172.google.com (mail-pg1-f172.google.com [209.85.215.172]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id B12C118732B; Thu, 12 Sep 2024 16:34:26 +0000 (UTC) From: Jeongjun Park <aha310510@gmail.com> To: gregkh@linuxfoundation.org Cc: colin.i.king@gmail.com, kees@kernel.org, gustavo@embeddedor.com, linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org, syzbot+b8080cbc8d286a5fa23a@syzkaller.appspotmail.com, Jeongjun Park <aha310510@gmail.com> Subject: [PATCH] usb: iowarrior: fix infoleak in iowarrior_read() Date: Fri, 13 Sep 2024 01:34:13 +0900 Message-Id: <20240912163413.10019-1-aha310510@gmail.com> Precedence: bulk MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	usb: iowarrior: fix infoleak in iowarrior_read() \| expand usb: iowarrior: fix infoleak in iowarrior_read()

Message ID

20240912163413.10019-1-aha310510@gmail.com (mailing list archive)

State

New

Headers

From: Jeongjun Park <aha310510@gmail.com>
To: gregkh@linuxfoundation.org
Cc: colin.i.king@gmail.com,
	kees@kernel.org,
	gustavo@embeddedor.com,
	linux-usb@vger.kernel.org,
	linux-kernel@vger.kernel.org,
	syzbot+b8080cbc8d286a5fa23a@syzkaller.appspotmail.com,
	Jeongjun Park <aha310510@gmail.com>
Subject: [PATCH] usb: iowarrior: fix infoleak in iowarrior_read()
Date: Fri, 13 Sep 2024 01:34:13 +0900
Message-Id: <20240912163413.10019-1-aha310510@gmail.com>
Precedence: bulk
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

usb: iowarrior: fix infoleak in iowarrior_read() | expand

Commit Message

Jeongjun Park Sept. 12, 2024, 4:34 p.m. UTC

The dev->read_queue buffer memory allocated from iowarrior_probe is
allocated in an uninitialized state, and it is possible to copy the
uninitialized memory area to the user buffer through iowarrior_read.

This has a risk of leaking important information, and even if it is
modified to initialize to NULL bytes when allocating memory, there is
no significant change in performance, so I think it is appropriate to
allocate memory through kcalloc instead of kmalloc_array.

KMSAN report:
=====================================================
BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline]
BUG: KMSAN: kernel-infoleak in _inline_copy_to_user include/linux/uaccess.h:180 [inline]
BUG: KMSAN: kernel-infoleak in _copy_to_user+0xbc/0x110 lib/usercopy.c:26
 instrument_copy_to_user include/linux/instrumented.h:114 [inline]
 _inline_copy_to_user include/linux/uaccess.h:180 [inline]
 _copy_to_user+0xbc/0x110 lib/usercopy.c:26
 copy_to_user include/linux/uaccess.h:209 [inline]
 iowarrior_read+0xb02/0xdc0 drivers/usb/misc/iowarrior.c:326
 vfs_read+0x2a1/0xf60 fs/read_write.c:474
 ksys_read+0x20f/0x4c0 fs/read_write.c:619
 __do_sys_read fs/read_write.c:629 [inline]
 __se_sys_read fs/read_write.c:627 [inline]
 __x64_sys_read+0x93/0xe0 fs/read_write.c:627
 x64_sys_call+0x3055/0x3ba0 arch/x86/include/generated/asm/syscalls_64.h:1
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was created at:
 slab_post_alloc_hook mm/slub.c:3998 [inline]
 slab_alloc_node mm/slub.c:4041 [inline]
 __do_kmalloc_node mm/slub.c:4161 [inline]
 __kmalloc_noprof+0x661/0xf30 mm/slub.c:4174
 kmalloc_noprof include/linux/slab.h:685 [inline]
 kmalloc_array_noprof include/linux/slab.h:726 [inline]
 iowarrior_probe+0x10ea/0x1b90 drivers/usb/misc/iowarrior.c:836
 usb_probe_interface+0xd6f/0x1350 drivers/usb/core/driver.c:399
 really_probe+0x4db/0xd90 drivers/base/dd.c:657
 __driver_probe_device+0x2ab/0x5d0 drivers/base/dd.c:799
 driver_probe_device+0x72/0x890 drivers/base/dd.c:829
 __device_attach_driver+0x568/0x9e0 drivers/base/dd.c:957
 bus_for_each_drv+0x403/0x620 drivers/base/bus.c:457
 __device_attach+0x3c1/0x650 drivers/base/dd.c:1029
 device_initial_probe+0x32/0x40 drivers/base/dd.c:1078
 bus_probe_device+0x3dc/0x5c0 drivers/base/bus.c:532
 device_add+0x13aa/0x1ba0 drivers/base/core.c:3682
 usb_set_configuration+0x31c9/0x38d0 drivers/usb/core/message.c:2210
 usb_generic_driver_probe+0x109/0x2a0 drivers/usb/core/generic.c:254
 usb_probe_device+0x3a7/0x690 drivers/usb/core/driver.c:294
 really_probe+0x4db/0xd90 drivers/base/dd.c:657
 __driver_probe_device+0x2ab/0x5d0 drivers/base/dd.c:799
 driver_probe_device+0x72/0x890 drivers/base/dd.c:829
 __device_attach_driver+0x568/0x9e0 drivers/base/dd.c:957
 bus_for_each_drv+0x403/0x620 drivers/base/bus.c:457
 __device_attach+0x3c1/0x650 drivers/base/dd.c:1029
 device_initial_probe+0x32/0x40 drivers/base/dd.c:1078
 bus_probe_device+0x3dc/0x5c0 drivers/base/bus.c:532
 device_add+0x13aa/0x1ba0 drivers/base/core.c:3682
 usb_new_device+0x15f4/0x2470 drivers/usb/core/hub.c:2651
 hub_port_connect drivers/usb/core/hub.c:5521 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5661 [inline]
 port_event drivers/usb/core/hub.c:5821 [inline]
 hub_event+0x4ffb/0x72d0 drivers/usb/core/hub.c:5903
 process_one_work kernel/workqueue.c:3231 [inline]
 process_scheduled_works+0xae0/0x1c40 kernel/workqueue.c:3312
 worker_thread+0xea7/0x14d0 kernel/workqueue.c:3389
 kthread+0x3e2/0x540 kernel/kthread.c:389
 ret_from_fork+0x6d/0x90 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

Bytes 0-72 of 73 are uninitialized
Memory access of size 73 starts at ffff88811bbc6000
Data copied to user address 0000000020000000

CPU: 0 UID: 0 PID: 5938 Comm: syz.0.15 Not tainted 6.11.0-rc7-syzkaller-g77f587896757 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
=====================================================

Reported-by: syzbot+b8080cbc8d286a5fa23a@syzkaller.appspotmail.com
Tested-by: syzbot+b8080cbc8d286a5fa23a@syzkaller.appspotmail.com
Fixes: 23feefda2239 ("usb: iowarrior: replace kmalloc with kmalloc_array")
Signed-off-by: Jeongjun Park <aha310510@gmail.com>
---
 drivers/usb/misc/iowarrior.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--

Comments

Oliver Neukum Sept. 12, 2024, 5:07 p.m. UTC | #1

On 12.09.24 18:34, Jeongjun Park wrote:
> The dev->read_queue buffer memory allocated from iowarrior_probe is
> allocated in an uninitialized state, and it is possible to copy the
> uninitialized memory area to the user buffer through iowarrior_read.

Hi,

I am very sorry, but this is not a proper fix. That this happens
shows that the driver has a bug in iowarrior_read(). Zeroing out
the buffer just papers over it.

	Regards
		Oliver

diff --git a/drivers/usb/misc/iowarrior.c b/drivers/usb/misc/iowarrior.c
index 6d28467ce352..5240e05c094e 100644
--- a/drivers/usb/misc/iowarrior.c
+++ b/drivers/usb/misc/iowarrior.c
@@ -831,9 +831,9 @@  static int iowarrior_probe(struct usb_interface *interface,
 			 dev->int_in_buffer, dev->report_size,
 			 iowarrior_callback, dev,
 			 dev->int_in_endpoint->bInterval);
-	/* create an internal buffer for interrupt data from the device */
+	/* create an internal buffer for interrupt data from the device and initialize it */
 	dev->read_queue =
-	    kmalloc_array(dev->report_size + 1, MAX_INTERRUPT_BUFFER,
+	    kcalloc(dev->report_size + 1, MAX_INTERRUPT_BUFFER,
 			  GFP_KERNEL);
 	if (!dev->read_queue)
 		goto error;

usb: iowarrior: fix infoleak in iowarrior_read()

Commit Message

Comments

Patch