usb: require FMODE_WRITE for usbdev_mmap()

Message ID	20241016-usbdev-mmap-require-write-v1-1-6f8256414d5c@google.com (mailing list archive)
State	Accepted
Commit	3ea36dc8ddd72d92d737612507f98dfaf3b77c3f
Headers	show Received: from mail-ed1-f54.google.com (mail-ed1-f54.google.com [209.85.208.54]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id D01D02076B3 for <linux-usb@vger.kernel.org>; Wed, 16 Oct 2024 15:24:17 +0000 (UTC) From: Jann Horn <jannh@google.com> Date: Wed, 16 Oct 2024 17:24:06 +0200 Subject: [PATCH] usb: require FMODE_WRITE for usbdev_mmap() Precedence: bulk MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit Message-Id: <20241016-usbdev-mmap-require-write-v1-1-6f8256414d5c@google.com> To: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Cc: linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org, Jann Horn <jannh@google.com>
Series	usb: require FMODE_WRITE for usbdev_mmap() \| expand usb: require FMODE_WRITE for usbdev_mmap()

Message ID

20241016-usbdev-mmap-require-write-v1-1-6f8256414d5c@google.com (mailing list archive)

State

Accepted

Commit

3ea36dc8ddd72d92d737612507f98dfaf3b77c3f

Headers

From: Jann Horn <jannh@google.com>
Date: Wed, 16 Oct 2024 17:24:06 +0200
Subject: [PATCH] usb: require FMODE_WRITE for usbdev_mmap()
Precedence: bulk
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
Message-Id: <20241016-usbdev-mmap-require-write-v1-1-6f8256414d5c@google.com>
To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org,
 Jann Horn <jannh@google.com>

Series

usb: require FMODE_WRITE for usbdev_mmap() | expand

Commit Message

Jann Horn Oct. 16, 2024, 3:24 p.m. UTC

usbdev_mmap() creates VMAs which can only be used through
usbdev_do_ioctl(), which requires FMODE_WRITE; so usbdev_mmap() is only
useful with FMODE_WRITE.

On typical Linux systems, files at /dev/bus/usb/*/* are mode 0664, so
UIDs without any special privileges can't use usbdev_do_ioctl(), but
they can still execute the usbdev_mmap() codepath.

Check for FMODE_WRITE in usbdev_mmap() to reduce attack surface a little
bit.

Signed-off-by: Jann Horn <jannh@google.com>
---
 drivers/usb/core/devio.c | 3 +++
 1 file changed, 3 insertions(+)


---
base-commit: eca631b8fe808748d7585059c4307005ca5c5820
change-id: 20241016-usbdev-mmap-require-write-7e56d528d062

diff --git a/drivers/usb/core/devio.c b/drivers/usb/core/devio.c
index 3beb6a862e80..5363468a282f 100644
--- a/drivers/usb/core/devio.c
+++ b/drivers/usb/core/devio.c
@@ -238,6 +238,9 @@  static int usbdev_mmap(struct file *file, struct vm_area_struct *vma)
 	dma_addr_t dma_handle = DMA_MAPPING_ERROR;
 	int ret;
 
+	if (!(file->f_mode & FMODE_WRITE))
+		return -EPERM;
+
 	ret = usbfs_increase_memory_usage(size + sizeof(struct usb_memory));
 	if (ret)
 		goto error;

usb: require FMODE_WRITE for usbdev_mmap()

Commit Message

Patch