From patchwork Wed Jan 25 20:06:11 2023
X-Patchwork-Submitter: Yuxuan Luo
X-Patchwork-Id: 1731840
From: Yuxuan Luo
To: kernel-team@lists.ubuntu.com
Subject: [PATCH 1/1] usb: mon: make mmapped memory read only
Date: Wed, 25 Jan 2023 15:06:11 -0500
Message-Id: <20230125200611.25468-2-yuxuan.luo@canonical.com>
In-Reply-To: <20230125200611.25468-1-yuxuan.luo@canonical.com>
References: <20230125200611.25468-1-yuxuan.luo@canonical.com>

From: Tadeusz Struk

Syzbot found an issue in the usbmon module, where the user space client can
corrupt the monitor's internal memory, causing the usbmon module to crash
the kernel with segfault, UAF, etc.
The reproducer mmaps the /dev/usbmon memory to user space, and overwrites
it with arbitrary data, which causes all kinds of issues.
Return an -EPERM error from mon_bin_mmap() if the flag VM_WRITE is set.
Also clear VM_MAYWRITE to make it impossible to change it to writable later.

Cc: "Dmitry Vyukov"
Cc: stable
Fixes: 6f23ee1fefdc ("USB: add binary API to usbmon")
Suggested-by: PaX Team # for the VM_MAYWRITE portion
Link: https://syzkaller.appspot.com/bug?id=2eb1f35d6525fa4a74d75b4244971e5b1411c95a
Reported-by: syzbot+23f57c5ae902429285d7@syzkaller.appspotmail.com
Signed-off-by: Tadeusz Struk
Link: https://lore.kernel.org/r/20220919215957.205681-1-tadeusz.struk@linaro.org
Signed-off-by: Greg Kroah-Hartman
(cherry picked from commit a659daf63d16aa883be42f3f34ff84235c302198)
CVE-2022-43750
Signed-off-by: Yuxuan Luo --- drivers/usb/mon/mon_bin.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/usb/mon/mon_bin.c b/drivers/usb/mon/mon_bin.c index f48a23adbc35d..094e812e9e692 100644 --- a/drivers/usb/mon/mon_bin.c +++ b/drivers/usb/mon/mon_bin.c @@ -1268,6 +1268,11 @@ static int mon_bin_mmap(struct file *filp, struct vm_area_struct *vma) { /* don't do anything here: "fault" will set up page table entries */ vma->vm_ops = &mon_bin_vm_ops; + + if (vma->vm_flags & VM_WRITE) + return -EPERM; + + vma->vm_flags &= ~VM_MAYWRITE; vma->vm_flags |= VM_DONTEXPAND | VM_DONTDUMP; vma->vm_private_data = filp->private_data; mon_bin_vma_open(vma);
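Review bot: the early `return -EPERM` sits after `vma->vm_ops = &mon_bin_vm_ops;`, so the VMA is partly initialised before the function bails out; the mm core discards the VMA when ->mmap fails, so this is harmless, but placing the `if (vma->vm_flags & VM_WRITE)` check as the first statement of mon_bin_mmap() would make the fail-fast intent obvious and keep the "fault will set up page table entries" comment next to the vm_ops assignment it describes. The two-part logic is right for the bug in the commit message: refusing VM_WRITE blocks PROT_WRITE at mmap() time, and clearing VM_MAYWRITE before the existing `vma->vm_flags |= VM_DONTEXPAND | VM_DONTDUMP;` line is what stops a later mprotect(PROT_WRITE) from re-enabling writes. Direct manipulation of vma->vm_flags is consistent with the surrounding code in this tree.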