From patchwork Thu Nov 17 15:45:42 2022
X-Patchwork-Submitter: Yuxuan Luo
X-Patchwork-Id: 1705137
From: Yuxuan Luo
To: kernel-team@lists.ubuntu.com
Subject: [PATCH 1/1] usb: mon: make mmapped memory read only
Date: Thu, 17 Nov 2022 10:45:42 -0500
Message-Id: <20221117154542.9567-2-yuxuan.luo@canonical.com>
In-Reply-To: <20221117154542.9567-1-yuxuan.luo@canonical.com>
References: <20221117154542.9567-1-yuxuan.luo@canonical.com>

From: Tadeusz Struk

Syzbot found an issue in the usbmon module, where the user space client can
corrupt the monitor's internal memory, causing the usbmon module to crash the
kernel with segfault, UAF, etc.
The reproducer mmaps the /dev/usbmon memory to user space, and overwrites it
with arbitrary data, which causes all kinds of issues.
Return an -EPERM error from mon_bin_mmap() if the flag VM_WRITE is set.
Also clear VM_MAYWRITE to make it impossible to change it to writable later.

Cc: "Dmitry Vyukov"
Cc: stable
Fixes: 6f23ee1fefdc ("USB: add binary API to usbmon")
Suggested-by: PaX Team # for the VM_MAYWRITE portion
Link: https://syzkaller.appspot.com/bug?id=2eb1f35d6525fa4a74d75b4244971e5b1411c95a
Reported-by: syzbot+23f57c5ae902429285d7@syzkaller.appspotmail.com
Signed-off-by: Tadeusz Struk
Link: https://lore.kernel.org/r/20220919215957.205681-1-tadeusz.struk@linaro.org
Signed-off-by: Greg Kroah-Hartman
(cherry picked from commit a659daf63d16aa883be42f3f34ff84235c302198)
CVE-2022-43750
Signed-off-by: Yuxuan Luo --- drivers/usb/mon/mon_bin.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/usb/mon/mon_bin.c b/drivers/usb/mon/mon_bin.c index f48a23adbc35..094e812e9e69 100644 --- a/drivers/usb/mon/mon_bin.c +++ b/drivers/usb/mon/mon_bin.c @@ -1268,6 +1268,11 @@ static int mon_bin_mmap(struct file *filp, struct vm_area_struct *vma) { /* don't do anything here: "fault" will set up page table entries */ vma->vm_ops = &mon_bin_vm_ops; + + if (vma->vm_flags & VM_WRITE) + return -EPERM; + + vma->vm_flags &= ~VM_MAYWRITE; vma->vm_flags |= VM_DONTEXPAND | VM_DONTDUMP; vma->vm_private_data = filp->private_data; mon_bin_vma_open(vma);
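Review bot: the new `if (vma->vm_flags & VM_WRITE) return -EPERM;` is placed after `vma->vm_ops = &mon_bin_vm_ops;`, so the handler installs its vm_ops and only then rejects the mapping; the mapping is torn down on error, so this is harmless, but doing the VM_WRITE check before anything is attached to the vma reads cleaner and follows the usual validate-then-configure order. The only comment in the function still reads "don't do anything here: 'fault' will set up page table entries", which no longer describes the function now that it enforces a read-only mapping; a one-line comment on the new lines stating that the monitor buffer is exported read-only and that VM_MAYWRITE is cleared so a later mprotect(PROT_WRITE) cannot reintroduce write access would keep that rationale with the code rather than only in the commit message.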
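A regression check a kernel team could run against a patched kernel, added here and not part of the patch or the usbmon driver: it asks for a writable shared mapping of the monitor node and then tries to upgrade a read-only mapping with mprotect, expecting EPERM from the new VM_WRITE check and EACCES because VM_MAYWRITE has been cleared. The device path /dev/usbmon0 and read/write permission on that node are assumptions; nothing is ever written through the mapping.

```c
/* Added regression check for the usbmon read-only mapping fix; not part of the
 * patch. "/dev/usbmon0" (all-buses monitor node) is an assumption and needs r/w
 * permission. Nothing is written through the mapping; only verdicts are read. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/mman.h>
#include <unistd.h>
enum verdict { MON_UNAVAILABLE, MON_WRITABLE, MON_UPGRADABLE, MON_READ_ONLY };

/* Patched kernel: PROT_WRITE mmap fails with EPERM (VM_WRITE check) and, as
 * VM_MAYWRITE is cleared, mprotect(PROT_WRITE) on a RO mapping fails with EACCES. */
enum verdict classify(int mmap_rw_errno, int mprotect_errno)
{
    if (mmap_rw_errno == 0)
        return MON_WRITABLE;    /* unpatched: writable shared mapping granted */
    if (mprotect_errno == 0)
        return MON_UPGRADABLE;  /* mapping can still be flipped to writable */
    return MON_READ_ONLY;
}

enum verdict check_usbmon_mapping(const char *path)
{
    long pg = sysconf(_SC_PAGESIZE);
    int mmap_rw_errno = 0, mprotect_errno = 0;
    int fd = open(path, O_RDWR); /* O_RDWR so the VFS does not veto PROT_WRITE */
    if (fd < 0)
        return MON_UNAVAILABLE;
    void *rw = mmap(NULL, pg, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    if (rw == MAP_FAILED)
        mmap_rw_errno = errno;
    else
        munmap(rw, pg);
    void *ro = mmap(NULL, pg, PROT_READ, MAP_SHARED, fd, 0);
    if (ro == MAP_FAILED) {     /* a read-only mapping must work on any kernel */
        close(fd);
        return MON_UNAVAILABLE;
    }
    if (mprotect(ro, pg, PROT_READ | PROT_WRITE) != 0)
        mprotect_errno = errno;
    munmap(ro, pg);
    close(fd);
    return classify(mmap_rw_errno, mprotect_errno);
}

int main(void)
{
    enum verdict v = check_usbmon_mapping("/dev/usbmon0");
    printf("verdict %d (0 unavailable, 1 writable, 2 upgradable, 3 read-only)\n", v);
    return (v == MON_READ_ONLY || v == MON_UNAVAILABLE) ? 0 : 1;
}
```

Exit status 1 flags a kernel that still hands out a writable or upgradable mapping; run it as a user permitted to open the monitor node.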