From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, "Dmitry Vyukov", stable, syzbot+23f57c5ae902429285d7@syzkaller.appspotmail.com, Tadeusz Struk, PaX Team
Subject: [PATCH 4.9 025/159] usb: mon: make mmapped memory read only
Date: Mon, 24 Oct 2022 13:29:39 +0200
Message-Id: <20221024112950.324575967@linuxfoundation.org>
In-Reply-To: <20221024112949.358278806@linuxfoundation.org>
References: <20221024112949.358278806@linuxfoundation.org>

From: Tadeusz Struk

commit a659daf63d16aa883be42f3f34ff84235c302198 upstream.

Syzbot found an issue in usbmon module, where the user space client can
corrupt the monitor's internal memory, causing the usbmon module to
crash the kernel with segfault, UAF, etc.

The reproducer mmaps the /dev/usbmon memory to user space, and
overwrites it with arbitrary data, which causes all kinds of issues.

Return an -EPERM error from mon_bin_mmap() if the flag VM_WRITE is set.
Also clear VM_MAYWRITE to make it impossible to change it to writable
later.

Cc: "Dmitry Vyukov"
Cc: stable
Fixes: 6f23ee1fefdc ("USB: add binary API to usbmon")
Suggested-by: PaX Team # for the VM_MAYWRITE portion
Link: https://syzkaller.appspot.com/bug?id=2eb1f35d6525fa4a74d75b4244971e5b1411c95a
Reported-by: syzbot+23f57c5ae902429285d7@syzkaller.appspotmail.com
Signed-off-by: Tadeusz Struk
Link: https://lore.kernel.org/r/20220919215957.205681-1-tadeusz.struk@linaro.org
Signed-off-by: Greg Kroah-Hartman
---
 drivers/usb/mon/mon_bin.c | 5 +++++
 1 file changed, 5 insertions(+)

--- a/drivers/usb/mon/mon_bin.c +++ b/drivers/usb/mon/mon_bin.c @@ -1265,6 +1265,11 @@ static int mon_bin_mmap(struct file *fil { /* don't do anything here: "fault" will set up page table entries */ vma->vm_ops = &mon_bin_vm_ops; + + if (vma->vm_flags & VM_WRITE) + return -EPERM; + + vma->vm_flags &= ~VM_MAYWRITE; vma->vm_flags |= VM_DONTEXPAND | VM_DONTDUMP; vma->vm_private_data = filp->private_data; mon_bin_vma_open(vma);
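
Review bot: the VM_WRITE check is placed after `vma->vm_ops = &mon_bin_vm_ops;`, so the -EPERM return leaves a vma whose vm_ops has already been set; moving the check to the top of mon_bin_mmap() would let the rejected path return without touching the vma at all. The `vma->vm_flags &= ~VM_MAYWRITE;` line would also benefit from a one-line comment saying it prevents the mapping from being changed to writable later, as the commit message explains, because the only comment in the function still reads "don't do anything here" while the function now rejects and alters mappings.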