Re: BUG: bad usercopy in hidraw_ioctl
From: Al Viro
Date: Wed Aug 07 2019 - 21:49:49 EST
On Wed, Aug 07, 2019 at 12:58:21PM -0700, Matthew Wilcox wrote:
> On Wed, Aug 07, 2019 at 12:28:06PM -0700, syzbot wrote:
> > usercopy: Kernel memory exposure attempt detected from wrapped address
> > (offset 0, size 0)!
> > ------------[ cut here ]------------
> > kernel BUG at mm/usercopy.c:98!
>
> This report is confusing because the arguments to usercopy_abort() are wrong.
>
> /* Reject if object wraps past end of memory. */
> if (ptr + n < ptr)
> usercopy_abort("wrapped address", NULL, to_user, 0, ptr + n);
>
> ptr + n is not 'size', it's what wrapped. I don't know what 'offset'
> should be set to, but 'size' should be 'n'. Presumably we don't want to
> report 'ptr' because it'll leak a kernel address ... reporting 'n' will
> leak a range for a kernel address, but I think that's OK? Admittedly an
> attacker can pass in various values for 'n', but it'll be quite noisy
> and leave a trace in the kernel logs for forensics to find afterwards.
>
> > Call Trace:
> > check_bogus_address mm/usercopy.c:151 [inline]
> > __check_object_size mm/usercopy.c:260 [inline]
> > __check_object_size.cold+0xb2/0xba mm/usercopy.c:250
> > check_object_size include/linux/thread_info.h:119 [inline]
> > check_copy_size include/linux/thread_info.h:150 [inline]
> > copy_to_user include/linux/uaccess.h:151 [inline]
> > hidraw_ioctl+0x38c/0xae0 drivers/hid/hidraw.c:392
>
> The root problem would appear to be:
>
> else if (copy_to_user(user_arg + offsetof(
> struct hidraw_report_descriptor,
> value[0]),
> dev->hid->rdesc,
> min(dev->hid->rsize, len)))
>
> That 'min' should surely be a 'max'?
Surely not. ->rsize is the amount of data available to copy out; len
is the size of buffer supplied by userland to copy into.
BTW, why is it playing those games with offsetof, anyway? What's wrong
with
struct hidraw_report_descriptor __user *p = user_arg;
...
get_user(&p->size)
...
copy_to_user(p->value, ...)