| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 6 Jun 2019 16:27:27 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: "Eric W. Biederman" <ebiederm@...ssion.com>
Cc: Alan Stern <stern@...land.harvard.edu>, linux-usb@...r.kernel.org,
Oliver Neukum <oneukum@...e.com>, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] signal/usb: Replace kill_pid_info_as_cred with
kill_pid_usb_asyncio
On Tue, May 21, 2019 at 07:40:35AM -0500, Eric W. Biederman wrote:
>
> The usb support for asyncio encoded one of it's values in the wrong
> field. It should have used si_value but instead used si_addr which is
> not present in the _rt union member of struct siginfo.
>
> The practical result of this is that on a 64bit big endian kernel
> when delivering a signal to a 32bit process the si_addr field
> is set to NULL, instead of the expected pointer value.
>
> This issue can not be fixed in copy_siginfo_to_user32 as the usb
> usage of the the _sigfault (aka si_addr) member of the siginfo
> union when SI_ASYNCIO is set is incompatible with the POSIX and
> glibc usage of the _rt member of the siginfo union.
>
> Therefore replace kill_pid_info_as_cred with kill_pid_usb_asyncio a
> dedicated function for this one specific case. There are no other
> users of kill_pid_info_as_cred so this specialization should have no
> impact on the amount of code in the kernel. Have kill_pid_usb_asyncio
> take instead of a siginfo_t which is difficult and error prone, 3
> arguments, a signal number, an errno value, and an address enconded as
> a sigval_t. The encoding of the address as a sigval_t allows the
> code that reads the userspace request for a signal to handle this
> compat issue along with all of the other compat issues.
>
> Add BUILD_BUG_ONs in kernel/signal.c to ensure that we can now place
> the pointer value at the in si_pid (instead of si_addr). That is the
> code now verifies that si_pid and si_addr always occur at the same
> location. Further the code veries that for native structures a value
> placed in si_pid and spilling into si_uid will appear in userspace in
> si_addr (on a byte by byte copy of siginfo or a field by field copy of
> siginfo). The code also verifies that for a 64bit kernel and a 32bit
> userspace the 32bit pointer will fit in si_pid.
>
> I have used the usbsig.c program below written by Alan Stern and
> slightly tweaked by me to run on a big endian machine to verify the
> issue exists (on sparc64) and to confirm the patch below fixes the issue.
>
> /* usbsig.c -- test USB async signal delivery */
>
> static struct usbdevfs_urb urb;
> static struct usbdevfs_disconnectsignal ds;
> static volatile sig_atomic_t done = 0;
>
> void urb_handler(int sig, siginfo_t *info , void *ucontext)
> {
> printf("Got signal %d, signo %d errno %d code %d addr: %p urb: %p\n",
> sig, info->si_signo, info->si_errno, info->si_code,
> info->si_addr, &urb);
>
> printf("%s\n", (info->si_addr == &urb) ? "Good" : "Bad");
> }
>
> void ds_handler(int sig, siginfo_t *info , void *ucontext)
> {
> printf("Got signal %d, signo %d errno %d code %d addr: %p ds: %p\n",
> sig, info->si_signo, info->si_errno, info->si_code,
> info->si_addr, &ds);
>
> printf("%s\n", (info->si_addr == &ds) ? "Good" : "Bad");
> done = 1;
> }
>
> int main(int argc, char **argv)
> {
> char *devfilename;
> int fd;
> int rc;
> struct sigaction act;
> struct usb_ctrlrequest *req;
> void *ptr;
> char buf[80];
>
> if (argc != 2) {
> fprintf(stderr, "Usage: usbsig device-file-name\n");
> return 1;
> }
>
> devfilename = argv[1];
> fd = open(devfilename, O_RDWR);
> if (fd == -1) {
> perror("Error opening device file");
> return 1;
> }
>
> act.sa_sigaction = urb_handler;
> sigemptyset(&act.sa_mask);
> act.sa_flags = SA_SIGINFO;
>
> rc = sigaction(SIGUSR1, &act, NULL);
> if (rc == -1) {
> perror("Error in sigaction");
> return 1;
> }
>
> act.sa_sigaction = ds_handler;
> sigemptyset(&act.sa_mask);
> act.sa_flags = SA_SIGINFO;
>
> rc = sigaction(SIGUSR2, &act, NULL);
> if (rc == -1) {
> perror("Error in sigaction");
> return 1;
> }
>
> memset(&urb, 0, sizeof(urb));
> urb.type = USBDEVFS_URB_TYPE_CONTROL;
> urb.endpoint = USB_DIR_IN | 0;
> urb.buffer = buf;
> urb.buffer_length = sizeof(buf);
> urb.signr = SIGUSR1;
>
> req = (struct usb_ctrlrequest *) buf;
> req->bRequestType = USB_DIR_IN | USB_TYPE_STANDARD | USB_RECIP_DEVICE;
> req->bRequest = USB_REQ_GET_DESCRIPTOR;
> req->wValue = htole16(USB_DT_DEVICE << 8);
> req->wIndex = htole16(0);
> req->wLength = htole16(sizeof(buf) - sizeof(*req));
>
> rc = ioctl(fd, USBDEVFS_SUBMITURB, &urb);
> if (rc == -1) {
> perror("Error in SUBMITURB ioctl");
> return 1;
> }
>
> rc = ioctl(fd, USBDEVFS_REAPURB, &ptr);
> if (rc == -1) {
> perror("Error in REAPURB ioctl");
> return 1;
> }
>
> memset(&ds, 0, sizeof(ds));
> ds.signr = SIGUSR2;
> ds.context = &ds;
> rc = ioctl(fd, USBDEVFS_DISCSIGNAL, &ds);
> if (rc == -1) {
> perror("Error in DISCSIGNAL ioctl");
> return 1;
> }
>
> printf("Waiting for usb disconnect\n");
> while (!done) {
> sleep(1);
> }
>
> close(fd);
> return 0;
> }
>
> Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
> Cc: linux-usb@...r.kernel.org
> Cc: Alan Stern <stern@...land.harvard.edu>
> Cc: Oliver Neukum <oneukum@...e.com>
> Fixes: v2.3.39
> Cc: stable@...r.kernel.org
> Signed-off-by: "Eric W. Biederman" <ebiederm@...ssion.com>
> ---
Ugh, what a mess, thanks for doing this work:
Reviewed-by: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Powered by blists - more mailing lists