linux-usb.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* [PATCH] USB: usbfs: Suppress emission of uevents for interfaces handled via usbfs
@ 2019-10-09 10:38 Ingo Rohloff
  2019-10-10 10:24 ` Greg KH
  0 siblings, 1 reply; 4+ messages in thread
From: Ingo Rohloff @ 2019-10-09 10:38 UTC (permalink / raw)
  To: linux-usb, linux-hotplug

From 17d1e75543e26cfe702e7f5b0d4e07e0e45e5250 Mon Sep 17 00:00:00 2001
From: Ingo Rohloff <ingo.rohloff@lauterbach.com>
Date: Tue, 8 Oct 2019 20:27:57 +0200
Subject: [PATCH] USB: usbfs: Suppress emission of uevents for interfaces
 handled via usbfs.

commit 1455cf8dbfd0
("driver core: emit uevents when device is bound to a driver")
added bind/unbind uevents when a driver is bound/unbound
to a physical device.

For USB devices which are handled via the generic usbfs layer
(via libusb for example), this is problematic:
Each time a user space program calls
   ioctl(usb_fd, USBDEVFS_CLAIMINTERFACE, &usb_intf_nr);
and then later
   ioctl(usb_fd, USBDEVFS_RELEASEINTERFACE, &usb_intf_nr);
The kernel will now produce a bind/unbind event,
which does not really contain any useful information.

This allows a user space program to run a DoS attack against
programs which listen to uevents (in particular systemd/eudev/upowerd):
A malicious user space program just has to call in a tight loop

   ioctl(usb_fd, USBDEVFS_CLAIMINTERFACE, &usb_intf_nr);
   ioctl(usb_fd, USBDEVFS_RELEASEINTERFACE, &usb_intf_nr);

With this loop the malicious user space program floods
the kernel and all programs listening to uevents with
tons of bind/unbind events.

This patch suppresses uevents for interfaces claimed via usbfs.

Signed-off-by: Ingo Rohloff <ingo.rohloff@lauterbach.com>
---
 drivers/usb/core/devio.c  | 7 ++++++-
 drivers/usb/core/driver.c | 2 ++
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/drivers/usb/core/devio.c b/drivers/usb/core/devio.c
index 3f899552f6e3..a1af1d9b2ae7 100644
--- a/drivers/usb/core/devio.c
+++ b/drivers/usb/core/devio.c
@@ -764,8 +764,13 @@ static int claimintf(struct usb_dev_state *ps, unsigned int ifnum)
 	intf = usb_ifnum_to_if(dev, ifnum);
 	if (!intf)
 		err = -ENOENT;
-	else
+	else {
+		/* suppress uevents for devices handled by usbfs */
+		dev_set_uevent_suppress(&intf->dev, 1);
 		err = usb_driver_claim_interface(&usbfs_driver, intf, ps);
+		if (err != 0)
+			dev_set_uevent_suppress(&intf->dev, 0);
+	}
 	if (err == 0)
 		set_bit(ifnum, &ps->ifclaimed);
 	return err;
diff --git a/drivers/usb/core/driver.c b/drivers/usb/core/driver.c
index 2b27d232d7a7..6a15bc5c2869 100644
--- a/drivers/usb/core/driver.c
+++ b/drivers/usb/core/driver.c
@@ -594,6 +594,8 @@ void usb_driver_release_interface(struct usb_driver *driver,
 	 */
 	if (device_is_registered(dev)) {
 		device_release_driver(dev);
+		/* make sure we allow uevents again */
+		dev_set_uevent_suppress(dev, 0);
 	} else {
 		device_lock(dev);
 		usb_unbind_interface(dev);
-- 
2.17.1


^ permalink raw reply related	[flat|nested] 4+ messages in thread
* [PATCH] USB: usbfs: Suppress emission of uevents for interfaces handled via usbfs.
@ 2019-10-09  9:21 Ingo Rohloff
  0 siblings, 0 replies; 4+ messages in thread
From: Ingo Rohloff @ 2019-10-09  9:21 UTC (permalink / raw)
  To: linux-usb, linux-hotplug


commit 1455cf8dbfd0
("driver core: emit uevents when device is bound to a driver")
added bind/unbind uevents when a driver is bound/unbound
to a physical device.

For USB devices which are handled via the generic usbfs layer
(via libusb for example), this is problematic:
Each time a user space program calls
   ioctl(usb_fd, USBDEVFS_CLAIMINTERFACE, &usb_intf_nr);
and then later
   ioctl(usb_fd, USBDEVFS_RELEASEINTERFACE, &usb_intf_nr);
The kernel will now produce a bind/unbind event,
which does not really contain any useful information.

This allows a user space program to run a DoS attack against
programs which listen to uevents (in particular systemd/eudev/upowerd):
A malicious user space program just has to call in a tight loop

   ioctl(usb_fd, USBDEVFS_CLAIMINTERFACE, &usb_intf_nr);
   ioctl(usb_fd, USBDEVFS_RELEASEINTERFACE, &usb_intf_nr);

With this loop the malicious user space program floods
the kernel and all programs listening to uevents with
tons of bind/unbind events.

This patch suppresses uevents for interfaces claimed via usbfs.

Signed-off-by: Ingo Rohloff <ingo.rohloff@lauterbach.com>
---
 drivers/usb/core/devio.c  | 7 ++++++-
 drivers/usb/core/driver.c | 2 ++
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/drivers/usb/core/devio.c b/drivers/usb/core/devio.c
index 3f899552f6e3..a1af1d9b2ae7 100644
--- a/drivers/usb/core/devio.c
+++ b/drivers/usb/core/devio.c
@@ -764,8 +764,13 @@ static int claimintf(struct usb_dev_state *ps, unsigned int ifnum)
 	intf = usb_ifnum_to_if(dev, ifnum);
 	if (!intf)
 		err = -ENOENT;
-	else
+	else {
+		/* suppress uevents for devices handled by usbfs */
+		dev_set_uevent_suppress(&intf->dev, 1);
 		err = usb_driver_claim_interface(&usbfs_driver, intf, ps);
+		if (err != 0)
+			dev_set_uevent_suppress(&intf->dev, 0);
+	}
 	if (err == 0)
 		set_bit(ifnum, &ps->ifclaimed);
 	return err;
diff --git a/drivers/usb/core/driver.c b/drivers/usb/core/driver.c
index 2b27d232d7a7..6a15bc5c2869 100644
--- a/drivers/usb/core/driver.c
+++ b/drivers/usb/core/driver.c
@@ -594,6 +594,8 @@ void usb_driver_release_interface(struct usb_driver *driver,
 	 */
 	if (device_is_registered(dev)) {
 		device_release_driver(dev);
+		/* make sure we allow uevents again */
+		dev_set_uevent_suppress(dev, 0);
 	} else {
 		device_lock(dev);
 		usb_unbind_interface(dev);
-- 
2.17.1


^ permalink raw reply related	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2019-10-10 12:53 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-10-09 10:38 [PATCH] USB: usbfs: Suppress emission of uevents for interfaces handled via usbfs Ingo Rohloff
2019-10-10 10:24 ` Greg KH
2019-10-10 12:53   ` Ingo Rohloff
  -- strict thread matches above, loose matches on Subject: below --
2019-10-09  9:21 Ingo Rohloff

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).