projects / linux-block.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 7b5a589)
usb: require FMODE_WRITE for usbdev_mmap()
authorJann Horn <jannh@google.com>
Wed, 16 Oct 2024 15:24:06 +0000 (17:24 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 17 Oct 2024 06:36:52 +0000 (08:36 +0200)
usbdev_mmap() creates VMAs which can only be used through
usbdev_do_ioctl(), which requires FMODE_WRITE; so usbdev_mmap() is only
useful with FMODE_WRITE.

On typical Linux systems, files at /dev/bus/usb/*/* are mode 0664, so
UIDs without any special privileges can't use usbdev_do_ioctl(), but
they can still execute the usbdev_mmap() codepath.

Check for FMODE_WRITE in usbdev_mmap() to reduce attack surface a little
bit.

Signed-off-by: Jann Horn <jannh@google.com>
Link: https://lore.kernel.org/r/20241016-usbdev-mmap-require-write-v1-1-6f8256414d5c@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
drivers/usb/core/devio.c patch | blob | blame | history

diff --git a/drivers/usb/core/devio.c b/drivers/usb/core/devio.c
index 3beb6a862e8084d97c619aacd32a624f1f6db3ce..5363468a282f82b66196623225258a1bb54941aa 100644 (file)
--- a/drivers/usb/core/devio.c
+++ b/drivers/usb/core/devio.c
@@ -238,6 +238,9 @@ static int usbdev_mmap(struct file *file, struct vm_area_struct *vma)
        dma_addr_t dma_handle = DMA_MAPPING_ERROR;
        int ret;
 
+       if (!(file->f_mode & FMODE_WRITE))
+               return -EPERM;
+
        ret = usbfs_increase_memory_usage(size + sizeof(struct usb_memory));
        if (ret)
                goto error;
Linux 6.x block layer and io_uring tree(s)