git.proxmox.com Git - mirror_ubuntu-focal-kernel.git/commit

author	Ingo Rohloff <ingo.rohloff@lauterbach.com>
	Fri, 11 Oct 2019 11:55:18 +0000 (13:55 +0200)
committer	Seth Forshee <seth.forshee@canonical.com>
	Mon, 6 Jan 2020 14:15:59 +0000 (08:15 -0600)
commit	ccc8294bcc76a40a1c9d00c21bb31a74e50ae1b6
tree	f25e2381f91b859cad0fea0b1e5077b68cb0424d	tree
parent	0144b06eb66be9bced786b746e916a8f7bfd1cc5	commit \| diff

usb: usbfs: Suppress problematic bind and unbind uevents.

BugLink: https://bugs.launchpad.net/bugs/1858428
[ Upstream commit abb0b3d96a1f9407dd66831ae33985a386d4200d ]

commit 1455cf8dbfd0 ("driver core: emit uevents when device is bound
to a driver") added bind and unbind uevents when a driver is bound or
unbound to a physical device.

For USB devices which are handled via the generic usbfs layer (via
libusb for example), this is problematic:
Each time a user space program calls
   ioctl(usb_fd, USBDEVFS_CLAIMINTERFACE, &usb_intf_nr);
and then later
   ioctl(usb_fd, USBDEVFS_RELEASEINTERFACE, &usb_intf_nr);
The kernel will now produce a bind or unbind event, which does not
really contain any useful information.

This allows a user space program to run a DoS attack against programs
which listen to uevents (in particular systemd/eudev/upowerd):
A malicious user space program just has to call in a tight loop

   ioctl(usb_fd, USBDEVFS_CLAIMINTERFACE, &usb_intf_nr);
   ioctl(usb_fd, USBDEVFS_RELEASEINTERFACE, &usb_intf_nr);

With this loop the malicious user space program floods the kernel and
all programs listening to uevents with tons of bind and unbind
events.

This patch suppresses uevents for ioctls USBDEVFS_CLAIMINTERFACE and
USBDEVFS_RELEASEINTERFACE.

Signed-off-by: Ingo Rohloff <ingo.rohloff@lauterbach.com>
Link: https://lore.kernel.org/r/20191011115518.2801-1-ingo.rohloff@lauterbach.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Seth Forshee <seth.forshee@canonical.com>