Merge: CVE-2022-43750 kernel: memory corruption in usbmon driver

Herton R. Krzesinski · Herton R. Krzesinski · commit 55cd084c6232 · 2023-02-17T17:15:29.000Z
MR: https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-9/-/merge_requests/2015 ## BUGZILLA Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2157698 ## UPSTREAM STATUS Upstream Status: Patch has been accepted on kernel/git/torvalds/linux.git ## CVE CVE: CVE-2022-43750 ## CONFLICTS None ## BUILD INFORMATION Build Info: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=50474173 ## TESTING Functional testing: TBD Smoke test: # modinfo usbmon name: usbmon filename: (builtin) license: GPL file: drivers/usb/mon/usbmon # uname -r 5.14.0-255.rh2157698.el9.x86_64 # cat /etc/redhat-release Red Hat Enterprise Linux release 9.1 (Plow) # rpm -q --changelog kernel-5.14.0-255.rh2157698.el9.x86_64 | head -n2 * Thu Feb 02 2023 Desnes Nunes <desnesn@redhat.com> [5.14.0-255.rh2157698.el9] - usb: mon: make mmapped memory read only (Desnes Nunes) # lscpu | grep -m1 "Model name" Model name: Intel(R) Xeon(R) Platinum 8360Y CPU @ 2.40GHz # dmidecode | grep -A3 '^System Information' System Information Manufacturer: Intel Corporation Product Name: M50CYP2SB2U Version: .................... ## DESCRIPTION This fixes CVE-2022-43750 that causes memory corruption in the usbmon driver. This currently happens due to the possibility of /dev/usbmon memory being mmap to user space, which will lead to a kernel crash. Signed-off-by: Desnes Nunes <desnesn@redhat.com> Approved-by: John B. Wyatt IV <jwyatt@redhat.com> Approved-by: Dean Nelson <dnelson@redhat.com> Approved-by: Torez Smith <torez@redhat.com> Signed-off-by: Herton R. Krzesinski <herton@redhat.com>
diff --git a/drivers/usb/mon/mon_bin.c b/drivers/usb/mon/mon_bin.c
@@ -1268,6 +1268,11 @@ static int mon_bin_mmap(struct file *filp, struct vm_area_struct *vma)
 {
 	/* don't do anything here: "fault" will set up page table entries */
 	vma->vm_ops = &mon_bin_vm_ops;
+
+	if (vma->vm_flags & VM_WRITE)
+		return -EPERM;
+
+	vma->vm_flags &= ~VM_MAYWRITE;
 	vma->vm_flags |= VM_DONTEXPAND | VM_DONTDUMP;
 	vma->vm_private_data = filp->private_data;
 	mon_bin_vma_open(vma);
