Syzbot found an issue in usbmon where it can corrupt monitor internal memory, causing usbmon to crash with a segfault, UAF, etc. The reproducer mmaps the /dev/usbmon memory to userspace and overwrites it with arbitrary data, which causes the issues. To prevent that, explicitly clear the VM_WRITE flag in mon_bin_mmap().
Cc: linux-usb@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
Cc: stable@vger.kernel.org
Fixes: 6f23ee1fefdc ("USB: add binary API to usbmon")
Link: https://syzkaller.appspot.com/bug?id=2eb1f35d6525fa4a74d75b4244971e5b1411c95...
Signed-off-by: Tadeusz Struk <tadeusz.struk@linaro.org>
---
 drivers/usb/mon/mon_bin.c | 1 +
 1 file changed, 1 insertion(+)
diff --git a/drivers/usb/mon/mon_bin.c b/drivers/usb/mon/mon_bin.c index f48a23adbc35..f452fc03093c 100644 --- a/drivers/usb/mon/mon_bin.c +++ b/drivers/usb/mon/mon_bin.c @@ -1268,6 +1268,7 @@ static int mon_bin_mmap(struct file *filp, struct vm_area_struct *vma) { /* don't do anything here: "fault" will set up page table entries */ vma->vm_ops = &mon_bin_vm_ops; + vma->vm_flags &= ~VM_WRITE; vma->vm_flags |= VM_DONTEXPAND | VM_DONTDUMP; vma->vm_private_data = filp->private_data; mon_bin_vma_open(vma);
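Review bot: clearing only VM_WRITE in the mon_bin_mmap() hunk does not make the mapping read-only, because VM_MAYWRITE stays set on a MAP_SHARED mapping of a file opened O_RDWR, and mprotect() refuses to add PROT_WRITE only when VM_MAYWRITE is clear; a reproducer can mmap() the buffer as before and then call mprotect(addr, len, PROT_READ|PROT_WRITE) to turn VM_WRITE back on and overwrite the ring again. The line also silently downgrades a PROT_WRITE request instead of reporting it, so a caller that asked for a writable mapping gets SIGSEGV on its first store rather than an error from mmap(). Suggest rejecting writable mappings up front and removing the permission to add write later, e.g. at the top of the function: `if (vma->vm_flags & VM_WRITE) return -EPERM;` followed by `vma->vm_flags &= ~VM_MAYWRITE;`, keeping the existing `vma->vm_flags |= VM_DONTEXPAND | VM_DONTDUMP;` as is. A quick userspace check of either variant: open the usbmon node O_RDWR, mmap() it with PROT_READ and MAP_SHARED, then call mprotect() with PROT_READ|PROT_WRITE; with VM_MAYWRITE cleared that call fails with EACCES, with only VM_WRITE cleared it succeeds and the buffer is writable again.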