On Fri, Oct 11, 2019 at 01:55:18PM +0200, Ingo Rohloff wrote:
> commit 1455cf8dbfd0 ("driver core: emit uevents when device is bound
> to a driver") added bind and unbind uevents when a driver is bound or
> unbound to a physical device.
>
> For USB devices which are handled via the generic usbfs layer (via
> libusb for example), this is problematic:
> Each time a user space program calls
>   ioctl(usb_fd, USBDEVFS_CLAIMINTERFACE, &usb_intf_nr);
> and then later
>   ioctl(usb_fd, USBDEVFS_RELEASEINTERFACE, &usb_intf_nr);
> The kernel will now produce a bind or unbind event, which does not
> really contain any useful information.
>
> This allows a user space program to run a DoS attack against programs
> which listen to uevents (in particular systemd/eudev/upowerd):
> A malicious user space program just has to call in a tight loop
>
>   ioctl(usb_fd, USBDEVFS_CLAIMINTERFACE, &usb_intf_nr);
>   ioctl(usb_fd, USBDEVFS_RELEASEINTERFACE, &usb_intf_nr);
>
> With this loop the malicious user space program floods the kernel and
> all programs listening to uevents with tons of bind and unbind
> events.
>
> This patch suppresses uevents for ioctls USBDEVFS_CLAIMINTERFACE and
> USBDEVFS_RELEASEINTERFACE.
>
> Signed-off-by: Ingo Rohloff <[email protected]>
> ---
>
> Notes:
>     v2:
>       Patch only single file (devio.c), try to only suppress uevents while
>       usb_driver_claim_interface/usb_driver_release_interface are called.
>       Try to restore old state of dev->kobj.uevent_suppress.

Thanks for cleaning this up. It looks much nicer now. I've queued it
up in my tree, let's see how testing goes :)

thanks,

greg k-h
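
Added example, not part of the mails above or of the kernel patch: a listener-side check that parses kernel-format uevent datagrams and flags the usb bind/unbind churn the commit message describes, for hosts still running an unpatched kernel. The sample datagram, the names `uevent_get`, `observe` and `struct churn`, and the limit of 100 events per 1000 ms are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
/* Constructed sample of a kernel uevent datagram: "action@devpath", then
 * NUL-separated KEY=value pairs (device path and SEQNUM are made up). */
static const char SAMPLE_BIND[] =
    "bind@/devices/pci0000:00/usb1/1-1/1-1:1.0\0"
    "ACTION=bind\0DEVPATH=/devices/pci0000:00/usb1/1-1/1-1:1.0\0"
    "SUBSYSTEM=usb\0DEVTYPE=usb_interface\0SEQNUM=4242";

/* Return the value of `key` in the datagram, or NULL if absent. */
static const char *uevent_get(const char *buf, size_t len, const char *key)
{
    size_t klen = strlen(key);
    for (size_t off = 0; off < len; ) {
        const char *end = memchr(buf + off, '\0', len - off);
        if (!end) break;                /* unterminated tail: ignore it */
        if (!strncmp(buf + off, key, klen) && buf[off + klen] == '=')
            return buf + off + klen + 1;
        off = (size_t)(end - buf) + 1;
    }
    return NULL;
}

/* Fixed-window counter; limit and window_ms are assumed tuning values. */
struct churn { long start_ms, window_ms; unsigned count, limit; };

/* Count usb bind/unbind events only; 1 once the window holds > limit. */
static int observe(struct churn *c, const char *buf, size_t len, long now_ms)
{
    const char *act = uevent_get(buf, len, "ACTION");
    const char *sub = uevent_get(buf, len, "SUBSYSTEM");
    if (!act || !sub || strcmp(sub, "usb") ||
        (strcmp(act, "bind") && strcmp(act, "unbind")))
        return 0;
    if (now_ms - c->start_ms >= c->window_ms) {
        c->start_ms = now_ms;
        c->count = 0;
    }
    return ++c->count > c->limit;
}

int main(void)
{
    struct churn c = { 0, 1000, 0, 100 };
    long t = 0;                          /* one constructed event per ms */
    while (t < 500 && !observe(&c, SAMPLE_BIND, sizeof(SAMPLE_BIND), t))
        t++;
    printf("first alarm at t=%ld ms\n", t);
}
```

A real listener would feed `observe` from a `NETLINK_KOBJECT_UEVENT` socket and keep one counter per `DEVPATH`, so a single noisy interface can be throttled or ignored without dropping events from other devices.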