From: Greg KH <gregkh@linuxfoundation.org>
To: Sebastian Josue Alba Vives <sebasjosue84@gmail.com>
Cc: security@kernel.org, shuah@kernel.org, stable@vger.kernel.org
Subject: Re: [PATCH] usbip: vhci: validate number_of_packets in RET_SUBMIT response
Date: Sun, 29 Mar 2026 15:25:23 +0200
Message-ID: <2026032940-corny-cursive-c360@gregkh>
In-Reply-To: <20260329125437.517980-2-sebasjosue84@gmail.com>

On Sun, Mar 29, 2026 at 06:53:33AM -0600, Sebastian Josue Alba Vives wrote:
> From: Sebastián Alba Vives <sebasjosue84@gmail.com>
> 
> vhci_recv_ret_submit() calls usbip_pack_pdu() which overwrites
> urb->number_of_packets with the value from the network PDU reply
> without any validation. A malicious USB/IP server can set
> number_of_packets to a value larger than the original URB allocation,
> causing usbip_recv_iso() and usbip_pad_iso() to access
> urb->iso_frame_desc[] entries beyond the allocated array.
> 
> This leads to a heap buffer overflow in kernel memory, reachable over
> the network without authentication.
> 
> The attack chain is:
>   1. Client sends isochronous URB with number_of_packets = N
>   2. Server replies with number_of_packets = N' >> N
>   3. usbip_pack_pdu() blindly copies N' into urb->number_of_packets
>   4. usbip_recv_iso() loops N' times over iso_frame_desc[N] → OOB
>   5. usbip_pad_iso() also loops N' times → second OOB
> 
> Save the original number_of_packets before usbip_pack_pdu() and
> validate the returned value does not exceed it. Also add a defensive
> bounds check in usbip_recv_iso() against USBIP_MAX_ISO_PACKETS and
> use array_size() to prevent integer overflow in the allocation.
> 
> Note that stub_rx.c already validates number_of_packets against
> USBIP_MAX_ISO_PACKETS for CMD_SUBMIT on the server side, but no
> equivalent validation existed on the client side for RET_SUBMIT.
> 
> Cc: stable@vger.kernel.org
> Signed-off-by: Sebastián Alba Vives <sebasjosue84@gmail.com>
> ---
>  drivers/usb/usbip/usbip_common.c | 18 ++++++++++++++----
>  drivers/usb/usbip/vhci_rx.c      | 27 +++++++++++++++++++++++++++
>  2 files changed, 41 insertions(+), 4 deletions(-)

Please see this series:
	https://lore.kernel.org/r/20260325104841.8282-1-addcontent08@gmail.com

and this follow-on:
	https://lore.kernel.org/r/20260327064449.735-1-nathan.c.rebello@gmail.com

and if both of your patches are still relevant after applying them,
great, send them on as a follow-on patch please.

thanks,

greg k-h
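The quoted commit message describes the client-side gap: usbip_pack_pdu() copies the server's number_of_packets into the URB unchecked, and the later iso_frame_desc[] loops trust that count. The following is an added, stand-alone C illustration of the check the patch describes (save the allocated count, unpack, reject a larger or out-of-range value) together with an overflow-safe size computation in the spirit of array_size(); it is not the patch's own code. The struct layouts, the local USBIP_MAX_ISO_PACKETS value of 1024, and the helper names unpack_ret_submit(), recv_ret_submit_checked(), iso_array_size() and simulate_reply() are all assumptions made for this example.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Local stand-in for the kernel's USBIP_MAX_ISO_PACKETS ceiling (the real
 * definition lives in drivers/usb/usbip/usbip_common.h; 1024 is assumed). */
#define USBIP_MAX_ISO_PACKETS 1024

/* Constructed, minimal stand-ins for struct usb_iso_packet_descriptor and
 * struct urb; only the fields this example touches are present. */
struct iso_frame_desc {
	unsigned int offset;
	unsigned int length;
	unsigned int actual_length;
	int status;
};

struct urb {
	int number_of_packets;
	struct iso_frame_desc *iso_frame_desc;
};

/* RET_SUBMIT reply fields relevant here, already converted to host order. */
struct ret_submit_pdu {
	int32_t status;
	int32_t actual_length;
	int32_t number_of_packets;
	int32_t error_count;
};

/* Overflow-safe counterpart of the kernel's array_size(): returns SIZE_MAX
 * (which any allocator refuses) instead of a wrapped-around small size. */
size_t iso_array_size(size_t count)
{
	if (count > SIZE_MAX / sizeof(struct iso_frame_desc))
		return SIZE_MAX;
	return count * sizeof(struct iso_frame_desc);
}

/* Mirrors the effect of usbip_pack_pdu() in unpack mode: the wire value
 * replaces urb->number_of_packets with no check at all. */
static void unpack_ret_submit(struct urb *urb, const struct ret_submit_pdu *pdu)
{
	urb->number_of_packets = pdu->number_of_packets;
}

/* Hardened receive step: remember the count the URB was allocated with,
 * unpack the reply, then refuse a count that is negative, larger than the
 * allocation, or above the global ceiling. On rejection the original count
 * is restored so later cleanup still iterates the real array bounds.
 * Returns 0 if the reply may be processed, -EINVAL if it must be dropped. */
int recv_ret_submit_checked(struct urb *urb, const struct ret_submit_pdu *pdu)
{
	int orig = urb->number_of_packets;

	unpack_ret_submit(urb, pdu);

	if (urb->number_of_packets < 0 ||
	    urb->number_of_packets > orig ||
	    urb->number_of_packets > USBIP_MAX_ISO_PACKETS) {
		urb->number_of_packets = orig;
		return -EINVAL;
	}
	return 0;
}

/* Builds a URB with `allocated` descriptors, feeds it a reply claiming
 * `replied` packets, and returns the verdict of the check. */
int simulate_reply(int allocated, int32_t replied)
{
	struct urb urb = { .number_of_packets = allocated };
	struct ret_submit_pdu pdu = { .number_of_packets = replied };
	size_t bytes = iso_array_size((size_t)allocated);
	int ret;

	if (bytes == SIZE_MAX)
		return -ENOMEM;
	urb.iso_frame_desc = malloc(bytes);
	if (!urb.iso_frame_desc)
		return -ENOMEM;

	ret = recv_ret_submit_checked(&urb, &pdu);

	/* Once the check has passed, this loop stays within the allocation. */
	for (int i = 0; ret == 0 && i < urb.number_of_packets; i++)
		urb.iso_frame_desc[i].status = 0;

	free(urb.iso_frame_desc);
	return ret;
}

int main(void)
{
	printf("8 allocated, 8 replied:  %d\n", simulate_reply(8, 8));
	printf("8 allocated, 64 replied: %d\n", simulate_reply(8, 64));
	printf("8 allocated, -1 replied: %d\n", simulate_reply(8, -1));
	return 0;
}
```

Restoring the original count on rejection matters in the real driver too: whatever error path follows still walks iso_frame_desc[], and it must do so with the count the array was actually sized for.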


Thread overview: 9+ messages
2026-03-29 12:53 [SECURITY] usbip: vhci: heap buffer overflow via crafted number_of_packets in RET_SUBMIT Sebastian Josue Alba Vives
2026-03-29 12:53 ` [PATCH] usbip: vhci: validate number_of_packets in RET_SUBMIT response Sebastian Josue Alba Vives
2026-03-29 13:25   ` Greg KH [this message]
2026-03-29 13:17 ` [SECURITY] usbip: iso_frame_desc OOB memmove via crafted offset/length Sebastian Josue Alba Vives
2026-03-29 13:17   ` [PATCH] usbip: validate iso_frame_desc offset and length in usbip_recv_iso() Sebastian Josue Alba Vives
2026-03-29 13:24 ` [SECURITY] usbip: vhci: heap buffer overflow via crafted number_of_packets in RET_SUBMIT Greg KH
2026-03-29 13:34   ` Sebastián Alba
2026-03-29 13:50     ` Greg KH
2026-03-29 13:53       ` Sebastián Alba
