* [PATCH] usb: gadget: function: rndis: limit # of RNDIS instances to 1000
@ 2022-08-23 20:53 Sergey Shtylyov
2022-08-24 5:54 ` Greg Kroah-Hartman
0 siblings, 1 reply; 3+ messages in thread
From: Sergey Shtylyov @ 2022-08-23 20:53 UTC
To: Felipe Balbi, Greg Kroah-Hartman, linux-usb
As follows from #define NAME_TEMPLATE, the procfs code in the RNDIS driver
expects the # of instances to be 3-digit decimal, while the driver calls
ida_simple_get() passing 0 as the 'end' argument which results in actual
max instance # of INT_MAX. Limit the maximum # of RNDIS instances to 1000
which is still a lot! :-)
Found by Linux Verification Center (linuxtesting.org) with the SVACE static
analysis tool.
Signed-off-by: Sergey Shtylyov <s.shtylyov@omp.ru>
---
This patch is against the 'next' branch of Felipe Balbi's 'usb.git' repo...
drivers/usb/gadget/function/rndis.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
Index: usb/drivers/usb/gadget/function/rndis.c
===================================================================
--- usb.orig/drivers/usb/gadget/function/rndis.c
+++ usb/drivers/usb/gadget/function/rndis.c
@@ -865,7 +865,7 @@ EXPORT_SYMBOL_GPL(rndis_msg_parser);
static inline int rndis_get_nr(void)
{
- return ida_simple_get(&rndis_ida, 0, 0, GFP_KERNEL);
+ return ida_simple_get(&rndis_ida, 0, 1000, GFP_KERNEL);
}
static inline void rndis_put_nr(int nr)
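Review bot: the bare 1000 on the added line in rndis_get_nr() has no visible link to the 3-digit width of NAME_TEMPLATE that the commit message gives as the reason for it, so a later change to either one can silently bring the mismatch back. Consider a named constant defined beside NAME_TEMPLATE with a comment tying the two together, and state there that the 'end' argument of ida_simple_get() is exclusive, so the ids handed out are 0..999 and the largest still fits three digits.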
* Re: [PATCH] usb: gadget: function: rndis: limit # of RNDIS instances to 1000
2022-08-23 20:53 [PATCH] usb: gadget: function: rndis: limit # of RNDIS instances to 1000 Sergey Shtylyov
@ 2022-08-24 5:54 ` Greg Kroah-Hartman
2022-08-25 21:09 ` Sergey Shtylyov
0 siblings, 1 reply; 3+ messages in thread
From: Greg Kroah-Hartman @ 2022-08-24 5:54 UTC
To: Sergey Shtylyov; +Cc: Felipe Balbi, linux-usb
On Tue, Aug 23, 2022 at 11:53:26PM +0300, Sergey Shtylyov wrote:
> As follows from #define NAME_TEMPLATE, the procfs code in the RNDIS driver
> expects the # of instances to be 3-digit decimal, while the driver calls
> ida_simple_get() passing 0 as the 'end' argument which results in actual
> max instance # of INT_MAX. Limit the maximum # of RNDIS instances to 1000
> which is still a lot! :-)
>
> Found by Linux Verification Center (linuxtesting.org) with the SVACE static
> analysis tool.
>
> Signed-off-by: Sergey Shtylyov <s.shtylyov@omp.ru>
>
> ---
> This patch is against the 'next' branch of Felipe Balbi's 'usb.git' repo...
>
> drivers/usb/gadget/function/rndis.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> Index: usb/drivers/usb/gadget/function/rndis.c
> ===================================================================
> --- usb.orig/drivers/usb/gadget/function/rndis.c
> +++ usb/drivers/usb/gadget/function/rndis.c
> @@ -865,7 +865,7 @@ EXPORT_SYMBOL_GPL(rndis_msg_parser);
>
> static inline int rndis_get_nr(void)
> {
> - return ida_simple_get(&rndis_ida, 0, 0, GFP_KERNEL);
> + return ida_simple_get(&rndis_ida, 0, 1000, GFP_KERNEL);
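Review bot: with a finite 'end' on the added line, rndis_get_nr() can return a negative error once all ids are in use, a case that was practically unreachable with the old INT_MAX range. The hunk does not show the callers, so it is worth confirming that each one checks for a negative return before treating the value as an instance number or formatting it into the procfs name.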
Why not just change the procfs code instead? It's not like anyone
should ever be using this driver anyway. We should delete it soon, it's
totally broken and insecure as noted in the past :(
thanks,
greg k-h
* Re: [PATCH] usb: gadget: function: rndis: limit # of RNDIS instances to 1000
2022-08-24 5:54 ` Greg Kroah-Hartman
@ 2022-08-25 21:09 ` Sergey Shtylyov
0 siblings, 0 replies; 3+ messages in thread
From: Sergey Shtylyov @ 2022-08-25 21:09 UTC
To: Greg Kroah-Hartman; +Cc: Felipe Balbi, linux-usb
Hello!
On 8/24/22 8:54 AM, Greg Kroah-Hartman wrote:
>> As follows from #define NAME_TEMPLATE, the procfs code in the RNDIS driver
>> expects the # of instances to be 3-digit decimal, while the driver calls
>> ida_simple_get() passing 0 as the 'end' argument which results in actual
>> max instance # of INT_MAX. Limit the maximum # of RNDIS instances to 1000
>> which is still a lot! :-)
>>
>> Found by Linux Verification Center (linuxtesting.org) with the SVACE static
>> analysis tool.
>>
>> Signed-off-by: Sergey Shtylyov <s.shtylyov@omp.ru>
>>
>> ---
>> This patch is against the 'next' branch of Felipe Balbi's 'usb.git' repo...
>>
>> drivers/usb/gadget/function/rndis.c | 2 +-
>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> Index: usb/drivers/usb/gadget/function/rndis.c
>> ===================================================================
>> --- usb.orig/drivers/usb/gadget/function/rndis.c
>> +++ usb/drivers/usb/gadget/function/rndis.c
>> @@ -865,7 +865,7 @@ EXPORT_SYMBOL_GPL(rndis_msg_parser);
>>
>> static inline int rndis_get_nr(void)
>> {
>> - return ida_simple_get(&rndis_ida, 0, 0, GFP_KERNEL);
>> + return ida_simple_get(&rndis_ida, 0, 1000, GFP_KERNEL);
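Review bot: since this line of rndis_get_nr() is being touched anyway, it could move off ida_simple_get(), which the IDA header marks as obsolete, to ida_alloc_max(&rndis_ida, 999, GFP_KERNEL). That call takes an inclusive maximum, so the limit reads directly as the largest 3-digit instance number instead of an exclusive 'end' of 1000.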
>
> Why not just change the procfs code instead?
You mean changing #define NAME_TEMPLATE from "driver/rndis-%03d" to
"driver/rndis-%010d" and then changing the size of the name[] buffers to
24 bytes?
> It's not like anyone should ever be using this driver anyway.
> We should delete it soon, it's
> totally broken and insecure as noted in the past :(
Oh, I wasn't aware of that... I just got the SVACE reports tossed
at me by the ISP people...
> thanks,
>
> greg k-h
MBR, Sergey