From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net [23.128.96.19]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id EDB687C for ; Thu, 13 Jul 2023 02:12:15 +0000 (UTC) X-Greylist: delayed 1799 seconds by postgrey-1.37 at lindbergh.monkeyblade.net; Wed, 12 Jul 2023 19:12:12 PDT Received: from sipsolutions.net (s3.sipsolutions.net [IPv6:2a01:4f8:242:246e::2]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 91FCC1FFD; Wed, 12 Jul 2023 19:12:12 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sipsolutions.net; s=mail; h=MIME-Version:Content-Transfer-Encoding: Content-Type:References:In-Reply-To:Date:Cc:To:From:Subject:Message-ID:Sender :Reply-To:Content-ID:Content-Description:Resent-Date:Resent-From:Resent-To: Resent-Cc:Resent-Message-ID; bh=m3po4FiRsuRaodVf3w1lKGRDQNG5T/ke8/cTCsTCpi0=; t=1689214333; x=1690423933; b=E22ul75fr+5+v6gvlvmdzVYkzTKgV8KpXxuShdglCbaZkFq K3/tqvuBzXYsmX0aSEtMM+JMqYO2SKNtKGmHxLef2472a+FuJwnC7TRflR37GgdnuOyS38teXpjEY 2exj3/EPBputVLEqTmUTAcZM1PKxO2JE9zYnLwX76Ha7qAdoEW7o/T+UWfRSHSqPpESjc3Qq7L/Is gQehyLr5LQe6ANkqt0UgYXkfsgidVbHvJGZ/vXBTlxcOmNuu++JmCNdlEXKJHHxdDL1gqOYqRCgkp 8YQS98wARzf3d6om4hRSpG9pesthdYT9VvDOj+rUJ+RRQZ3C+BmV30uoO5f3wu/Q==; Received: by sipsolutions.net with esmtpsa (TLS1.3:ECDHE_X25519__RSA_PSS_RSAE_SHA256__AES_256_GCM:256) (Exim 4.96) (envelope-from ) id 1qJkC3-0004Hv-1i; Thu, 13 Jul 2023 02:28:27 +0200 Message-ID: <2d26c0028590a80e7aa80487cbeffd5ca6e6a5ea.camel@sipsolutions.net> Subject: Re: [PATCH] USB: disable all RNDIS protocol drivers From: Johannes Berg To: Greg Kroah-Hartman Cc: Oliver Neukum , Enrico Mioso , Jan Engelhardt , linux-kernel@vger.kernel.org, "David S. Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni , Kalle Valo , Oleksij Rempel , Maciej =?UTF-8?Q?=C5=BBenczykowski?= , Neil Armstrong , Mauro Carvalho Chehab , Andrzej Pietrasiewicz , Jacopo Mondi , =?UTF-8?Q?=C5=81ukasz?= Stelmach , Laurent Pinchart , linux-usb@vger.kernel.org, netdev@vger.kernel.org, linux-wireless@vger.kernel.org, Ilja Van Sprundel , Joseph Tartaro Date: Thu, 13 Jul 2023 02:28:26 +0200 In-Reply-To: <2023071222-asleep-vacancy-4cfa@gregkh> References: <20221123124620.1387499-1-gregkh@linuxfoundation.org> <2023070430-fragment-remember-2fdd@gregkh> <6a4a8980912380085ea628049b5e19e38bcd8e1d.camel@sipsolutions.net> <2023071222-asleep-vacancy-4cfa@gregkh> Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable User-Agent: Evolution 3.48.4 (3.48.4-1.fc38) Precedence: bulk X-Mailing-List: netdev@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-malware-bazaar: not-scanned X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_BLOCKED, SPF_HELO_PASS,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net On Wed, 2023-07-12 at 18:39 +0200, Greg Kroah-Hartman wrote: > On Wed, Jul 12, 2023 at 03:00:55PM +0200, Johannes Berg wrote: > > On Wed, 2023-07-12 at 11:22 +0200, Oliver Neukum wrote: > > >=20 > > > On 04.07.23 08:47, Greg Kroah-Hartman wrote: > > > > On Mon, Jul 03, 2023 at 11:11:57PM +0200, Enrico Mioso wrote: > > > > > Hi all!! > > > > >=20 > > > > > I think the rndis_host USB driver might emit a warning in the dme= sg, but disabling the driver wouldn't be a good idea. > > > > > The TP-Link MR6400 V1 LTE modem and also some ZTE modems integrat= ed in routers do use this protocol. > > > > >=20 > > > > > We may also distinguish between these cases and devices you might= plug in - as they pose different risk levels. > > > >=20 > > > > Again, you have to fully trust the other side of an RNDIS connectio= n, > > > > any hints on how to have the kernel determine that? > >=20 > > > it is a network protocol. So this statement is kind of odd. > > > Are you saying that there are RNDIS messages that cannot be verified > > > for some reason, that still cannot be disclosed? > >=20 > > Agree, it's also just a USB device, so no special trickery with DMA, > > shared buffers, etc. > >=20 > > I mean, yeah, the RNDIS code is really old and almost certainly has a > > severe lack of input validation, but that still doesn't mean it's > > fundamentally impossible. >=20 > You all are going to make me have to write some exploits aren't you... This is getting a bit childish. Nobody ever said that wasn't possible, in fact I did say exactly above that I'm sure since it's old and all it lacks input validation. So yeah, I full well believe that you can write exploits for it. All we said is that your statement of "RNDIS is fundamentally unfixable" doesn't make a lot of sense. If this were the case, all USB drivers would have to "trust the other side" as well, right? johannes