From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Secunia Research <vuln@secunia.com>,
Shuah Khan <shuahkh@osg.samsung.com>
Subject: [PATCH 4.4 02/74] usbip: prevent vhci_hcd driver from leaking a socket pointer address
Date: Mon, 29 Jan 2018 13:56:07 +0100 [thread overview]
Message-ID: <20180129123847.617716392@linuxfoundation.org> (raw)
In-Reply-To: <20180129123847.507563674@linuxfoundation.org>
4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shuah Khan <shuahkh@osg.samsung.com>
commit 2f2d0088eb93db5c649d2a5e34a3800a8a935fc5 upstream.
When a client has a USB device attached over IP, the vhci_hcd driver is
locally leaking a socket pointer address via the
/sys/devices/platform/vhci_hcd/status file (world-readable) and in debug
output when "usbip --debug port" is run.
Fix it to not leak. The socket pointer address is not used at the moment
and it was made visible as a convenient way to find IP address from socket
pointer address by looking up /proc/net/{tcp,tcp6}.
As this opens a security hole, the fix replaces socket pointer address with
sockfd.
Reported-by: Secunia Research <vuln@secunia.com>
Signed-off-by: Shuah Khan <shuahkh@osg.samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/usbip/usbip_common.h | 1 +
drivers/usb/usbip/vhci_sysfs.c | 25 +++++++++++++++----------
tools/usb/usbip/libsrc/vhci_driver.c | 8 ++++----
3 files changed, 20 insertions(+), 14 deletions(-)
--- a/drivers/usb/usbip/usbip_common.h
+++ b/drivers/usb/usbip/usbip_common.h
@@ -261,6 +261,7 @@ struct usbip_device {
/* lock for status */
spinlock_t lock;
+ int sockfd;
struct socket *tcp_socket;
struct task_struct *tcp_rx;
--- a/drivers/usb/usbip/vhci_sysfs.c
+++ b/drivers/usb/usbip/vhci_sysfs.c
@@ -39,16 +39,20 @@ static ssize_t status_show(struct device
/*
* output example:
- * prt sta spd dev socket local_busid
- * 000 004 000 000 c5a7bb80 1-2.3
- * 001 004 000 000 d8cee980 2-3.4
+ * port sta spd dev sockfd local_busid
+ * 0000 004 000 00000000 000003 1-2.3
+ * 0001 004 000 00000000 000004 2-3.4
*
- * IP address can be retrieved from a socket pointer address by looking
- * up /proc/net/{tcp,tcp6}. Also, a userland program may remember a
- * port number and its peer IP address.
+ * Output includes socket fd instead of socket pointer address to
+ * avoid leaking kernel memory address in:
+ * /sys/devices/platform/vhci_hcd.0/status and in debug output.
+ * The socket pointer address is not used at the moment and it was
+ * made visible as a convenient way to find IP address from socket
+ * pointer address by looking up /proc/net/{tcp,tcp6}. As this opens
+ * a security hole, the change is made to use sockfd instead.
*/
out += sprintf(out,
- "prt sta spd bus dev socket local_busid\n");
+ "prt sta spd bus dev sockfd local_busid\n");
for (i = 0; i < VHCI_NPORTS; i++) {
struct vhci_device *vdev = port_to_vdev(i);
@@ -60,11 +64,11 @@ static ssize_t status_show(struct device
out += sprintf(out, "%03u %08x ",
vdev->speed, vdev->devid);
out += sprintf(out, "%16p ", vdev->ud.tcp_socket);
+ out += sprintf(out, "%06u", vdev->ud.sockfd);
out += sprintf(out, "%s", dev_name(&vdev->udev->dev));
- } else {
- out += sprintf(out, "000 000 000 0000000000000000 0-0");
- }
+ } else
+ out += sprintf(out, "000 000 000 000000 0-0");
out += sprintf(out, "\n");
spin_unlock(&vdev->ud.lock);
@@ -223,6 +227,7 @@ static ssize_t store_attach(struct devic
vdev->devid = devid;
vdev->speed = speed;
+ vdev->ud.sockfd = sockfd;
vdev->ud.tcp_socket = socket;
vdev->ud.status = VDEV_ST_NOTASSIGNED;
--- a/tools/usb/usbip/libsrc/vhci_driver.c
+++ b/tools/usb/usbip/libsrc/vhci_driver.c
@@ -55,12 +55,12 @@ static int parse_status(const char *valu
while (*c != '\0') {
int port, status, speed, devid;
- unsigned long socket;
+ int sockfd;
char lbusid[SYSFS_BUS_ID_SIZE];
- ret = sscanf(c, "%d %d %d %x %lx %31s\n",
+ ret = sscanf(c, "%d %d %d %x %u %31s\n",
&port, &status, &speed,
- &devid, &socket, lbusid);
+ &devid, &sockfd, lbusid);
if (ret < 5) {
dbg("sscanf failed: %d", ret);
@@ -69,7 +69,7 @@ static int parse_status(const char *valu
dbg("port %d status %d speed %d devid %x",
port, status, speed, devid);
- dbg("socket %lx lbusid %s", socket, lbusid);
+ dbg("sockfd %u lbusid %s", sockfd, lbusid);
/* if a device is connected, look at it */
next prev parent reply other threads:[~2018-01-29 20:12 UTC|newest]
Thread overview: 90+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-01-29 12:56 [PATCH 4.4 00/74] 4.4.114-stable review Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 4.4 01/74] x86/asm/32: Make sync_core() handle missing CPUID on all 32-bit kernels Greg Kroah-Hartman
2018-01-29 12:56 ` Greg Kroah-Hartman [this message]
2018-02-03 8:30 ` [PATCH 4.4 02/74] usbip: prevent vhci_hcd driver from leaking a socket pointer address Eric Biggers
2018-02-05 14:58 ` Shuah Khan
2018-01-29 12:56 ` [PATCH 4.4 03/74] usbip: Fix implicit fallthrough warning Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 4.4 04/74] usbip: Fix potential format overflow in userspace tools Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 4.4 05/74] x86/microcode/intel: Fix BDW late-loading revision check Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 4.4 06/74] x86/cpu/intel: Introduce macros for Intel family numbers Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 4.4 07/74] x86/retpoline: Fill RSB on context switch for affected CPUs Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 4.4 08/74] sched/deadline: Use the revised wakeup rule for suspending constrained dl tasks Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 4.4 09/74] can: af_can: can_rcv(): replace WARN_ONCE by pr_warn_once Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 4.4 10/74] can: af_can: canfd_rcv(): " Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 4.4 11/74] PM / sleep: declare __tracedata symbols as char[] rather than char Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 4.4 12/74] time: Avoid undefined behaviour in ktime_add_safe() Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 4.4 13/74] timers: Plug locking race vs. timer migration Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 4.4 14/74] Prevent timer value 0 for MWAITX Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 4.4 15/74] drivers: base: cacheinfo: fix x86 with CONFIG_OF enabled Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 4.4 16/74] drivers: base: cacheinfo: fix boot error message when acpi is enabled Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 4.4 17/74] PCI: layerscape: Add "fsl,ls2085a-pcie" compatible ID Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 4.4 18/74] PCI: layerscape: Fix MSG TLP drop setting Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 4.4 19/74] mmc: sdhci-of-esdhc: add/remove some quirks according to vendor version Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 4.4 20/74] fs/select: add vmalloc fallback for select(2) Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 4.4 21/74] mm/mmap.c: do not blow on PROT_NONE MAP_FIXED holes in the stack Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 4.4 22/74] hwpoison, memcg: forcibly uncharge LRU pages Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 4.4 23/74] cma: fix calculation of aligned offset Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 4.4 24/74] mm, page_alloc: fix potential false positive in __zone_watermark_ok Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 4.4 25/74] ipc: msg, make msgrcv work with LONG_MIN Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 4.4 26/74] x86/ioapic: Fix incorrect pointers in ioapic_setup_resources() Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 4.4 27/74] ACPI / processor: Avoid reserving IO regions too early Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 4.4 28/74] ACPI / scan: Prefer devices without _HID/_CID for _ADR matching Greg Kroah-Hartman
2018-02-01 8:46 ` Jiri Slaby
2018-02-01 8:57 ` Jiri Slaby
2018-02-01 10:29 ` Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 4.4 29/74] ACPICA: Namespace: fix operand cache leak Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 4.4 30/74] netfilter: x_tables: speed up jump target validation Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 4.4 31/74] netfilter: arp_tables: fix invoking 32bit "iptable -P INPUT ACCEPT" failed in 64bit kernel Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 4.4 32/74] netfilter: nf_dup_ipv6: set again FLOWI_FLAG_KNOWN_NH at flowi6_flags Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 4.4 33/74] netfilter: nf_ct_expect: remove the redundant slash when policy name is empty Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 4.4 34/74] netfilter: nfnetlink_queue: reject verdict request from different portid Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 4.4 35/74] netfilter: restart search if moved to other chain Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 4.4 36/74] netfilter: nf_conntrack_sip: extend request line validation Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 4.4 37/74] netfilter: use fwmark_reflect in nf_send_reset Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 4.4 38/74] netfilter: fix IS_ERR_VALUE usage Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 4.4 39/74] netfilter: nfnetlink_cthelper: Add missing permission checks Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 4.4 40/74] netfilter: xt_osf: " Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 4.4 41/74] ext2: Dont clear SGID when inheriting ACLs Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 4.4 42/74] reiserfs: fix race in prealloc discard Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 4.4 43/74] reiserfs: dont preallocate blocks for extended attributes Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 4.4 44/74] reiserfs: Dont clear SGID when inheriting ACLs Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 4.4 45/74] fs/fcntl: f_setown, avoid undefined behaviour Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 4.4 46/74] scsi: libiscsi: fix shifting of DID_REQUEUE host byte Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 4.4 47/74] Revert "module: Add retpoline tag to VERMAGIC" Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 4.4 48/74] Input: trackpoint - force 3 buttons if 0 button is reported Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 4.4 49/74] usb: usbip: Fix possible deadlocks reported by lockdep Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 4.4 50/74] usbip: fix stub_rx: get_pipe() to validate endpoint number Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 4.4 51/74] usbip: fix stub_rx: harden CMD_SUBMIT path to handle malicious input Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 4.4 52/74] usbip: prevent leaking socket pointer address in messages Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 4.4 53/74] um: link vmlinux with -no-pie Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 4.4 54/74] vsyscall: Fix permissions for emulate mode with KAISER/PTI Greg Kroah-Hartman
2018-01-29 12:57 ` [PATCH 4.4 55/74] eventpoll.h: add missing epoll event masks Greg Kroah-Hartman
2018-01-29 12:57 ` [PATCH 4.4 56/74] x86/microcode/intel: Extend BDW late-loading further with LLC size check Greg Kroah-Hartman
2018-01-29 12:57 ` [PATCH 4.4 57/74] hrtimer: Reset hrtimer cpu base proper on CPU hotplug Greg Kroah-Hartman
2018-01-29 12:57 ` [PATCH 4.4 58/74] dccp: dont restart ccid2_hc_tx_rto_expire() if sk in closed state Greg Kroah-Hartman
2018-01-29 12:57 ` [PATCH 4.4 59/74] ipv6: Fix getsockopt() for sockets with default IPV6_AUTOFLOWLABEL Greg Kroah-Hartman
2018-01-29 12:57 ` [PATCH 4.4 60/74] ipv6: fix udpv6 sendmsg crash caused by too small MTU Greg Kroah-Hartman
2018-02-19 19:46 ` Ben Hutchings
2018-02-19 19:52 ` Ben Hutchings
2018-02-19 20:06 ` Eric Dumazet
2018-01-29 12:57 ` [PATCH 4.4 61/74] ipv6: ip6_make_skb() needs to clear cork.base.dst Greg Kroah-Hartman
2018-01-29 12:57 ` [PATCH 4.4 62/74] lan78xx: Fix failure in USB Full Speed Greg Kroah-Hartman
2018-01-29 12:57 ` [PATCH 4.4 63/74] net: igmp: fix source address check for IGMPv3 reports Greg Kroah-Hartman
2018-01-30 13:22 ` Florian Wolters
2018-01-30 13:33 ` Greg Kroah-Hartman
2018-01-29 12:57 ` [PATCH 4.4 64/74] tcp: __tcp_hdrlen() helper Greg Kroah-Hartman
2018-01-29 12:57 ` [PATCH 4.4 65/74] net: qdisc_pkt_len_init() should be more robust Greg Kroah-Hartman
2018-01-29 12:57 ` [PATCH 4.4 66/74] pppoe: take ->needed_headroom of lower device into account on xmit Greg Kroah-Hartman
2018-01-29 12:57 ` [PATCH 4.4 67/74] r8169: fix memory corruption on retrieval of hardware statistics Greg Kroah-Hartman
2018-01-29 12:57 ` [PATCH 4.4 68/74] sctp: do not allow the v4 socket to bind a v4mapped v6 address Greg Kroah-Hartman
2018-01-29 12:57 ` [PATCH 4.4 69/74] sctp: return error if the asoc has been peeled off in sctp_wait_for_sndbuf Greg Kroah-Hartman
2018-01-29 12:57 ` [PATCH 4.4 70/74] vmxnet3: repair memory leak Greg Kroah-Hartman
2018-01-29 12:57 ` [PATCH 4.4 71/74] net: Allow neigh contructor functions ability to modify the primary_key Greg Kroah-Hartman
2018-01-29 12:57 ` [PATCH 4.4 72/74] ipv4: Make neigh lookup keys for loopback/point-to-point devices be INADDR_ANY Greg Kroah-Hartman
2018-01-29 12:57 ` [PATCH 4.4 73/74] flow_dissector: properly cap thoff field Greg Kroah-Hartman
2018-01-29 12:57 ` [PATCH 4.4 74/74] net: tcp: close sock if net namespace is exiting Greg Kroah-Hartman
2018-01-29 21:30 ` [PATCH 4.4 00/74] 4.4.114-stable review Nathan Chancellor
2018-01-30 7:37 ` Greg Kroah-Hartman
2018-01-29 23:57 ` Shuah Khan
2018-01-30 10:05 ` Naresh Kamboju
2018-01-30 14:20 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180129123847.617716392@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=shuahkh@osg.samsung.com \
--cc=stable@vger.kernel.org \
--cc=vuln@secunia.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).