From: Greg KH <gregkh@linuxfoundation.org>
To: Sebastian Josue Alba Vives <sebasjosue84@gmail.com>
Cc: security@kernel.org, shuah@kernel.org, stable@vger.kernel.org
Subject: Re: [SECURITY] usbip: vhci: heap buffer overflow via crafted number_of_packets in RET_SUBMIT
Date: Sun, 29 Mar 2026 15:24:03 +0200 [thread overview]
Message-ID: <2026032939-salt-cod-3bc2@gregkh> (raw)
In-Reply-To: <20260329125437.517980-1-sebasjosue84@gmail.com>
On Sun, Mar 29, 2026 at 06:53:32AM -0600, Sebastian Josue Alba Vives wrote:
> A malicious USB/IP server can send a RET_SUBMIT response with
> number_of_packets larger than the original URB allocation, causing
> usbip_recv_iso() and usbip_pad_iso() to write beyond
> urb->iso_frame_desc[], overflowing the kernel heap.
Ok, this is just getting funny now...
What is the AI prompt that you all are using to "find" these usbip
"security bugs"? This is like the 3rd or 4th "report" of this in the
past week or so.
Anyway, as always, the usbip connection is considered "trusted", never
connect to a usbip device you do not trust (on either side), and patches
for this where invalid packets are sent are always appreciated.
Note, patches for this have been sent on the linux-usb mailing list in
the past few days, so you might want to have checked there first to be
sure you didn't create the same thing that others have already
submitted.
thanks,
greg k-h
next prev parent reply other threads:[~2026-03-29 13:25 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-29 12:53 [SECURITY] usbip: vhci: heap buffer overflow via crafted number_of_packets in RET_SUBMIT Sebastian Josue Alba Vives
2026-03-29 12:53 ` [PATCH] usbip: vhci: validate number_of_packets in RET_SUBMIT response Sebastian Josue Alba Vives
2026-03-29 13:25 ` Greg KH
2026-03-29 13:17 ` [SECURITY] usbip: iso_frame_desc OOB memmove via crafted offset/length Sebastian Josue Alba Vives
2026-03-29 13:17 ` [PATCH] usbip: validate iso_frame_desc offset and length in usbip_recv_iso() Sebastian Josue Alba Vives
2026-03-29 13:24 ` Greg KH [this message]
2026-03-29 13:34 ` [SECURITY] usbip: vhci: heap buffer overflow via crafted number_of_packets in RET_SUBMIT Sebastián Alba
2026-03-29 13:50 ` Greg KH
2026-03-29 13:53 ` Sebastián Alba
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2026032939-salt-cod-3bc2@gregkh \
--to=gregkh@linuxfoundation.org \
--cc=sebasjosue84@gmail.com \
--cc=security@kernel.org \
--cc=shuah@kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox