Date: Sun, 29 Mar 2026 15:24:03 +0200
From: Greg KH
To: Sebastian Josue Alba Vives
Cc: security@kernel.org, shuah@kernel.org, stable@vger.kernel.org
Subject: Re: [SECURITY] usbip: vhci: heap buffer overflow via crafted number_of_packets in RET_SUBMIT
Message-ID: <2026032939-salt-cod-3bc2@gregkh>
References: <20260329125437.517980-1-sebasjosue84@gmail.com>
In-Reply-To: <20260329125437.517980-1-sebasjosue84@gmail.com>
X-Mailing-List: stable@vger.kernel.org

On Sun, Mar 29, 2026 at 06:53:32AM -0600, Sebastian Josue Alba Vives wrote:
> A malicious USB/IP server can send a RET_SUBMIT response with
> number_of_packets larger than the original URB allocation, causing
> usbip_recv_iso() and usbip_pad_iso() to write beyond
> urb->iso_frame_desc[], overflowing the kernel heap.

Ok, this is just getting funny now...

What is the AI prompt that you all are using to "find" these usbip
"security bugs"? This is like the 3rd or 4th "report" of this in the
past week or so.

Anyway, as always, the usbip connection is considered "trusted", never
connect to a usbip device you do not trust (on either side), and patches
for this where invalid packets are sent are always appreciated.

Note, patches for this have been sent on the linux-usb mailing list in
the past few days, so you might want to have checked there first to be
sure you didn't create the same thing that others have already
submitted.

thanks,

greg k-h
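
A userspace model of the bounds check that the quoted report says is missing, added here as an example; it is not kernel code and not from either participant in the thread. The struct and function names and the remembered `allocated_packets` field are assumptions of the model.

```c
/* Userspace model, not kernel code; every name below is hypothetical. */
#include <arpa/inet.h>
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

struct iso_desc { uint32_t offset, length, actual_length, status; };

struct model_urb {
    int allocated_packets;   /* assumption: slot count fixed at submit time */
    int number_of_packets;   /* slots the receive path will walk */
    struct iso_desc iso_frame_desc[];
};

static struct model_urb *model_urb_alloc(int npackets)
{
    struct model_urb *u = calloc(1, sizeof(*u) +
                                 (size_t)npackets * sizeof(struct iso_desc));
    if (u)
        u->allocated_packets = u->number_of_packets = npackets;
    return u;
}

/* Adopt the peer's count only if it fits the original allocation, then copy
 * that many descriptors. wire_count is big-endian as received; per-field
 * byte swapping of the descriptors is left out of this model. */
static int model_recv_iso(struct model_urb *u, uint32_t wire_count,
                          const struct iso_desc *wire, size_t wire_len)
{
    int32_t n = (int32_t)ntohl(wire_count);

    if (n < 0 || n > u->allocated_packets)
        return -EPROTO;      /* count would index past iso_frame_desc[] */
    if (wire_len < (size_t)n * sizeof(*wire))
        return -EPROTO;      /* payload shorter than the count claims */
    u->number_of_packets = n;
    if (n > 0)
        memcpy(u->iso_frame_desc, wire, (size_t)n * sizeof(*wire));
    return n;
}

int main(void)
{
    struct iso_desc wire[8] = {{0}};
    struct model_urb *u = model_urb_alloc(4);
    int rc = u ? model_recv_iso(u, htonl(8), wire, sizeof(wire)) : -ENOMEM;
    free(u);
    return rc == -EPROTO ? 0 : 1;   /* oversized count must be rejected */
}
```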