From: Greg KH <gregkh@linuxfoundation.org>
To: Sebastian Josue Alba Vives <sebasjosue84@gmail.com>
Cc: security@kernel.org, shuah@kernel.org, stable@vger.kernel.org
Subject: Re: [PATCH] usbip: vhci: validate number_of_packets in RET_SUBMIT response
Date: Sun, 29 Mar 2026 15:25:23 +0200 [thread overview]
Message-ID: <2026032940-corny-cursive-c360@gregkh> (raw)
In-Reply-To: <20260329125437.517980-2-sebasjosue84@gmail.com>
On Sun, Mar 29, 2026 at 06:53:33AM -0600, Sebastian Josue Alba Vives wrote:
> From: Sebastián Alba Vives <sebasjosue84@gmail.com>
>
> vhci_recv_ret_submit() calls usbip_pack_pdu() which overwrites
> urb->number_of_packets with the value from the network PDU reply
> without any validation. A malicious USB/IP server can set
> number_of_packets to a value larger than the original URB allocation,
> causing usbip_recv_iso() and usbip_pad_iso() to access
> urb->iso_frame_desc[] entries beyond the allocated array.
>
> This leads to a heap buffer overflow in kernel memory, reachable over
> the network without authentication.
>
> The attack chain is:
> 1. Client sends isochronous URB with number_of_packets = N
> 2. Server replies with number_of_packets = N' >> N
> 3. usbip_pack_pdu() blindly copies N' into urb->number_of_packets
> 4. usbip_recv_iso() loops N' times over iso_frame_desc[N] → OOB
> 5. usbip_pad_iso() also loops N' times → second OOB
>
> Save the original number_of_packets before usbip_pack_pdu() and
> validate the returned value does not exceed it. Also add a defensive
> bounds check in usbip_recv_iso() against USBIP_MAX_ISO_PACKETS and
> use array_size() to prevent integer overflow in the allocation.
>
> Note that stub_rx.c already validates number_of_packets against
> USBIP_MAX_ISO_PACKETS for CMD_SUBMIT on the server side, but no
> equivalent validation existed on the client side for RET_SUBMIT.
>
> Cc: stable@vger.kernel.org
> Signed-off-by: Sebastián Alba Vives <sebasjosue84@gmail.com>
> ---
> drivers/usb/usbip/usbip_common.c | 18 ++++++++++++++----
> drivers/usb/usbip/vhci_rx.c | 27 +++++++++++++++++++++++++++
> 2 files changed, 41 insertions(+), 4 deletions(-)
Please see this series:
https://lore.kernel.org/r/20260325104841.8282-1-addcontent08@gmail.com
and this follow-on:
https://lore.kernel.org/r/20260327064449.735-1-nathan.c.rebello@gmail.com
and if both of your patches are still relevant after applying them,
great, send them on as a follow-on patch please.
thanks,
greg k-h
next prev parent reply other threads:[~2026-03-29 13:26 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-29 12:53 [SECURITY] usbip: vhci: heap buffer overflow via crafted number_of_packets in RET_SUBMIT Sebastian Josue Alba Vives
2026-03-29 12:53 ` [PATCH] usbip: vhci: validate number_of_packets in RET_SUBMIT response Sebastian Josue Alba Vives
2026-03-29 13:25 ` Greg KH [this message]
2026-03-29 13:17 ` [SECURITY] usbip: iso_frame_desc OOB memmove via crafted offset/length Sebastian Josue Alba Vives
2026-03-29 13:17 ` [PATCH] usbip: validate iso_frame_desc offset and length in usbip_recv_iso() Sebastian Josue Alba Vives
2026-03-29 13:24 ` [SECURITY] usbip: vhci: heap buffer overflow via crafted number_of_packets in RET_SUBMIT Greg KH
2026-03-29 13:34 ` Sebastián Alba
2026-03-29 13:50 ` Greg KH
2026-03-29 13:53 ` Sebastián Alba
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2026032940-corny-cursive-c360@gregkh \
--to=gregkh@linuxfoundation.org \
--cc=sebasjosue84@gmail.com \
--cc=security@kernel.org \
--cc=shuah@kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox