linux-stable.git/drivers/staging/usbip, branch linux-3.14.y Linux kernel stable tree USB: usbip: fix potential out-of-bounds write 2016-05-04T21:51:25+00:00 Ignat Korchagin ignat.korchagin@gmail.com 2016-03-17T18:00:29+00:00 c9104ee05af3ecb2943872287da3d576b145c55f commit b348d7dddb6c4fbfc810b7a0626e8ec9e29f7cbb upstream. Fix potential out-of-bounds write to urb->transfer_buffer usbip handles network communication directly in the kernel. When receiving a packet from its peer, usbip code parses headers according to protocol. As part of this parsing urb->actual_length is filled. Since the input for urb->actual_length comes from the network, it should be treated as untrusted. Any entity controlling the network may put any value in the input and the preallocated urb->transfer_buffer may not be large enough to hold the data. Thus, the malicious entity is able to write arbitrary data to kernel memory. Signed-off-by: Ignat Korchagin <ignat.korchagin@gmail.com> Cc: Sasha Levin <sasha.levin@oracle.com> Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
commit b348d7dddb6c4fbfc810b7a0626e8ec9e29f7cbb upstream.

Fix potential out-of-bounds write to urb->transfer_buffer
usbip handles network communication directly in the kernel. When receiving a
packet from its peer, usbip code parses headers according to protocol. As
part of this parsing urb->actual_length is filled. Since the input for
urb->actual_length comes from the network, it should be treated as untrusted.
Any entity controlling the network may put any value in the input and the
preallocated urb->transfer_buffer may not be large enough to hold the data.
Thus, the malicious entity is able to write arbitrary data to kernel memory.

Signed-off-by: Ignat Korchagin <ignat.korchagin@gmail.com>
Cc: Sasha Levin <sasha.levin@oracle.com>
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
usbip/userspace/libsrc/names.c: memory leak 2014-02-07T19:08:46+00:00 Heinrich Schuchardt xypron.glpk@gmx.de 2014-01-28T20:16:46+00:00 2a7470d9ffe506ff895f4a27dcf3840cb3ea097f revised patch p is freed if NULL. p is leaked if second calloc fails. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
revised patch

p is freed if NULL.
p is leaked if second calloc fails.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
staging/usbip: Fix vhci_hcd attach failure error message to be informative 2014-02-07T17:15:35+00:00 Shuah Khan shuah.kh@samsung.com 2014-01-22T16:38:14+00:00 8360fb0d9c21283e6fc12c43ce9ad81d1f9cffef When attach fails due to unsupported and/or invalid bus speed, the message vhci_hcd prints out doesn't include any useful information as to what caused the failure. Change the message to be informative and use usb_speed_string() to get the right speed string from usb common. Signed-off-by: Shuah Khan <shuah.kh@samsung.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
When attach fails due to unsupported and/or invalid bus speed, the message
vhci_hcd prints out doesn't include any useful information as to what caused
the failure. Change the message to be informative and use usb_speed_string()
to get the right speed string from usb common.

Signed-off-by: Shuah Khan <shuah.kh@samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2014-01-23T05:21:55+00:00 Linus Torvalds torvalds@linux-foundation.org 2014-01-23T05:21:55+00:00 bb1281f2aae08e5ef23eb0692c8833e95579cdf2 Pull trivial tree updates from Jiri Kosina: "Usual rocket science stuff from trivial.git" * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial: (39 commits) neighbour.h: fix comment sched: Fix warning on make htmldocs caused by wait.h slab: struct kmem_cache is protected by slab_mutex doc: Fix typo in USB Gadget Documentation of/Kconfig: Spelling s/one/once/ mkregtable: Fix sscanf handling lp5523, lp8501: comment improvements thermal: rcar: comment spelling treewide: fix comments and printk msgs IXP4xx: remove '1 &&' from a condition check in ixp4xx_restart() Documentation: update /proc/uptime field description Documentation: Fix size parameter for snprintf arm: fix comment header and macro name asm-generic: uaccess: Spelling s/a ny/any/ mtd: onenand: fix comment header doc: driver-model/platform.txt: fix a typo drivers: fix typo in DEVTMPFS_MOUNT Kconfig help text doc: Fix typo (acces_process_vm -> access_process_vm) treewide: Fix typos in printk drivers/gpu/drm/qxl/Kconfig: reformat the help text ... 
Pull trivial tree updates from Jiri Kosina:
 "Usual rocket science stuff from trivial.git"

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial: (39 commits)
  neighbour.h: fix comment
  sched: Fix warning on make htmldocs caused by wait.h
  slab: struct kmem_cache is protected by slab_mutex
  doc: Fix typo in USB Gadget Documentation
  of/Kconfig: Spelling s/one/once/
  mkregtable: Fix sscanf handling
  lp5523, lp8501: comment improvements
  thermal: rcar: comment spelling
  treewide: fix comments and printk msgs
  IXP4xx: remove '1 &&' from a condition check in ixp4xx_restart()
  Documentation: update /proc/uptime field description
  Documentation: Fix size parameter for snprintf
  arm: fix comment header and macro name
  asm-generic: uaccess: Spelling s/a ny/any/
  mtd: onenand: fix comment header
  doc: driver-model/platform.txt: fix a typo
  drivers: fix typo in DEVTMPFS_MOUNT Kconfig help text
  doc: Fix typo (acces_process_vm -> access_process_vm)
  treewide: Fix typos in printk
  drivers/gpu/drm/qxl/Kconfig: reformat the help text
  ...
staging: usbip: userspace: add support for viewing imported devices 2014-01-09T16:44:01+00:00 Valentina Manea valentina.manea.m@gmail.com 2014-01-07T19:05:56+00:00 ec2ff62746325b0d889bc632c9b833aa92cf3eda As of Matt Mooney's major refactoring in 2011, usbip port option was left out. Add support for this option in a manner similar to the old implementation. Sample output: Imported USB devices ==================== Port 00: <Port in Use> at Full Speed(12Mbps) unknown vendor : unknown product (1687:6211) 2-1 -> usbip://192.168.122.152:3240/1-1 -> remote bus/dev 001/002 Signed-off-by: Valentina Manea <valentina.manea.m@gmail.com> Reviewed-by: Ilija Hadzic <ihadzic@research.bell-labs.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
As of Matt Mooney's major refactoring in 2011, usbip port
option was left out. Add support for this option in
a manner similar to the old implementation.

Sample output:

Imported USB devices
====================
Port 00: <Port in Use> at Full Speed(12Mbps)
       unknown vendor : unknown product (1687:6211)
       2-1 -> usbip://192.168.122.152:3240/1-1
           -> remote bus/dev 001/002

Signed-off-by: Valentina Manea <valentina.manea.m@gmail.com>
Reviewed-by: Ilija Hadzic <ihadzic@research.bell-labs.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Merge branch 'master' into for-next 2013-12-19T14:08:32+00:00 Jiri Kosina jkosina@suse.cz 2013-12-19T14:08:03+00:00 e23c34bb41da65f354fb7eee04300c56ee48f60c Sync with Linus' tree to be able to apply fixes on top of newer things in tree (efi-stub). Signed-off-by: Jiri Kosina <jkosina@suse.cz> 
Sync with Linus' tree to be able to apply fixes on top of newer things
in tree (efi-stub).

Signed-off-by: Jiri Kosina <jkosina@suse.cz>
usbip: Fix sscanf handling 2013-12-18T01:07:13+00:00 Alan gnomes@lxorguk.ukuu.org.uk 2013-12-11T18:32:59+00:00 2d32927127f44d755780aa5fa88c8c34e72558f8 Scan only to the length permitted by the buffer One of a set of sscanf problems noted by Jackie Chang Signed-off-by: Alan Cox <alan@linux.intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
Scan only to the length permitted by the buffer

One of a set of sscanf problems noted by Jackie Chang

Signed-off-by: Alan Cox <alan@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
staging: usbip: Remove double initialization of msg_namelen variable 2013-12-16T12:20:39+00:00 Sankha Narayan Guria sankha93@gmail.com 2013-12-16T06:25:43+00:00 b481c2cb3534c85dca625973b33eba15f9af3e4c This removes the double initialization of the msg_namelen variable. Signed-off-by: Sankha Narayan Guria <sankha93@gmail.com> Signed-off-by: Jiri Kosina <jkosina@suse.cz> 
This removes the double initialization of the msg_namelen variable.

Signed-off-by: Sankha Narayan Guria <sankha93@gmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Staging: usbip: vhci_hcd.c: removed a space 2013-12-03T17:15:02+00:00 Aldo Iljazi mail@aldo.io 2013-12-02T13:22:29+00:00 909cc6f9fa70bb8f4b183f62c6d095f2ad53deb8 Line 921: Removed the space before the semicolon. Signed-off-by: Aldo Iljazi <mail@aldo.io> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
Line 921: Removed the space before the semicolon.

Signed-off-by: Aldo Iljazi <mail@aldo.io>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
staging: usbip: Remove superfluous name cast 2013-11-19T23:30:33+00:00 Geert Uytterhoeven geert@linux-m68k.org 2013-11-12T19:07:21+00:00 6fafecb90c9ed2cca8ed450fed693095c0160dc2 platform_device.name is "const char *" Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
platform_device.name is "const char *"

Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>