linux-stable.git/drivers/usb/core/devio.c, branch v3.14.44 Linux kernel stable tree USB: usbfs: don't leak kernel data in siginfo 2015-03-18T12:31:28+00:00 Alan Stern stern@rowland.harvard.edu 2015-02-13T15:54:53+00:00 db23dc4e4b18f389edde0ceed5e91d9bfd0aeda7 commit f0c2b68198589249afd2b1f2c4e8de8c03e19c16 upstream. When a signal is delivered, the information in the siginfo structure is copied to userspace. Good security practice dicatates that the unused fields in this structure should be initialized to 0 so that random kernel stack data isn't exposed to the user. This patch adds such an initialization to the two places where usbfs raises signals. Signed-off-by: Alan Stern <stern@rowland.harvard.edu> Reported-by: Dave Mielke <dave@mielke.cc> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
commit f0c2b68198589249afd2b1f2c4e8de8c03e19c16 upstream.

When a signal is delivered, the information in the siginfo structure
is copied to userspace.  Good security practice dicatates that the
unused fields in this structure should be initialized to 0 so that
random kernel stack data isn't exposed to the user.  This patch adds
such an initialization to the two places where usbfs raises signals.

Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Reported-by: Dave Mielke <dave@mielke.cc>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
USB: devio: fix issue with log flooding 2014-09-05T23:34:12+00:00 Oliver Neukum oneukum@suse.de 2014-08-01T07:55:20+00:00 55d90311ecef6ea616d44bca7efc6b395308351b commit d310d05f1225d1f6f2bf505255fdf593bfbb3051 upstream. usbfs allows user space to pass down an URB which sets URB_SHORT_NOT_OK for output URBs. That causes usbcore to log messages without limit for a nonsensical disallowed combination. The fix is to silently drop the attribute in usbfs. The problem is reported to exist since 3.14 https://www.virtualbox.org/ticket/13085 Signed-off-by: Oliver Neukum <oneukum@suse.de> Acked-by: Alan Stern <stern@rowland.harvard.edu> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
commit d310d05f1225d1f6f2bf505255fdf593bfbb3051 upstream.

usbfs allows user space to pass down an URB which sets URB_SHORT_NOT_OK
for output URBs. That causes usbcore to log messages without limit
for a nonsensical disallowed combination. The fix is to silently drop
the attribute in usbfs.
The problem is reported to exist since 3.14
https://www.virtualbox.org/ticket/13085

Signed-off-by: Oliver Neukum <oneukum@suse.de>
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
USB: core: correct spelling mistakes in comments and warning 2014-01-08T00:17:40+00:00 Rahul Bedarkar rahulbedarkar89@gmail.com 2014-01-04T05:54:41+00:00 025d44309f92bd5e3d1b2c7fab66836ab25b541b Signed-off-by: Rahul Bedarkar <rahulbedarkar89@gmail.com> Acked-by: Randy Dunlap <rdunlap@infradead.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
Signed-off-by: Rahul Bedarkar <rahulbedarkar89@gmail.com>
Acked-by: Randy Dunlap <rdunlap@infradead.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
drivers: usb: core: devio.c: Spaces to tabs for proc_control_compat() 2013-10-16T20:38:37+00:00 Matthias Beyer mail@beyermatthias.de 2013-10-14T19:46:37+00:00 06793f2d0cf9daabeeb5b024d4bf7082dcc71505 Replaced spaces by tabs for proc_control_compat() function. Signed-off-by: Matthias Beyer <mail@beyermatthias.de> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
Replaced spaces by tabs for proc_control_compat() function.

Signed-off-by: Matthias Beyer <mail@beyermatthias.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
drivers: usb: core: devio.c: Spaces to tabs for proc_reapurbnonblock() 2013-10-16T20:38:37+00:00 Matthias Beyer mail@beyermatthias.de 2013-10-14T19:46:36+00:00 5b32c385bef17fd3d3b8ce7d5af2ee2aa2225ff5 Replaced spaces by tabs for proc_reapurbnonblock() function. Signed-off-by: Matthias Beyer <mail@beyermatthias.de> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
Replaced spaces by tabs for proc_reapurbnonblock() function.

Signed-off-by: Matthias Beyer <mail@beyermatthias.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Merge 3.12-rc3 into usb-next 2013-09-30T01:45:55+00:00 Greg Kroah-Hartman gregkh@linuxfoundation.org 2013-09-30T01:45:55+00:00 df9b17f5868bdafd46cad18b08f1e70fa22b8854 We want the USB fixes in here as well. Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
We want the USB fixes in here as well.

Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
usb/core/devio.c: Don't reject control message to endpoint with wrong direction bit 2013-09-26T00:30:39+00:00 Kurt Garloff kurt@garloff.de 2013-09-24T12:13:48+00:00 831abf76643555a99b80a3b54adfa7e4fa0a3259 Trying to read data from the Pegasus Technologies NoteTaker (0e20:0101) [1] with the Windows App (EasyNote) works natively but fails when Windows is running under KVM (and the USB device handed to KVM). The reason is a USB control message usb 4-2.2: control urb: bRequestType=22 bRequest=09 wValue=0200 wIndex=0001 wLength=0008 This goes to endpoint address 0x01 (wIndex); however, endpoint address 0x01 does not exist. There is an endpoint 0x81 though (same number, but other direction); the app may have meant that endpoint instead. The kernel thus rejects the IO and thus we see the failure. Apparently, Linux is more strict here than Windows ... we can't change the Win app easily, so that's a problem. It seems that the Win app/driver is buggy here and the driver does not behave fully according to the USB HID class spec that it claims to belong to. The device seems to happily deal with that though (and seems to not really care about this value much). So the question is whether the Linux kernel should filter here. Rejecting has the risk that somewhat non-compliant userspace apps/ drivers (most likely in a virtual machine) are prevented from working. Not rejecting has the risk of confusing an overly sensitive device with such a transfer. Given the fact that Windows does not filter it makes this risk rather small though. The patch makes the kernel more tolerant: If the endpoint address in wIndex does not exist, but an endpoint with toggled direction bit does, it will let the transfer through. (It does NOT change the message.) With attached patch, the app in Windows in KVM works. usb 4-2.2: check_ctrlrecip: process 13073 (qemu-kvm) requesting ep 01 but needs 81 I suspect this will mostly affect apps in virtual environments; as on Linux the apps would have been adapted to the stricter handling of the kernel. I have done that for mine[2]. [1] http://www.pegatech.com/ [2] https://sourceforge.net/projects/notetakerpen/ Signed-off-by: Kurt Garloff <kurt@garloff.de> Acked-by: Alan Stern <stern@rowland.harvard.edu> Cc: stable <stable@vger.kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
Trying to read data from the Pegasus Technologies NoteTaker (0e20:0101)
[1] with the Windows App (EasyNote) works natively but fails when
Windows is running under KVM (and the USB device handed to KVM).

The reason is a USB control message
 usb 4-2.2: control urb: bRequestType=22 bRequest=09 wValue=0200 wIndex=0001 wLength=0008
This goes to endpoint address 0x01 (wIndex); however, endpoint address
0x01 does not exist. There is an endpoint 0x81 though (same number,
but other direction); the app may have meant that endpoint instead.

The kernel thus rejects the IO and thus we see the failure.

Apparently, Linux is more strict here than Windows ... we can't change
the Win app easily, so that's a problem.

It seems that the Win app/driver is buggy here and the driver does not
behave fully according to the USB HID class spec that it claims to
belong to.  The device seems to happily deal with that though (and
seems to not really care about this value much).

So the question is whether the Linux kernel should filter here.
Rejecting has the risk that somewhat non-compliant userspace apps/
drivers (most likely in a virtual machine) are prevented from working.
Not rejecting has the risk of confusing an overly sensitive device with
such a transfer. Given the fact that Windows does not filter it makes
this risk rather small though.

The patch makes the kernel more tolerant: If the endpoint address in
wIndex does not exist, but an endpoint with toggled direction bit does,
it will let the transfer through. (It does NOT change the message.)

With attached patch, the app in Windows in KVM works.
 usb 4-2.2: check_ctrlrecip: process 13073 (qemu-kvm) requesting ep 01 but needs 81

I suspect this will mostly affect apps in virtual environments; as on
Linux the apps would have been adapted to the stricter handling of the
kernel. I have done that for mine[2].

[1] http://www.pegatech.com/
[2] https://sourceforge.net/projects/notetakerpen/

Signed-off-by: Kurt Garloff <kurt@garloff.de>
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
usbcore: fix read of usbdevfs_ctrltransfer fields in proc_control() 2013-09-17T16:49:24+00:00 Xenia Ragiadakou burzalodowa@gmail.com 2013-08-31T15:09:14+00:00 c8f2efc8f636506e0f0c2ba4035382076875f0c1 Urb fields are stored in struct usbdevfs_ctrltransfer in CPU byteorder and not in little endian, so there is no need to be converted. This bug was reported by sparse. Signed-off-by: Xenia Ragiadakou <burzalodowa@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
Urb fields are stored in struct usbdevfs_ctrltransfer in CPU byteorder
and not in little endian, so there is no need to be converted.
This bug was reported by sparse.

Signed-off-by: Xenia Ragiadakou <burzalodowa@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
usbfs: Allow printer class 'get_device_id' without needing to claim the intf 2013-07-25T19:01:12+00:00 Hans de Goede hdegoede@redhat.com 2013-07-12T08:04:18+00:00 5dc50c357d5ce8f78e148d20a38e4e66b12d550f For certain (HP) printers the printer device_id does not only contain a static part identifying the printer, but it also contains a dynamic part giving printer status, ink level, etc. To get to this info various userspace utilities need to be able to make a printer class 'get_device_id' request without first claiming the interface (as that is in use for the actual printer driver). Since the printer class 'get_device_id' request does not change interface settings in anyway, allowing this without claiming the interface should not cause any issues. CC: Sanjay Kumar <sanjay.kumar14@hp.com> CC: Alan Stern <stern@rowland.harvard.edu> Signed-off-by: Hans de Goede <hdegoede@redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
For certain (HP) printers the printer device_id does not only contain a
static part identifying the printer, but it also contains a dynamic part
giving printer status, ink level, etc.

To get to this info various userspace utilities need to be able to make a
printer class 'get_device_id' request without first claiming the interface
(as that is in use for the actual printer driver).

Since the printer class 'get_device_id' request does not change interface
settings in anyway, allowing this without claiming the interface should not
cause any issues.

CC: Sanjay Kumar <sanjay.kumar14@hp.com>
CC: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Merge 3.10-rc5 into usb-next 2013-06-09T04:27:51+00:00 Greg Kroah-Hartman gregkh@linuxfoundation.org 2013-06-09T04:27:51+00:00 141dc40ee343ab532717b235dd645e2d25ae3092 We need the changes in this branch. Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
We need the changes in this branch.

Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>