<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux.git/drivers/usb/usbip, branch v4.15</title>
<subtitle>Linux kernel source tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/'/>
<entry>
<title>usbip: vudc_tx: fix v_send_ret_submit() vulnerability to null xfer buffer</title>
<updated>2018-01-04T16:07:27+00:00</updated>
<author>
<name>Shuah Khan</name>
<email>shuahkh@osg.samsung.com</email>
</author>
<published>2017-12-23T02:23:47+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=5fd77a3a0e408c23ab4002a57db980e46bc16e72'/>
<id>5fd77a3a0e408c23ab4002a57db980e46bc16e72</id>
<content type='text'>
v_send_ret_submit() handles urb with a null transfer_buffer, when it
replays a packet with potential malicious data that could contain a
null buffer.

Add a check for the condition when actual_length &gt; 0 and transfer_buffer
is null.

Signed-off-by: Shuah Khan &lt;shuahkh@osg.samsung.com&gt;
Cc: stable &lt;stable@vger.kernel.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
v_send_ret_submit() handles urb with a null transfer_buffer, when it
replays a packet with potential malicious data that could contain a
null buffer.

Add a check for the condition when actual_length &gt; 0 and transfer_buffer
is null.

Signed-off-by: Shuah Khan &lt;shuahkh@osg.samsung.com&gt;
Cc: stable &lt;stable@vger.kernel.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>usbip: remove kernel addresses from usb device and urb debug msgs</title>
<updated>2018-01-04T16:07:26+00:00</updated>
<author>
<name>Shuah Khan</name>
<email>shuahkh@osg.samsung.com</email>
</author>
<published>2017-12-23T00:00:06+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=e1346fd87c71a1f61de1fe476ec8df1425ac931c'/>
<id>e1346fd87c71a1f61de1fe476ec8df1425ac931c</id>
<content type='text'>
usbip_dump_usb_device() and usbip_dump_urb() print kernel addresses.
Remove kernel addresses from usb device and urb debug msgs and improve
the message content.

Instead of printing parent device and bus addresses, print parent device
and bus names.

Signed-off-by: Shuah Khan &lt;shuahkh@osg.samsung.com&gt;
Cc: stable &lt;stable@vger.kernel.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
usbip_dump_usb_device() and usbip_dump_urb() print kernel addresses.
Remove kernel addresses from usb device and urb debug msgs and improve
the message content.

Instead of printing parent device and bus addresses, print parent device
and bus names.

Signed-off-by: Shuah Khan &lt;shuahkh@osg.samsung.com&gt;
Cc: stable &lt;stable@vger.kernel.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>usbip: fix vudc_rx: harden CMD_SUBMIT path to handle malicious input</title>
<updated>2018-01-04T16:07:26+00:00</updated>
<author>
<name>Shuah Khan</name>
<email>shuahkh@osg.samsung.com</email>
</author>
<published>2017-12-23T02:23:46+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=b78d830f0049ef1966dc1e0ebd1ec2a594e2cf25'/>
<id>b78d830f0049ef1966dc1e0ebd1ec2a594e2cf25</id>
<content type='text'>
Harden CMD_SUBMIT path to handle malicious input that could trigger
large memory allocations. Add checks to validate transfer_buffer_length
and number_of_packets to protect against bad input requesting for
unbounded memory allocations.

Signed-off-by: Shuah Khan &lt;shuahkh@osg.samsung.com&gt;
Cc: stable &lt;stable@vger.kernel.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Harden CMD_SUBMIT path to handle malicious input that could trigger
large memory allocations. Add checks to validate transfer_buffer_length
and number_of_packets to protect against bad input requesting for
unbounded memory allocations.

Signed-off-by: Shuah Khan &lt;shuahkh@osg.samsung.com&gt;
Cc: stable &lt;stable@vger.kernel.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>usbip: stub_rx: fix static checker warning on unnecessary checks</title>
<updated>2017-12-19T10:40:55+00:00</updated>
<author>
<name>Shuah Khan</name>
<email>shuahkh@osg.samsung.com</email>
</author>
<published>2017-12-15T17:05:15+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=10c90120930628e8b959bf58d4a0aaef3ae5d945'/>
<id>10c90120930628e8b959bf58d4a0aaef3ae5d945</id>
<content type='text'>
Fix the following static checker warnings:

The patch c6688ef9f297: "usbip: fix stub_rx: harden CMD_SUBMIT path
to handle malicious input" from Dec 7, 2017, leads to the following
static checker warning:

    drivers/usb/usbip/stub_rx.c:346 get_pipe()
    warn: impossible condition
'(pdu-&gt;u.cmd_submit.transfer_buffer_length &gt; ((~0 &gt;&gt; 1))) =&gt;
(s32min-s32max &gt; s32max)'
    drivers/usb/usbip/stub_rx.c:486 stub_recv_cmd_submit()
    warn: always true condition
'(pdu-&gt;u.cmd_submit.transfer_buffer_length &lt;= ((~0 &gt;&gt; 1))) =&gt;
(s32min-s32max &lt;= s32max)'

Reported-by: Dan Carpenter &lt;dan.carpenter@oracle.com&gt;
Signed-off-by: Shuah Khan &lt;shuahkh@osg.samsung.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Fix the following static checker warnings:

The patch c6688ef9f297: "usbip: fix stub_rx: harden CMD_SUBMIT path
to handle malicious input" from Dec 7, 2017, leads to the following
static checker warning:

    drivers/usb/usbip/stub_rx.c:346 get_pipe()
    warn: impossible condition
'(pdu-&gt;u.cmd_submit.transfer_buffer_length &gt; ((~0 &gt;&gt; 1))) =&gt;
(s32min-s32max &gt; s32max)'
    drivers/usb/usbip/stub_rx.c:486 stub_recv_cmd_submit()
    warn: always true condition
'(pdu-&gt;u.cmd_submit.transfer_buffer_length &lt;= ((~0 &gt;&gt; 1))) =&gt;
(s32min-s32max &lt;= s32max)'

Reported-by: Dan Carpenter &lt;dan.carpenter@oracle.com&gt;
Signed-off-by: Shuah Khan &lt;shuahkh@osg.samsung.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>usbip: prevent leaking socket pointer address in messages</title>
<updated>2017-12-19T10:40:54+00:00</updated>
<author>
<name>Shuah Khan</name>
<email>shuahkh@osg.samsung.com</email>
</author>
<published>2017-12-15T17:50:09+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=90120d15f4c397272aaf41077960a157fc4212bf'/>
<id>90120d15f4c397272aaf41077960a157fc4212bf</id>
<content type='text'>
usbip driver is leaking socket pointer address in messages. Remove
the messages that aren't useful and print sockfd in the ones that
are useful for debugging.

Signed-off-by: Shuah Khan &lt;shuahkh@osg.samsung.com&gt;
Cc: stable &lt;stable@vger.kernel.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
usbip driver is leaking socket pointer address in messages. Remove
the messages that aren't useful and print sockfd in the ones that
are useful for debugging.

Signed-off-by: Shuah Khan &lt;shuahkh@osg.samsung.com&gt;
Cc: stable &lt;stable@vger.kernel.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>usbip: stub: stop printing kernel pointer addresses in messages</title>
<updated>2017-12-19T10:40:54+00:00</updated>
<author>
<name>Shuah Khan</name>
<email>shuahkh@osg.samsung.com</email>
</author>
<published>2017-12-19T00:23:37+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=248a22044366f588d46754c54dfe29ffe4f8b4df'/>
<id>248a22044366f588d46754c54dfe29ffe4f8b4df</id>
<content type='text'>
Remove and/or change debug, info. and error messages to not print
kernel pointer addresses.

Signed-off-by: Shuah Khan &lt;shuahkh@osg.samsung.com&gt;
Cc: stable &lt;stable@vger.kernel.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Remove and/or change debug, info. and error messages to not print
kernel pointer addresses.

Signed-off-by: Shuah Khan &lt;shuahkh@osg.samsung.com&gt;
Cc: stable &lt;stable@vger.kernel.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>usbip: vhci: stop printing kernel pointer addresses in messages</title>
<updated>2017-12-19T10:40:54+00:00</updated>
<author>
<name>Shuah Khan</name>
<email>shuahkh@osg.samsung.com</email>
</author>
<published>2017-12-19T00:24:22+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=8272d099d05f7ab2776cf56a2ab9f9443be18907'/>
<id>8272d099d05f7ab2776cf56a2ab9f9443be18907</id>
<content type='text'>
Remove and/or change debug, info. and error messages to not print
kernel pointer addresses.

Signed-off-by: Shuah Khan &lt;shuahkh@osg.samsung.com&gt;
Cc: stable &lt;stable@vger.kernel.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Remove and/or change debug, info. and error messages to not print
kernel pointer addresses.

Signed-off-by: Shuah Khan &lt;shuahkh@osg.samsung.com&gt;
Cc: stable &lt;stable@vger.kernel.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>usbip: fix stub_send_ret_submit() vulnerability to null transfer_buffer</title>
<updated>2017-12-08T16:32:23+00:00</updated>
<author>
<name>Shuah Khan</name>
<email>shuahkh@osg.samsung.com</email>
</author>
<published>2017-12-07T21:16:50+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=be6123df1ea8f01ee2f896a16c2b7be3e4557a5a'/>
<id>be6123df1ea8f01ee2f896a16c2b7be3e4557a5a</id>
<content type='text'>
stub_send_ret_submit() handles urb with a potential null transfer_buffer,
when it replays a packet with potential malicious data that could contain
a null buffer. Add a check for the condition when actual_length &gt; 0 and
transfer_buffer is null.

Reported-by: Secunia Research &lt;vuln@secunia.com&gt;
Cc: stable &lt;stable@vger.kernel.org&gt;
Signed-off-by: Shuah Khan &lt;shuahkh@osg.samsung.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
stub_send_ret_submit() handles urb with a potential null transfer_buffer,
when it replays a packet with potential malicious data that could contain
a null buffer. Add a check for the condition when actual_length &gt; 0 and
transfer_buffer is null.

Reported-by: Secunia Research &lt;vuln@secunia.com&gt;
Cc: stable &lt;stable@vger.kernel.org&gt;
Signed-off-by: Shuah Khan &lt;shuahkh@osg.samsung.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>usbip: prevent vhci_hcd driver from leaking a socket pointer address</title>
<updated>2017-12-08T16:32:23+00:00</updated>
<author>
<name>Shuah Khan</name>
<email>shuahkh@osg.samsung.com</email>
</author>
<published>2017-12-07T21:16:49+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=2f2d0088eb93db5c649d2a5e34a3800a8a935fc5'/>
<id>2f2d0088eb93db5c649d2a5e34a3800a8a935fc5</id>
<content type='text'>
When a client has a USB device attached over IP, the vhci_hcd driver is
locally leaking a socket pointer address via the

/sys/devices/platform/vhci_hcd/status file (world-readable) and in debug
output when "usbip --debug port" is run.

Fix it to not leak. The socket pointer address is not used at the moment
and it was made visible as a convenient way to find IP address from socket
pointer address by looking up /proc/net/{tcp,tcp6}.

As this opens a security hole, the fix replaces socket pointer address with
sockfd.

Reported-by: Secunia Research &lt;vuln@secunia.com&gt;
Cc: stable &lt;stable@vger.kernel.org&gt;
Signed-off-by: Shuah Khan &lt;shuahkh@osg.samsung.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
When a client has a USB device attached over IP, the vhci_hcd driver is
locally leaking a socket pointer address via the

/sys/devices/platform/vhci_hcd/status file (world-readable) and in debug
output when "usbip --debug port" is run.

Fix it to not leak. The socket pointer address is not used at the moment
and it was made visible as a convenient way to find IP address from socket
pointer address by looking up /proc/net/{tcp,tcp6}.

As this opens a security hole, the fix replaces socket pointer address with
sockfd.

Reported-by: Secunia Research &lt;vuln@secunia.com&gt;
Cc: stable &lt;stable@vger.kernel.org&gt;
Signed-off-by: Shuah Khan &lt;shuahkh@osg.samsung.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>usbip: fix stub_rx: harden CMD_SUBMIT path to handle malicious input</title>
<updated>2017-12-08T16:32:23+00:00</updated>
<author>
<name>Shuah Khan</name>
<email>shuahkh@osg.samsung.com</email>
</author>
<published>2017-12-07T21:16:48+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=c6688ef9f29762e65bce325ef4acd6c675806366'/>
<id>c6688ef9f29762e65bce325ef4acd6c675806366</id>
<content type='text'>
Harden CMD_SUBMIT path to handle malicious input that could trigger
large memory allocations. Add checks to validate transfer_buffer_length
and number_of_packets to protect against bad input requesting for
unbounded memory allocations. Validate early in get_pipe() and return
failure.

Reported-by: Secunia Research &lt;vuln@secunia.com&gt;
Cc: stable &lt;stable@vger.kernel.org&gt;
Signed-off-by: Shuah Khan &lt;shuahkh@osg.samsung.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Harden CMD_SUBMIT path to handle malicious input that could trigger
large memory allocations. Add checks to validate transfer_buffer_length
and number_of_packets to protect against bad input requesting for
unbounded memory allocations. Validate early in get_pipe() and return
failure.

Reported-by: Secunia Research &lt;vuln@secunia.com&gt;
Cc: stable &lt;stable@vger.kernel.org&gt;
Signed-off-by: Shuah Khan &lt;shuahkh@osg.samsung.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
</feed>
