Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1754089AbdLHPVW (ORCPT ); Fri, 8 Dec 2017 10:21:22 -0500 Received: from mail.secunia.com ([185.109.133.106]:28421 "EHLO secunia.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1753802AbdLHPVU (ORCPT ); Fri, 8 Dec 2017 10:21:20 -0500 From: "Secunia Research" To: "'Shuah Khan'" , , , Cc: , , References: In-Reply-To: Subject: RE: [PATCH 0/4] USB over IP Secuurity fixes Date: Fri, 8 Dec 2017 16:14:33 +0100 Message-ID: <000001d37037$40f64570$c2e2d050$@secunia.com> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Mailer: Microsoft Outlook 16.0 Thread-Index: AQIZLSq3ZkJCa76zB3dszSLELVxQ56KuDW2w Content-Language: en-us Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1909 Lines: 58 Hi Shuah, Thanks a lot for the quick fixes. Please, use this email address: vuln@secunia.com We have assigned the following CVEs to the issues: CVE-2017-16911 usbip: prevent vhci_hcd driver from leaking a socket pointer address CVE-2017-16912 usbip: fix stub_rx: get_pipe() to validate endpoint number CVE-2017-16913 usbip: fix stub_rx: harden CMD_SUBMIT path to handle malicious input CVE-2017-16914 usbip: fix stub_send_ret_submit() vulnerability to null transfer_buffer Please, let me know if we should proceed with a coordinated disclosure. I'm not quite sure how many distros / downstreams actually use this functionality. Best Regards, Jakub -----Original Message----- From: Shuah Khan [mailto:shuahkh@osg.samsung.com] Sent: Thursday, December 7, 2017 10:17 PM To: shuah@kernel.org; valentina.manea.m@gmail.com; gregkh@linuxfoundation.org Cc: Shuah Khan ; linux-usb@vger.kernel.org; linux-kernel@vger.kernel.org; vuln@secunia.com Subject: [PATCH 0/4] USB over IP Secuurity fixes Jakub Jirasek from Secunia Research at Flexera reported security vulnerabilities in the USB over IP driver. This patch series all the 4 reported problems. Jakub, could you please suggest an email address I can use for the Reported-by tag? Shuah Khan (4): usbip: fix stub_rx: get_pipe() to validate endpoint number usbip: fix stub_rx: harden CMD_SUBMIT path to handle malicious input usbip: prevent vhci_hcd driver from leaking a socket pointer address usbip: fix stub_send_ret_submit() vulnerability to null transfer_buffer drivers/usb/usbip/stub_rx.c | 51 +++++++++++++++++++++++++++++------- drivers/usb/usbip/stub_tx.c | 7 +++++ drivers/usb/usbip/usbip_common.h | 1 + drivers/usb/usbip/vhci_sysfs.c | 25 +++++++++++------- tools/usb/usbip/libsrc/vhci_driver.c | 8 +++--- 5 files changed, 69 insertions(+), 23 deletions(-) -- 2.14.1