Received: by 10.223.176.5 with SMTP id f5csp3409874wra;
        Mon, 29 Jan 2018 12:46:38 -0800 (PST)
X-Google-Smtp-Source: AH8x226u9f7wlqkC/LMRENRDxbDejLzXMluiTnk6E1VKZyl2AkFAj1zowfRzHtTDajQFJDan/Br5
X-Received: by 2002:a17:902:6bca:: with SMTP id m10-v6mr22550920plt.351.1517258798740;
        Mon, 29 Jan 2018 12:46:38 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1517258798; cv=none;
        d=google.com; s=arc-20160816;
        b=VsfFa27kqvb79/cPoFuNrPo0Bslz3Y4wdfW2X3Ja8u4cdbC5Sx1hTblJjPelyHehDd
         acDgTEZbKQ7lM1Tsp57DOv6GKrZvr7bAWM42hi/0MbomLB+8aCJgkIB8D0XrtzxWRD2s
         dXNoZYPu19dXwdALRSyNArB2EPwKPdnGqUVC097KS0T8Lg/r/eivGPNDoi+ff9EtZQ3s
         SvJewD4pF217otpCnkeFyLhONPF6ePjO2ntXXBP/Np2gMR9jCeB1iFJvHiqqOXNoKrc7
         z7C6fqtlIsxYcX/9x7xF9sdv+aRK95686eEhAAP/NjpyGAiM45k5p9b0uUnJ/5PQyyIV
         ds5w==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:mime-version:user-agent:references
         :in-reply-to:message-id:date:subject:cc:to:from
         :arc-authentication-results;
        bh=T+TRLzMfFysneRWZvcWCEXz78SxcUQ4O0dg3AzMH1t4=;
        b=sTzQ6VvnzCSF/1kp+6y8kMoqAJaJzQ3c9bRWwbL+o3X/ooKiN/IKyaFZ9mqlmv9i9I
         YGsoaWJgFmR7dx1MWLz6/ty8PUJ/JPVRULR7dOlUGwqtHi26V/h4lIv/9nTbiz8P4QOj
         J+u9UmDeQb5bX2Eb0rHwBieFDKDmqg/Y8+st5g8caO6TptICOk9ZrE0qRcZK0jKzXPUv
         I8A0gPmLNl62NBPlsQm/mq6ppywkwgG1bevNdHu+/0pRVtGTpZKi6nvgm3osSbx3GZNo
         10QHRp+QSnlXvMQVtVHDd/WNm1tEslffof8hYaCPwvnUVtmmi/7bf2YDVjZk+D4mVqbf
         A8Aw==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id k29si531919pfj.228.2018.01.29.12.46.24;
        Mon, 29 Jan 2018 12:46:38 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1753961AbeA2Upp (ORCPT <rfc822;vladislav.valtchev@gmail.com>
        + 99 others); Mon, 29 Jan 2018 15:45:45 -0500
Received: from mail.linuxfoundation.org ([140.211.169.12]:34042 "EHLO
        mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1753887AbeA2UMG (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 29 Jan 2018 15:12:06 -0500
Received: from localhost (LFbn-1-12258-90.w90-92.abo.wanadoo.fr [90.92.71.90])
        by mail.linuxfoundation.org (Postfix) with ESMTPSA id 52A302EDF;
        Mon, 29 Jan 2018 13:00:51 +0000 (UTC)
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org, Secunia Research <vuln@secunia.com>,
        Shuah Khan <shuahkh@osg.samsung.com>
Subject: [PATCH 4.4 02/74] usbip: prevent vhci_hcd driver from leaking a socket pointer address
Date:   Mon, 29 Jan 2018 13:56:07 +0100
Message-Id: <20180129123847.617716392@linuxfoundation.org>
X-Mailer: git-send-email 2.16.1
In-Reply-To: <20180129123847.507563674@linuxfoundation.org>
References: <20180129123847.507563674@linuxfoundation.org>
User-Agent: quilt/0.65
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Shuah Khan <shuahkh@osg.samsung.com>

commit 2f2d0088eb93db5c649d2a5e34a3800a8a935fc5 upstream.

When a client has a USB device attached over IP, the vhci_hcd driver is
locally leaking a socket pointer address via the

/sys/devices/platform/vhci_hcd/status file (world-readable) and in debug
output when "usbip --debug port" is run.

Fix it to not leak. The socket pointer address is not used at the moment
and it was made visible as a convenient way to find IP address from socket
pointer address by looking up /proc/net/{tcp,tcp6}.

As this opens a security hole, the fix replaces socket pointer address with
sockfd.

Reported-by: Secunia Research <vuln@secunia.com>
Signed-off-by: Shuah Khan <shuahkh@osg.samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>


---
 drivers/usb/usbip/usbip_common.h     |    1 +
 drivers/usb/usbip/vhci_sysfs.c       |   25 +++++++++++++++----------
 tools/usb/usbip/libsrc/vhci_driver.c |    8 ++++----
 3 files changed, 20 insertions(+), 14 deletions(-)

--- a/drivers/usb/usbip/usbip_common.h
+++ b/drivers/usb/usbip/usbip_common.h
@@ -261,6 +261,7 @@ struct usbip_device {
 	/* lock for status */
 	spinlock_t lock;
 
+	int sockfd;
 	struct socket *tcp_socket;
 
 	struct task_struct *tcp_rx;
--- a/drivers/usb/usbip/vhci_sysfs.c
+++ b/drivers/usb/usbip/vhci_sysfs.c
@@ -39,16 +39,20 @@ static ssize_t status_show(struct device
 
 	/*
 	 * output example:
-	 * prt sta spd dev socket           local_busid
-	 * 000 004 000 000         c5a7bb80 1-2.3
-	 * 001 004 000 000         d8cee980 2-3.4
+	 * port sta spd dev      sockfd local_busid
+	 * 0000 004 000 00000000 000003 1-2.3
+	 * 0001 004 000 00000000 000004 2-3.4
 	 *
-	 * IP address can be retrieved from a socket pointer address by looking
-	 * up /proc/net/{tcp,tcp6}. Also, a userland program may remember a
-	 * port number and its peer IP address.
+	 * Output includes socket fd instead of socket pointer address to
+	 * avoid leaking kernel memory address in:
+	 *	/sys/devices/platform/vhci_hcd.0/status and in debug output.
+	 * The socket pointer address is not used at the moment and it was
+	 * made visible as a convenient way to find IP address from socket
+	 * pointer address by looking up /proc/net/{tcp,tcp6}. As this opens
+	 * a security hole, the change is made to use sockfd instead.
 	 */
 	out += sprintf(out,
-		       "prt sta spd bus dev socket           local_busid\n");
+		       "prt sta spd bus dev sockfd local_busid\n");
 
 	for (i = 0; i < VHCI_NPORTS; i++) {
 		struct vhci_device *vdev = port_to_vdev(i);
@@ -60,11 +64,11 @@ static ssize_t status_show(struct device
 			out += sprintf(out, "%03u %08x ",
 				       vdev->speed, vdev->devid);
 			out += sprintf(out, "%16p ", vdev->ud.tcp_socket);
+			out += sprintf(out, "%06u", vdev->ud.sockfd);
 			out += sprintf(out, "%s", dev_name(&vdev->udev->dev));
 
-		} else {
-			out += sprintf(out, "000 000 000 0000000000000000 0-0");
-		}
+		} else
+			out += sprintf(out, "000 000 000 000000 0-0");
 
 		out += sprintf(out, "\n");
 		spin_unlock(&vdev->ud.lock);
@@ -223,6 +227,7 @@ static ssize_t store_attach(struct devic
 
 	vdev->devid         = devid;
 	vdev->speed         = speed;
+	vdev->ud.sockfd     = sockfd;
 	vdev->ud.tcp_socket = socket;
 	vdev->ud.status     = VDEV_ST_NOTASSIGNED;
 
--- a/tools/usb/usbip/libsrc/vhci_driver.c
+++ b/tools/usb/usbip/libsrc/vhci_driver.c
@@ -55,12 +55,12 @@ static int parse_status(const char *valu
 
 	while (*c != '\0') {
 		int port, status, speed, devid;
-		unsigned long socket;
+		int sockfd;
 		char lbusid[SYSFS_BUS_ID_SIZE];
 
-		ret = sscanf(c, "%d %d %d %x %lx %31s\n",
+		ret = sscanf(c, "%d %d %d %x %u %31s\n",
 				&port, &status, &speed,
-				&devid, &socket, lbusid);
+				&devid, &sockfd, lbusid);
 
 		if (ret < 5) {
 			dbg("sscanf failed: %d", ret);
@@ -69,7 +69,7 @@ static int parse_status(const char *valu
 
 		dbg("port %d status %d speed %d devid %x",
 				port, status, speed, devid);
-		dbg("socket %lx lbusid %s", socket, lbusid);
+		dbg("sockfd %u lbusid %s", sockfd, lbusid);
 
 
 		/* if a device is connected, look at it */