Received: by 10.223.176.5 with SMTP id f5csp3430745wra; Mon, 29 Jan 2018 13:04:46 -0800 (PST) X-Google-Smtp-Source: AH8x2248fY0VoWf9kRqHim10jaC8AsfQ+BuSoMc6ZSkQOvRME5q+WnctUzoLJ0uWGrLk3XAzkxZf X-Received: by 2002:a17:902:8545:: with SMTP id d5-v6mr3144726plo.306.1517259886197; Mon, 29 Jan 2018 13:04:46 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1517259886; cv=none; d=google.com; s=arc-20160816; b=wRTzAFa92/MVQYX7hlukVYtBeuK7JyMPUiyNMPM2y93zmlqzSKPTPXVzSn1GOPxwMB U+ditk/4STw1m2AzXO3eEYEwUzwLfW8cf+jLnc7/7R9Arq5MIqz6Nx7D5SDkoBZ340dw avWg7+4dUUN5aIifddhGaWn5KpPdLtBJrQLArXUc5bg6GDB20Pm4tOxfHrsmADDgnCAN EDNkB3tUxfpYkzUA53kLi+YpeZLJHsxE4lUu+cgIpgFb+vIFneMascEsnVjIq0Br5hB/ oz8R1xRG8hhqJL8NTIDrLFgIs9Rrr1swygYYYieuko77Xw/0wWEEaQ7PQsJMXd0R8ZI3 9YxA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:user-agent:references :in-reply-to:message-id:date:subject:cc:to:from :arc-authentication-results; bh=aEKxJktI2suGnRS1698+E9U9JP3+UhnJxzPIKBDs0dw=; b=FA7z11TkouZaHInbnNpPofIdSzqQ+vTUUpEP9ES6Dkvnutqy15sJUhCqREp7Zysvxr j8TiDuwTEJZWIHf1RVnhXeBIXeb7vSNWPFJuGWrWgPWMWvrqq3NTiicRqxHSbA73DYeP 7iP3ul/biwarjmJN8K6HSAZapC5hpjF6HSTiVtyyAH/fddaxKhodepHc5Q5rbbDcLce0 /x8RPb2X9wjTAyRJWtbP3hy3dzj2DZ4tjaTxijaL910SmdQHxzBbVb3NiXm3Fnw5qEpZ fp4fqz1M62zherFYdC3MYHdo4Ty2r2Pk6QFUZPbyRUFQqOGl3O8br8YCeUM7QIMNUUNQ IeMw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id x1si8700136pfk.3.2018.01.29.13.04.31; Mon, 29 Jan 2018 13:04:46 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752932AbeA2UHk (ORCPT + 99 others); Mon, 29 Jan 2018 15:07:40 -0500 Received: from mail.linuxfoundation.org ([140.211.169.12]:51002 "EHLO mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752878AbeA2UHe (ORCPT ); Mon, 29 Jan 2018 15:07:34 -0500 Received: from localhost (LFbn-1-12258-90.w90-92.abo.wanadoo.fr [90.92.71.90]) by mail.linuxfoundation.org (Postfix) with ESMTPSA id E8EAD2F8C; Mon, 29 Jan 2018 13:05:35 +0000 (UTC) From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Secunia Research , Shuah Khan Subject: [PATCH 4.9 04/66] usbip: prevent vhci_hcd driver from leaking a socket pointer address Date: Mon, 29 Jan 2018 13:56:28 +0100 Message-Id: <20180129123840.072732457@linuxfoundation.org> X-Mailer: git-send-email 2.16.1 In-Reply-To: <20180129123839.842860149@linuxfoundation.org> References: <20180129123839.842860149@linuxfoundation.org> User-Agent: quilt/0.65 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 4.9-stable review patch. If anyone has any objections, please let me know. ------------------ From: Shuah Khan commit 2f2d0088eb93db5c649d2a5e34a3800a8a935fc5 upstream. When a client has a USB device attached over IP, the vhci_hcd driver is locally leaking a socket pointer address via the /sys/devices/platform/vhci_hcd/status file (world-readable) and in debug output when "usbip --debug port" is run. Fix it to not leak. The socket pointer address is not used at the moment and it was made visible as a convenient way to find IP address from socket pointer address by looking up /proc/net/{tcp,tcp6}. As this opens a security hole, the fix replaces socket pointer address with sockfd. Reported-by: Secunia Research Signed-off-by: Shuah Khan Signed-off-by: Greg Kroah-Hartman --- drivers/usb/usbip/usbip_common.h | 1 + drivers/usb/usbip/vhci_sysfs.c | 25 +++++++++++++++---------- tools/usb/usbip/libsrc/vhci_driver.c | 8 ++++---- 3 files changed, 20 insertions(+), 14 deletions(-) --- a/drivers/usb/usbip/usbip_common.h +++ b/drivers/usb/usbip/usbip_common.h @@ -271,6 +271,7 @@ struct usbip_device { /* lock for status */ spinlock_t lock; + int sockfd; struct socket *tcp_socket; struct task_struct *tcp_rx; --- a/drivers/usb/usbip/vhci_sysfs.c +++ b/drivers/usb/usbip/vhci_sysfs.c @@ -49,13 +49,17 @@ static ssize_t status_show_vhci(int pdev /* * output example: - * port sta spd dev socket local_busid - * 0000 004 000 00000000 c5a7bb80 1-2.3 - * 0001 004 000 00000000 d8cee980 2-3.4 + * port sta spd dev sockfd local_busid + * 0000 004 000 00000000 000003 1-2.3 + * 0001 004 000 00000000 000004 2-3.4 * - * IP address can be retrieved from a socket pointer address by looking - * up /proc/net/{tcp,tcp6}. Also, a userland program may remember a - * port number and its peer IP address. + * Output includes socket fd instead of socket pointer address to + * avoid leaking kernel memory address in: + * /sys/devices/platform/vhci_hcd.0/status and in debug output. + * The socket pointer address is not used at the moment and it was + * made visible as a convenient way to find IP address from socket + * pointer address by looking up /proc/net/{tcp,tcp6}. As this opens + * a security hole, the change is made to use sockfd instead. */ for (i = 0; i < VHCI_HC_PORTS; i++) { struct vhci_device *vdev = &vhci->vdev[i]; @@ -68,13 +72,13 @@ static ssize_t status_show_vhci(int pdev if (vdev->ud.status == VDEV_ST_USED) { out += sprintf(out, "%03u %08x ", vdev->speed, vdev->devid); - out += sprintf(out, "%16p %s", - vdev->ud.tcp_socket, + out += sprintf(out, "%06u %s", + vdev->ud.sockfd, dev_name(&vdev->udev->dev)); } else { out += sprintf(out, "000 00000000 "); - out += sprintf(out, "0000000000000000 0-0"); + out += sprintf(out, "000000 0-0"); } out += sprintf(out, "\n"); @@ -125,7 +129,7 @@ static ssize_t status_show(struct device int pdev_nr; out += sprintf(out, - "port sta spd dev socket local_busid\n"); + "port sta spd dev sockfd local_busid\n"); pdev_nr = status_name_to_id(attr->attr.name); if (pdev_nr < 0) @@ -324,6 +328,7 @@ static ssize_t store_attach(struct devic vdev->devid = devid; vdev->speed = speed; + vdev->ud.sockfd = sockfd; vdev->ud.tcp_socket = socket; vdev->ud.status = VDEV_ST_NOTASSIGNED; --- a/tools/usb/usbip/libsrc/vhci_driver.c +++ b/tools/usb/usbip/libsrc/vhci_driver.c @@ -55,12 +55,12 @@ static int parse_status(const char *valu while (*c != '\0') { int port, status, speed, devid; - unsigned long socket; + int sockfd; char lbusid[SYSFS_BUS_ID_SIZE]; - ret = sscanf(c, "%d %d %d %x %lx %31s\n", + ret = sscanf(c, "%d %d %d %x %u %31s\n", &port, &status, &speed, - &devid, &socket, lbusid); + &devid, &sockfd, lbusid); if (ret < 5) { dbg("sscanf failed: %d", ret); @@ -69,7 +69,7 @@ static int parse_status(const char *valu dbg("port %d status %d speed %d devid %x", port, status, speed, devid); - dbg("socket %lx lbusid %s", socket, lbusid); + dbg("sockfd %u lbusid %s", sockfd, lbusid); /* if a device is connected, look at it */