Received: by 10.223.176.5 with SMTP id f5csp407423wra;
        Sat, 3 Feb 2018 02:04:40 -0800 (PST)
X-Google-Smtp-Source: AH8x225Ch0628aCPJMi2uSjKRucx8h04YUpRmyNtoIXP6T9SDB0GimUKPTfyUMxrNHMZBdboJFpj
X-Received: by 10.98.150.20 with SMTP id c20mr42723357pfe.200.1517652280078;
        Sat, 03 Feb 2018 02:04:40 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1517652280; cv=none;
        d=google.com; s=arc-20160816;
        b=V96MyS4BS0aOc5HCZ+a4eiOcJYKzMlN/HG/7NZYe6aZUs1So6L0LfMeq2PWd2YRn1O
         vY5stTiJ/xBEzh9B6+/SWWsDayOBbkjDEmMn3+i4lpKNCOisXmgDcHO8D5YJa+HC0enj
         lWRk1iiG3vfvRoW3j/BPnyetMT7/kPrcuy7YvlNShRjDmKlEPWPxjy3W4hwarMLOj4YQ
         5o4ZOm9CnNb6IEadXIC8UFJXGRXLaf2vrebM1e6YhKo30ZzuFy8+LJrvo9khv6R2Ng1K
         NkQ1pN5pOm9C0YqY/hySOWi+mEn/MKuYsjyvYucFUzH62pz5oVYNrvt/z9bGHMqQyZ2T
         HdCA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:user-agent:in-reply-to
         :content-disposition:mime-version:references:message-id:subject:cc
         :to:from:date:dkim-signature:arc-authentication-results;
        bh=1syQpqDBkF/Bh02HsGHapZqlWMfNqzTNFZMm1bEyYVw=;
        b=N2nqwq8TULOUkHOHqEg4kqNEwrqhkNBKbogb0xfb0PtFNklm12WNvcsaMAGU6Jy4IA
         KVs6X4sqUjU0+qxdHcLhmIlyI0i/g1GblTnJ47hDIJDoVYEuGX1J64NKcWrm3chjy3jb
         FAAE/DyQccswGkT/FueSJF0ssDza2Gn3e0Rl42RQ6ZFtPMUenzrPVKH1fL8+fO589OhC
         vNIDdSJrrrBAC9herv2LfjLGxYT4BKbdzSEA55cxhILV48yl06NgF3p3ZCBrhhTfDvBQ
         VbOIrQEGHhWF3rqIeTRED6rvoIA8s6MUn2ogBiUtnThRXnvpyeR87ym1yTCkCmLL+ttl
         ryAg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=nnP+JT3Y;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=gmail.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id a17si992006pgv.479.2018.02.03.02.03.40;
        Sat, 03 Feb 2018 02:04:40 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=nnP+JT3Y;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=gmail.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1751757AbeBCIaz (ORCPT <rfc822;huangweiredhat@gmail.com>
        + 99 others); Sat, 3 Feb 2018 03:30:55 -0500
Received: from mail-pl0-f65.google.com ([209.85.160.65]:38087 "EHLO
        mail-pl0-f65.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1750725AbeBCIas (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Sat, 3 Feb 2018 03:30:48 -0500
Received: by mail-pl0-f65.google.com with SMTP id 13so8017318plb.5;
        Sat, 03 Feb 2018 00:30:47 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=date:from:to:cc:subject:message-id:references:mime-version
         :content-disposition:in-reply-to:user-agent;
        bh=1syQpqDBkF/Bh02HsGHapZqlWMfNqzTNFZMm1bEyYVw=;
        b=nnP+JT3Y7eGCYo9hwgMhfKLLJdIu1LnfNzdBSgmpBBA8ZnMyHglaJY6b0FmCilRUj5
         I0PSlHD/G1HVQ8ybhWIIf6UozEZ8SOTDdbkmN+I2dE/FBHoT18Hi7MbEUFv4YQYbSlTo
         CL5ZURBKpliLgWL0sj4qMWYo+2/oK1HIWjGnuGUiRU0uGPX19VfbRl8EpITyBhxYFP/A
         Ro+EHxjK13Aszj3kscammer5VVUGKFoCpb2OUQffiVLC7T65uKkcWcBEpIfUUO+qKU0X
         0niH5fUEr1aW8BtJHzXx2PzvgGDzN8TSZOBqs0AiJMnHZNSMxjmEbE6UppBkUvJUajJK
         K0xw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:date:from:to:cc:subject:message-id:references
         :mime-version:content-disposition:in-reply-to:user-agent;
        bh=1syQpqDBkF/Bh02HsGHapZqlWMfNqzTNFZMm1bEyYVw=;
        b=YUgNgoWa+PAlpy6KTwZ66gaoz6OfLDHH0KUZGJErUzNSmDrySzV87LwQJrHeSo72Ti
         E7b3RBYmFypSd8+sZIbGXhh0dHfB3dUlEMZdPPINlfzHZgCZTNQEWU2I/TSlA6ULcSvR
         nUOK+k6il1IIzEiiCH2oNx8hAhlHUNJ3eENhlkClR6Jbhbtt8F13wDWJXnfMuzPxzcTY
         /ArZ8+7mvvNVq4ErpbE6XNPreC+VBL/R9P4uTZ6CM/rt/HXq3Th1tjaJzicSlqVh3wCh
         6+E8CpmWO47NnBaHyG1YxKxo2RQglX73XOi8X9kIz43zY3sH5pfno+MWBlnmDVmwh8qu
         vpcQ==
X-Gm-Message-State: AKwxytcLii7g/CXXtequNWyBUMPsSquo8cG0q8GZHGT1cQDkVI3QXwTR
        ZPZe+QQxDo1KOgFv+gHgEFYgCXZO6/0=
X-Received: by 2002:a17:902:e65:: with SMTP id 92-v6mr35215913plw.148.1517646647208;
        Sat, 03 Feb 2018 00:30:47 -0800 (PST)
Received: from zzz.localdomain (c-67-185-97-198.hsd1.wa.comcast.net. [67.185.97.198])
        by smtp.gmail.com with ESMTPSA id t8sm5125245pgn.93.2018.02.03.00.30.46
        (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256);
        Sat, 03 Feb 2018 00:30:46 -0800 (PST)
Date:   Sat, 3 Feb 2018 00:30:44 -0800
From:   Eric Biggers <ebiggers3@gmail.com>
To:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc:     linux-kernel@vger.kernel.org, stable@vger.kernel.org,
        Secunia Research <vuln@secunia.com>,
        Shuah Khan <shuahkh@osg.samsung.com>
Subject: Re: [PATCH 4.4 02/74] usbip: prevent vhci_hcd driver from leaking a
 socket pointer address
Message-ID: <20180203083044.GA6126@zzz.localdomain>
References: <20180129123847.507563674@linuxfoundation.org>
 <20180129123847.617716392@linuxfoundation.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20180129123847.617716392@linuxfoundation.org>
User-Agent: Mutt/1.9.3 (2018-01-21)
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, Jan 29, 2018 at 01:56:07PM +0100, Greg Kroah-Hartman wrote:
> 4.4-stable review patch.  If anyone has any objections, please let me know.
> 
> ------------------
> 
> From: Shuah Khan <shuahkh@osg.samsung.com>
> 
> commit 2f2d0088eb93db5c649d2a5e34a3800a8a935fc5 upstream.
> 
> When a client has a USB device attached over IP, the vhci_hcd driver is
> locally leaking a socket pointer address via the
> 
> /sys/devices/platform/vhci_hcd/status file (world-readable) and in debug
> output when "usbip --debug port" is run.
> 
> Fix it to not leak. The socket pointer address is not used at the moment
> and it was made visible as a convenient way to find IP address from socket
> pointer address by looking up /proc/net/{tcp,tcp6}.
> 
> As this opens a security hole, the fix replaces socket pointer address with
> sockfd.
> 
> Reported-by: Secunia Research <vuln@secunia.com>
> Signed-off-by: Shuah Khan <shuahkh@osg.samsung.com>
> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> 
> 
> ---
>  drivers/usb/usbip/usbip_common.h     |    1 +
>  drivers/usb/usbip/vhci_sysfs.c       |   25 +++++++++++++++----------
>  tools/usb/usbip/libsrc/vhci_driver.c |    8 ++++----
>  3 files changed, 20 insertions(+), 14 deletions(-)
> 
> --- a/drivers/usb/usbip/usbip_common.h
> +++ b/drivers/usb/usbip/usbip_common.h
> @@ -261,6 +261,7 @@ struct usbip_device {
>  	/* lock for status */
>  	spinlock_t lock;
>  
> +	int sockfd;
>  	struct socket *tcp_socket;
>  
>  	struct task_struct *tcp_rx;
> --- a/drivers/usb/usbip/vhci_sysfs.c
> +++ b/drivers/usb/usbip/vhci_sysfs.c
> @@ -39,16 +39,20 @@ static ssize_t status_show(struct device
>  
>  	/*
>  	 * output example:
> -	 * prt sta spd dev socket           local_busid
> -	 * 000 004 000 000         c5a7bb80 1-2.3
> -	 * 001 004 000 000         d8cee980 2-3.4
> +	 * port sta spd dev      sockfd local_busid
> +	 * 0000 004 000 00000000 000003 1-2.3
> +	 * 0001 004 000 00000000 000004 2-3.4
>  	 *
> -	 * IP address can be retrieved from a socket pointer address by looking
> -	 * up /proc/net/{tcp,tcp6}. Also, a userland program may remember a
> -	 * port number and its peer IP address.
> +	 * Output includes socket fd instead of socket pointer address to
> +	 * avoid leaking kernel memory address in:
> +	 *	/sys/devices/platform/vhci_hcd.0/status and in debug output.
> +	 * The socket pointer address is not used at the moment and it was
> +	 * made visible as a convenient way to find IP address from socket
> +	 * pointer address by looking up /proc/net/{tcp,tcp6}. As this opens
> +	 * a security hole, the change is made to use sockfd instead.
>  	 */
>  	out += sprintf(out,
> -		       "prt sta spd bus dev socket           local_busid\n");
> +		       "prt sta spd bus dev sockfd local_busid\n");
>  
>  	for (i = 0; i < VHCI_NPORTS; i++) {
>  		struct vhci_device *vdev = port_to_vdev(i);
> @@ -60,11 +64,11 @@ static ssize_t status_show(struct device
>  			out += sprintf(out, "%03u %08x ",
>  				       vdev->speed, vdev->devid);
>  			out += sprintf(out, "%16p ", vdev->ud.tcp_socket);
> +			out += sprintf(out, "%06u", vdev->ud.sockfd);
>  			out += sprintf(out, "%s", dev_name(&vdev->udev->dev));

This backport is wrong; it's still printing the pointer...

Eric