Received: by 10.223.176.5 with SMTP id f5csp2607832wra;
        Mon, 5 Feb 2018 06:59:42 -0800 (PST)
X-Google-Smtp-Source: AH8x224Vpd//nn9pFkfrkXSZDnqZd/PmiovI1hiHjqNRirXHfVJjG+7AD5M0HAx3w/0b303GA1z4
X-Received: by 10.98.216.134 with SMTP id e128mr7907617pfg.36.1517842782281;
        Mon, 05 Feb 2018 06:59:42 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1517842782; cv=none;
        d=google.com; s=arc-20160816;
        b=oYoADdufI8h2hov+mQptDhPgKRhPOLMiDOR+TY7OPtKFIcKRX7fOIQMCTBj+d6mefQ
         wl+YDI+AlPaU3xzL2pggK1H2ZFVcshBozpGOpJnAGgJdA38ngN0iRp71U/WZXdOhhB3W
         780WD8S8WnkKlOgHnt+/+6YA4VlFYc3f1OYtZepkJ7LmJKIXFBS01mgpkBkPEqmXewi6
         uLVcIrIcGoaksUbrPy4xps3rxp9ABTIojK39txTbZ/SYEH2qmJG/OWXD5RsVi/hjVDFo
         QdHhnFUq26PY2c+ApRG8q7keT9VbMauJ+2RPgSIe9X4NG6dwpvT2mDEoAo5MEXnM3VT9
         3ywg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding
         :content-language:in-reply-to:mime-version:user-agent:date
         :message-id:from:references:cc:to:subject:arc-authentication-results;
        bh=ONNXGwInwYo3RN2cpNC7eK3iF9MA1/4ylskinGAKm30=;
        b=anznFJFePk7cACtyOMHWIwL5goMjJCPXffwXgqC47MDmqyafB0qX+fimjVe1E+r3YO
         lHkSDmt0p5vsxLsDfPO78Ojp0LbrEJyY5Mat6yYH0ntGJ7sIm933wkUcY4MZ8HOck2r8
         BbeFt2ekwAW1UsQjhHpHAp0LdLUV/VQQVw8cNTqlEl2VyBhM2/S+W2kg0lvZZu+cogB0
         cPm1yx0SzWZLRcA4LIC4VBE14ILEQd6iTrHqtdgwpfQ1Z7Ov4vmDj6kjg4NgBKBS/6Wk
         pRO4Cpco96LtKIn0x/38zo2923RLWyJl+pB6HGPKr1pTB7iNRHWZKycpp2vQmBl67IrL
         ZOUg==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=samsung.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id u87si6500965pfj.41.2018.02.05.06.59.25;
        Mon, 05 Feb 2018 06:59:42 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=samsung.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1753157AbeBEO6j (ORCPT <rfc822;chrisloverchio@gmail.com>
        + 99 others); Mon, 5 Feb 2018 09:58:39 -0500
Received: from osg.samsung.com ([64.30.133.232]:61300 "EHLO osg.samsung.com"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1752843AbeBEO6e (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 5 Feb 2018 09:58:34 -0500
Received: from localhost (localhost [127.0.0.1])
        by osg.samsung.com (Postfix) with ESMTP id 3E619328EE;
        Mon,  5 Feb 2018 06:58:33 -0800 (PST)
X-Virus-Scanned: Debian amavisd-new at dev.s-opensource.com
Received: from osg.samsung.com ([127.0.0.1])
        by localhost (localhost [127.0.0.1]) (amavisd-new, port 10024)
        with ESMTP id PdWpmFfNxYYO; Mon,  5 Feb 2018 06:58:26 -0800 (PST)
Received: from [192.168.1.87] (c-24-9-64-241.hsd1.co.comcast.net [24.9.64.241])
        by osg.samsung.com (Postfix) with ESMTPSA id DB2CB328E1;
        Mon,  5 Feb 2018 06:58:25 -0800 (PST)
Subject: Re: [PATCH 4.4 02/74] usbip: prevent vhci_hcd driver from leaking a
 socket pointer address
To:     Eric Biggers <ebiggers3@gmail.com>,
        Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc:     linux-kernel@vger.kernel.org, stable@vger.kernel.org,
        Secunia Research <vuln@secunia.com>,
        Shuah Khan <shuahkh@osg.samsung.com>,
        Shuah Khan <shuah@kernel.org>
References: <20180129123847.507563674@linuxfoundation.org>
 <20180129123847.617716392@linuxfoundation.org>
 <20180203083044.GA6126@zzz.localdomain>
From:   Shuah Khan <shuahkh@osg.samsung.com>
Message-ID: <6e15f208-a10e-96e2-55f8-36ab86d415b9@osg.samsung.com>
Date:   Mon, 5 Feb 2018 07:58:17 -0700
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
 Thunderbird/52.6.0
MIME-Version: 1.0
In-Reply-To: <20180203083044.GA6126@zzz.localdomain>
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On 02/03/2018 01:30 AM, Eric Biggers wrote:
> On Mon, Jan 29, 2018 at 01:56:07PM +0100, Greg Kroah-Hartman wrote:
>> 4.4-stable review patch.  If anyone has any objections, please let me know.
>>
>> ------------------
>>
>> From: Shuah Khan <shuahkh@osg.samsung.com>
>>
>> commit 2f2d0088eb93db5c649d2a5e34a3800a8a935fc5 upstream.
>>
>> When a client has a USB device attached over IP, the vhci_hcd driver is
>> locally leaking a socket pointer address via the
>>
>> /sys/devices/platform/vhci_hcd/status file (world-readable) and in debug
>> output when "usbip --debug port" is run.
>>
>> Fix it to not leak. The socket pointer address is not used at the moment
>> and it was made visible as a convenient way to find IP address from socket
>> pointer address by looking up /proc/net/{tcp,tcp6}.
>>
>> As this opens a security hole, the fix replaces socket pointer address with
>> sockfd.
>>
>> Reported-by: Secunia Research <vuln@secunia.com>
>> Signed-off-by: Shuah Khan <shuahkh@osg.samsung.com>
>> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
>>
>>
>> ---
>>  drivers/usb/usbip/usbip_common.h     |    1 +
>>  drivers/usb/usbip/vhci_sysfs.c       |   25 +++++++++++++++----------
>>  tools/usb/usbip/libsrc/vhci_driver.c |    8 ++++----
>>  3 files changed, 20 insertions(+), 14 deletions(-)
>>
>> --- a/drivers/usb/usbip/usbip_common.h
>> +++ b/drivers/usb/usbip/usbip_common.h
>> @@ -261,6 +261,7 @@ struct usbip_device {
>>  	/* lock for status */
>>  	spinlock_t lock;
>>  
>> +	int sockfd;
>>  	struct socket *tcp_socket;
>>  
>>  	struct task_struct *tcp_rx;
>> --- a/drivers/usb/usbip/vhci_sysfs.c
>> +++ b/drivers/usb/usbip/vhci_sysfs.c
>> @@ -39,16 +39,20 @@ static ssize_t status_show(struct device
>>  
>>  	/*
>>  	 * output example:
>> -	 * prt sta spd dev socket           local_busid
>> -	 * 000 004 000 000         c5a7bb80 1-2.3
>> -	 * 001 004 000 000         d8cee980 2-3.4
>> +	 * port sta spd dev      sockfd local_busid
>> +	 * 0000 004 000 00000000 000003 1-2.3
>> +	 * 0001 004 000 00000000 000004 2-3.4
>>  	 *
>> -	 * IP address can be retrieved from a socket pointer address by looking
>> -	 * up /proc/net/{tcp,tcp6}. Also, a userland program may remember a
>> -	 * port number and its peer IP address.
>> +	 * Output includes socket fd instead of socket pointer address to
>> +	 * avoid leaking kernel memory address in:
>> +	 *	/sys/devices/platform/vhci_hcd.0/status and in debug output.
>> +	 * The socket pointer address is not used at the moment and it was
>> +	 * made visible as a convenient way to find IP address from socket
>> +	 * pointer address by looking up /proc/net/{tcp,tcp6}. As this opens
>> +	 * a security hole, the change is made to use sockfd instead.
>>  	 */
>>  	out += sprintf(out,
>> -		       "prt sta spd bus dev socket           local_busid\n");
>> +		       "prt sta spd bus dev sockfd local_busid\n");
>>  
>>  	for (i = 0; i < VHCI_NPORTS; i++) {
>>  		struct vhci_device *vdev = port_to_vdev(i);
>> @@ -60,11 +64,11 @@ static ssize_t status_show(struct device
>>  			out += sprintf(out, "%03u %08x ",
>>  				       vdev->speed, vdev->devid);
>>  			out += sprintf(out, "%16p ", vdev->ud.tcp_socket);
>> +			out += sprintf(out, "%06u", vdev->ud.sockfd);
>>  			out += sprintf(out, "%s", dev_name(&vdev->udev->dev));
> 
> This backport is wrong; it's still printing the pointer...
> 
> Eric
> 

Eric,

Yes I have a patch ready to send to fix this problem. My bad.

thanks,
-- Shuah