Received: by 10.223.176.5 with SMTP id f5csp1136440wra; Wed, 7 Feb 2018 13:21:59 -0800 (PST) X-Google-Smtp-Source: AH8x224xFYK/ymZ/EB453VVoiT+LkHOhN6nrLBGfjRGnBhZzmeoT+nZsi94UCrPP8noVfK09Ge4L X-Received: by 10.101.96.71 with SMTP id b7mr6120236pgv.339.1518038519706; Wed, 07 Feb 2018 13:21:59 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1518038519; cv=none; d=google.com; s=arc-20160816; b=l/DJ/X+VGPhhncnRuBeXxLmmdQWrSrvfaNSgx7BvL5KjQf0TDN5dsjdSm228BLvwj0 m4fE5H+4sO7wve7Z/6XuECkj4B2gfWQi5LS0D2Zqgk3pivoGfe+EDRSHBhDWG8TWqVhe YM73u4+/yMnrhVl4AYBr2NjUmbqB2v6o6TTye6oV426DdXdoEs3kl7ynDoFmcxuXHODf yxfEEj2ds0m4ZxGJVQHgMj8a9ZlCbBabMVuWmBZYM5/p1V4V+5u6mvkcjtclL5ECfHM9 tlR1boXk3NpNt8Wa69iZt4FhTEjQQUXziB+hsrhxlbcgAHagYjq77r9qA+tLbcdDDX3U IKdw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:references:in-reply-to:references :in-reply-to:message-id:date:subject:cc:to:from :arc-authentication-results; bh=yw2m25xukWsqWH5v0bgQ/I5uz1z9McPCpZWFI+jxXfI=; b=ehpQDS6xTDz4wsN38t7xlQ6kUiIuLhrX3Kdb6fERqYFPl2z66FuPYag95JkjC9hJjO QHVLOUeNdSpwoBT4WW3ZOzghBi7VQdvzH0Yev5edgWJNp5C8Bj8L6VcQwmRWp5/AksKo DO95kn9IPiRnafgBugSqJMU9iReJMmOehGRLgYHyNKuKnETFSiFd6y+Fc+gaT6ZnT2lv K8SD58Iinq1CX2E3E0KhV5ue2zocnpSRVFJSM0JDR/fPqyCjFhsTtybs5cfzf0aZqCMT riyd3W0JmkQkI2njczVhPa+cfyuoVN/TVFZ9j6mlQfrOP+mgojXm0YhhLpVjDjDlMMvf 0rUA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=samsung.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id k192si1429785pgc.299.2018.02.07.13.21.46; Wed, 07 Feb 2018 13:21:59 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=samsung.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S932350AbeBGVVI (ORCPT + 99 others); Wed, 7 Feb 2018 16:21:08 -0500 Received: from osg.samsung.com ([64.30.133.232]:57658 "EHLO osg.samsung.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S932202AbeBGVVC (ORCPT ); Wed, 7 Feb 2018 16:21:02 -0500 Received: from localhost (localhost [127.0.0.1]) by osg.samsung.com (Postfix) with ESMTP id 951C01B298; Wed, 7 Feb 2018 13:21:01 -0800 (PST) X-Virus-Scanned: Debian amavisd-new at dev.s-opensource.com X-Amavis-Alert: BAD HEADER SECTION, Duplicate header field: "References" Received: from osg.samsung.com ([127.0.0.1]) by localhost (localhost [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Xz0V8tQRfV6S; Wed, 7 Feb 2018 13:21:00 -0800 (PST) Received: from localhost.localdomain (c-24-9-64-241.hsd1.co.comcast.net [24.9.64.241]) by osg.samsung.com (Postfix) with ESMTPSA id C7D311B26A; Wed, 7 Feb 2018 13:20:55 -0800 (PST) From: Shuah Khan To: valentina.manea.m@gmail.com, shuah@kernel.org, gregkh@linuxfoundation.org Cc: Shuah Khan , linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org Subject: [PATCH 3.18 3/9] usbip: prevent vhci_hcd driver from leaking a socket pointer address Date: Wed, 7 Feb 2018 14:20:26 -0700 Message-Id: <6ef62df7d7e421dbd71d065f7c1472a8d7c187e6.1518036867.git.shuahkh@osg.samsung.com> X-Mailer: git-send-email 2.14.1 In-Reply-To: References: In-Reply-To: References: Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org commit 2f2d0088eb93 ("usbip: prevent vhci_hcd driver from leaking a socket pointer address") When a client has a USB device attached over IP, the vhci_hcd driver is locally leaking a socket pointer address via the /sys/devices/platform/vhci_hcd/status file (world-readable) and in debug output when "usbip --debug port" is run. Fix it to not leak. The socket pointer address is not used at the moment and it was made visible as a convenient way to find IP address from socket pointer address by looking up /proc/net/{tcp,tcp6}. As this opens a security hole, the fix replaces socket pointer address with sockfd. Reported-by: Secunia Research Signed-off-by: Shuah Khan --- drivers/usb/usbip/usbip_common.h | 1 + drivers/usb/usbip/vhci_sysfs.c | 26 +++++++++++++++----------- tools/usb/usbip/libsrc/vhci_driver.c | 8 ++++---- 3 files changed, 20 insertions(+), 15 deletions(-) diff --git a/drivers/usb/usbip/usbip_common.h b/drivers/usb/usbip/usbip_common.h index 86b08475c254..f875ccaa55f9 100644 --- a/drivers/usb/usbip/usbip_common.h +++ b/drivers/usb/usbip/usbip_common.h @@ -261,6 +261,7 @@ struct usbip_device { /* lock for status */ spinlock_t lock; + int sockfd; struct socket *tcp_socket; struct task_struct *tcp_rx; diff --git a/drivers/usb/usbip/vhci_sysfs.c b/drivers/usb/usbip/vhci_sysfs.c index 211f43f67ea2..f05f1e0a2baf 100644 --- a/drivers/usb/usbip/vhci_sysfs.c +++ b/drivers/usb/usbip/vhci_sysfs.c @@ -39,16 +39,20 @@ static ssize_t status_show(struct device *dev, struct device_attribute *attr, /* * output example: - * prt sta spd dev socket local_busid - * 000 004 000 000 c5a7bb80 1-2.3 - * 001 004 000 000 d8cee980 2-3.4 + * prt sta spd dev sockfd local_busid + * 0000 004 000 00000000 000003 1-2.3 + * 0001 004 000 00000000 000004 2-3.4 * - * IP address can be retrieved from a socket pointer address by looking - * up /proc/net/{tcp,tcp6}. Also, a userland program may remember a - * port number and its peer IP address. + * Output includes socket fd instead of socket pointer address to + * avoid leaking kernel memory address in: + * /sys/devices/platform/vhci_hcd.0/status and in debug output. + * The socket pointer address is not used at the moment and it was + * made visible as a convenient way to find IP address from socket + * pointer address by looking up /proc/net/{tcp,tcp6}. As this opens + * a security hole, the change is made to use sockfd instead. */ out += sprintf(out, - "prt sta spd bus dev socket local_busid\n"); + "prt sta spd dev sockfd local_busid\n"); for (i = 0; i < VHCI_NPORTS; i++) { struct vhci_device *vdev = port_to_vdev(i); @@ -59,12 +63,11 @@ static ssize_t status_show(struct device *dev, struct device_attribute *attr, if (vdev->ud.status == VDEV_ST_USED) { out += sprintf(out, "%03u %08x ", vdev->speed, vdev->devid); - out += sprintf(out, "%16p ", vdev->ud.tcp_socket); + out += sprintf(out, "%06u ", vdev->ud.sockfd); out += sprintf(out, "%s", dev_name(&vdev->udev->dev)); - } else { - out += sprintf(out, "000 000 000 0000000000000000 0-0"); - } + } else + out += sprintf(out, "000 00000000 000000 0-0"); out += sprintf(out, "\n"); spin_unlock(&vdev->ud.lock); @@ -223,6 +226,7 @@ static ssize_t store_attach(struct device *dev, struct device_attribute *attr, vdev->devid = devid; vdev->speed = speed; + vdev->ud.sockfd = sockfd; vdev->ud.tcp_socket = socket; vdev->ud.status = VDEV_ST_NOTASSIGNED; diff --git a/tools/usb/usbip/libsrc/vhci_driver.c b/tools/usb/usbip/libsrc/vhci_driver.c index ad9204773533..1274f326242c 100644 --- a/tools/usb/usbip/libsrc/vhci_driver.c +++ b/tools/usb/usbip/libsrc/vhci_driver.c @@ -55,12 +55,12 @@ static int parse_status(const char *value) while (*c != '\0') { int port, status, speed, devid; - unsigned long socket; + int sockfd; char lbusid[SYSFS_BUS_ID_SIZE]; - ret = sscanf(c, "%d %d %d %x %lx %31s\n", + ret = sscanf(c, "%d %d %d %x %u %31s\n", &port, &status, &speed, - &devid, &socket, lbusid); + &devid, &sockfd, lbusid); if (ret < 5) { dbg("sscanf failed: %d", ret); @@ -69,7 +69,7 @@ static int parse_status(const char *value) dbg("port %d status %d speed %d devid %x", port, status, speed, devid); - dbg("socket %lx lbusid %s", socket, lbusid); + dbg("sockfd %u lbusid %s", sockfd, lbusid); /* if a device is connected, look at it */ -- 2.14.1