From: Ben Hutchings
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
CC: akpm@linux-foundation.org, "Greg Kroah-Hartman", "Shuah Khan", "Secunia Research"
Date: Sun, 11 Feb 2018 04:20:06 +0000
Subject: [PATCH 3.2 75/79] usbip: prevent vhci_hcd driver from leaking a socket pointer address

3.2.99-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Shuah Khan

commit 2f2d0088eb93db5c649d2a5e34a3800a8a935fc5 upstream.

When a client has a USB device attached over IP, the vhci_hcd driver is
locally leaking a socket pointer address via the
/sys/devices/platform/vhci_hcd/status file (world-readable) and in debug
output when "usbip --debug port" is run.

Fix it to not leak. The socket pointer address is not used at the moment
and it was made visible as a convenient way to find IP address from socket
pointer address by looking up /proc/net/{tcp,tcp6}.

As this opens a security hole, the fix replaces socket pointer address with
sockfd.

Reported-by: Secunia Research
Signed-off-by: Shuah Khan
Signed-off-by: Greg Kroah-Hartman
[bwh: Backported to 3.2:
 - usbip port status does not include hub type
 - Adjust filenames, context, indentation]
Signed-off-by: Ben Hutchings
---
 drivers/staging/usbip/usbip_common.h                 |  1 +
 drivers/staging/usbip/vhci_sysfs.c                   | 25 ++++++++++++++++---------
 drivers/staging/usbip/userspace/libsrc/vhci_driver.c |  8 ++++----
 3 files changed, 21 insertions(+), 13 deletions(-)

--- a/drivers/staging/usbip/usbip_common.h
+++ b/drivers/staging/usbip/usbip_common.h
@@ -276,6 +276,7 @@ struct usbip_device { /* lock for status */ spinlock_t lock; + int sockfd; struct socket *tcp_socket; struct task_struct *tcp_rx; --- a/drivers/staging/usbip/vhci_sysfs.c +++ b/drivers/staging/usbip/vhci_sysfs.c @@ -38,13 +38,18 @@ static ssize_t show_status(struct device /* * output example: - * prt sta spd dev socket local_busid - * 000 004 000 000 c5a7bb80 1-2.3 - * 001 004 000 000 d8cee980 2-3.4 + * prt sta spd dev sockfd local_busid + * 000 004 000 000 3 1-2.3 + * 001 004 000 000 4 2-3.4 + * + * Output includes socket fd instead of socket pointer address to avoid + * leaking kernel memory address in: + * /sys/devices/platform/vhci_hcd.0/status and in debug output. + * The socket pointer address is not used at the moment and it was made + * visible as a convenient way to find IP address from socket pointer + * address by looking up /proc/net/{tcp,tcp6}. As this opens a security + * hole, the change is made to use sockfd instead. * - * IP address can be retrieved from a socket pointer address by looking - * up /proc/net/{tcp,tcp6}. Also, a userland program may remember a - * port number and its peer IP address. */ out += sprintf(out, "prt sta spd bus dev socket " "local_busid\n"); @@ -58,7 +63,7 @@ static ssize_t show_status(struct device if (vdev->ud.status == VDEV_ST_USED) { out += sprintf(out, "%03u %08x ", vdev->speed, vdev->devid); - out += sprintf(out, "%16p ", vdev->ud.tcp_socket); + out += sprintf(out, "%u", vdev->ud.sockfd); out += sprintf(out, "%s", dev_name(&vdev->udev->dev)); } else { @@ -215,6 +220,7 @@ static ssize_t store_attach(struct devic vdev->devid = devid; vdev->speed = speed; + vdev->ud.sockfd = sockfd; vdev->ud.tcp_socket = socket; vdev->ud.status = VDEV_ST_NOTASSIGNED; --- a/drivers/staging/usbip/userspace/libsrc/vhci_driver.c +++ b/drivers/staging/usbip/userspace/libsrc/vhci_driver.c 
@@ -63,12 +63,12 @@ static int parse_status(char *value) while (*c != '\0') { int port, status, speed, devid; - unsigned long socket; + int sockfd; char lbusid[SYSFS_BUS_ID_SIZE]; - ret = sscanf(c, "%d %d %d %x %lx %31s\n", + ret = sscanf(c, "%d %d %d %x %u %31s\n", &port, &status, &speed, - &devid, &socket, lbusid); + &devid, &sockfd, lbusid); if (ret < 5) { dbg("sscanf failed: %d", ret); @@ -77,7 +77,7 @@ static int parse_status(char *value) dbg("port %d status %d speed %d devid %x", port, status, speed, devid); - dbg("socket %lx lbusid %s", socket, lbusid); + dbg("sockfd %u lbusid %s", sockfd, lbusid); /* if a device is connected, look at it */
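Review bot: in the vhci_sysfs.c comment hunk (`@@ -38,13 +38,18 @@ show_status`), the column header printed right after the comment is left as `"prt sta spd bus dev socket " "local_busid\n"`, so the sysfs output still labels the column `socket` while the new comment's example shows `sockfd`; rename it to `sockfd` in the sprintf header string so readers of the file are not told the value is a socket address. The same comment cites `/sys/devices/platform/vhci_hcd.0/status` while the commit message cites `/sys/devices/platform/vhci_hcd/status`; the two should agree on the path that 3.2 actually registers.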
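Review bot: in the show_status print hunk (`@@ -58,7 +63,7 @@`), the replacement `out += sprintf(out, "%u", vdev->ud.sockfd);` drops the trailing space that `"%16p "` had, and the unchanged next line appends `"%s"` (the bus id) directly, so a used port now prints as `31-2.3` instead of `3 1-2.3`. The userspace parser changed in this same patch scans that column with `%u` followed by `%31s`, so it will take `31` as the fd and `-2.3` as the bus id. Use `"%u "` (with the space) to keep the columns separated; and since `sockfd` is declared `int`, `"%d "` would also match its type.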
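Review bot: in the vhci_driver.c parse_status hunk (`@@ -63,12 +63,12 @@`), `sockfd` is declared `int` but scanned with `%u` (and printed with `%u` in the dbg call of the following hunk); use `%d` for both, or declare it `unsigned int`, so the conversion matches the type. The unchanged `if (ret < 5)` check also still accepts a line where only five of the six conversions succeeded, leaving `lbusid` uninitialized before it is used; `ret < 6` (or zero-initializing `lbusid`) would be safer now that the format is being touched.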
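As an added example, not code from the patch or from the usbip project, the following check parses a vhci_hcd status file the way the userspace parser above does and reports whether the socket column still carries a kernel address (pre-fix kernels) or a small fd number (fixed kernels). The x86 address thresholds used to recognise a kernel pointer, the two sample status texts and their values are assumptions constructed for the example.

```c
/*
 * Added example (not part of the patch or the usbip project): check whether
 * a vhci_hcd "status" file exposes kernel pointers in its socket column.
 * Kernel-address thresholds assume x86 layouts; sample rows are constructed.
 */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SYSFS_BUS_ID_SIZE 32

struct vhci_row {
	int port, status, speed;
	unsigned int devid;
	char sock_col[32];              /* fifth column exactly as printed */
	char lbusid[SYSFS_BUS_ID_SIZE];
};

/* Heuristic: an 8- or 16-digit hex token inside the x86 kernel address
 * range.  A small decimal fd such as "3" never matches. */
static int looks_like_kernel_pointer(const char *tok)
{
	size_t len = strlen(tok);
	unsigned long long v;

	if (len != 8 && len != 16)
		return 0;
	for (size_t i = 0; i < len; i++)
		if (!isxdigit((unsigned char)tok[i]))
			return 0;
	v = strtoull(tok, NULL, 16);
	if (len == 8)
		return v >= 0xc0000000ULL;          /* i386, 3G/1G split */
	return v >= 0xffff800000000000ULL;          /* x86-64 kernel half */
}

/* Parse one row: port status speed devid <socket column> bus-id.
 * The header line and anything that does not scan fully are rejected,
 * which is also what happens when the space before the bus id is missing. */
static int parse_status_line(const char *line, struct vhci_row *row)
{
	int n = sscanf(line, "%d %d %d %x %31s %31s",
		       &row->port, &row->status, &row->speed, &row->devid,
		       row->sock_col, row->lbusid);
	return n == 6;
}

/* Number of rows whose socket column looks like a kernel pointer,
 * or -1 on allocation failure. */
static int count_leaking_rows(const char *status)
{
	size_t n = strlen(status) + 1;
	char *copy = malloc(n);
	int leaks = 0;

	if (!copy)
		return -1;
	memcpy(copy, status, n);
	for (char *line = strtok(copy, "\n"); line; line = strtok(NULL, "\n")) {
		struct vhci_row row;

		if (parse_status_line(line, &row) &&
		    looks_like_kernel_pointer(row.sock_col))
			leaks++;
	}
	free(copy);
	return leaks;
}

/* Constructed pre-fix output (32-bit kernel, made-up values). */
static const char sample_old[] =
	"prt sta spd bus dev socket local_busid\n"
	"000 004 003 00010002 c5a7bb80 1-2.3\n"
	"001 004 002 00010003 d8cee980 2-3.4\n";

/* Constructed post-fix output: the column is the attaching process's fd. */
static const char sample_new[] =
	"prt sta spd bus dev sockfd local_busid\n"
	"000 004 003 00010002 3 1-2.3\n"
	"001 004 002 00010003 4 2-3.4\n";

/* Read a sysfs attribute (at most one page) into a static buffer. */
static char *read_status_file(const char *path)
{
	static char buf[8192];
	FILE *f = fopen(path, "r");
	size_t got;

	if (!f)
		return NULL;
	got = fread(buf, 1, sizeof(buf) - 1, f);
	fclose(f);
	buf[got] = '\0';
	return buf;
}

int main(int argc, char **argv)
{
	/* Usage on a live system:
	 *   ./vhci_leak_check /sys/devices/platform/vhci_hcd/status */
	if (argc > 1) {
		char *text = read_status_file(argv[1]);
		int leaks;

		if (!text) {
			perror(argv[1]);
			return 2;
		}
		leaks = count_leaking_rows(text);
		printf("%s: %d row(s) expose a kernel pointer\n", argv[1], leaks);
		return leaks > 0;
	}
	printf("pre-fix sample:  %d leaking row(s)\n", count_leaking_rows(sample_old));
	printf("post-fix sample: %d leaking row(s)\n", count_leaking_rows(sample_new));
	return 0;
}
```

Run without arguments it scans the two constructed samples; with a path it reads the real sysfs file and exits non-zero if any used port still shows a kernel address, so it can be dropped into a post-upgrade check.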