References: <20221123124620.1387499-1-gregkh@linuxfoundation.org> <2023070430-fragment-remember-2fdd@gregkh> <6a4a8980912380085ea628049b5e19e38bcd8e1d.camel@sipsolutions.net> <2023071222-asleep-vacancy-4cfa@gregkh> <2d26c0028590a80e7aa80487cbeffd5ca6e6a5ea.camel@sipsolutions.net> <2023071333-wildly-playroom-878b@gregkh>
From: Maciej Żenczykowski
Date: Thu, 13 Jul 2023 11:49:31 +0200
Subject: Re: [PATCH] USB: disable all RNDIS protocol drivers
To: Oliver Neukum
Cc: Greg Kroah-Hartman, Johannes Berg, Enrico Mioso, Jan Engelhardt, linux-kernel@vger.kernel.org, "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, Kalle Valo, Oleksij Rempel, Neil Armstrong, Mauro Carvalho Chehab, Andrzej Pietrasiewicz, Jacopo Mondi, Łukasz Stelmach, Laurent Pinchart, linux-usb@vger.kernel.org, netdev@vger.kernel.org, linux-wireless@vger.kernel.org, Ilja Van Sprundel, Joseph Tartaro
X-Mailing-List: linux-kernel@vger.kernel.org

I know the NCM protocol a *lot* better than I do RNDIS, but...

RNDIS is just passing around chunks of memory (packets with some metadata) over a USB channel. *Any and all* exploits can be fixed - this isn't a complex DMA-level HW problem like PCIe or FireWire. The trouble is finding the problems (i.e. the places where input validation is missing or wrong).

Indeed, if you can write an exploit, it means you understand the problem well enough to fix it, and indeed fixing it is going to be *much* easier than writing the exploit. (The hard part is finding the problems.)

The (rndis host) code could probably be audited - the protocol is not (AFAIK) that complex, nor is the driver all that large.

I no longer have the email reporting the problems (deleted in a mass inbox-zero purge by mistake), but from what I recall at least a few of them should have been fixable by making types unsigned instead of signed and the like (i.e. adding basic checks for whether values are in range).

As for things we can do:

- I think we can outright delete Linux's RNDIS gadget side code - that should be half the problem. Why?
Because Linux/Mac support better protocols (CDC NCM) and Windows 10+ NCM support exists too. (Though the Windows driver is AFAIK a little bit buggier than I'd like...)

Android devices (phones, etc.) that support RNDIS gadget side don't (AFAIK) use the upstream rndis gadget code anyway; they use out-of-tree versions with offload support (at least AFAIK that's the case for Qualcomm chipsets). Devices without HW reasons (offload) to use RNDIS can just switch to NCM.

Deleting it in Linux 6.~5+ doesn't affect older Linux versions anyway, so it doesn't affect any older devices...

(Though deleting the code does mean we lose the ability to test Linux host side with Linux gadget side... I guess you can always just use an old kernel (or even just an old phone) on the gadget side to test that combo...)

- I think we could change the RNDIS host side driver to be disabled by default (or even experimental).

However, be aware people (Linux users wanting to USB tether their laptops off of most Android phones out there) will complain if we do this, and distros will end up enabling them anyway.

What we should really do is just start finding/fixing the bugs in the rndis_host side. It *cannot* be that hard.

If someone re-forwards me the kernel-security report, I promise to send back at least a few fixes...
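The class of bug described in the message above (an offset or length field read as a signed value, so a large attacker-chosen value turns negative and slips past a bounds check that looks correct) is easy to show on the RNDIS packet-message header. What follows is an added example written for this page; it is not code from the kernel's rndis_host driver, from the RNDIS gadget driver, or from anyone in this thread, and it does not describe any reported bug. It parses a constructed REMOTE_NDIS_PACKET_MSG header twice, once with the signed-int form and once with an unsigned, overflow-safe form, over three constructed messages, one well-formed and two with wrapped DataOffset/DataLength fields. The header layout (MessageType, MessageLength, DataOffset, DataLength as little-endian 32-bit fields, DataOffset counted from the start of the DataOffset field) follows the RNDIS specification; the helper names, the 44-byte header constant, and the policy that payload must start after the header and carry at least an Ethernet header are this example's own assumptions.

```c
/* Added example: signed vs. unsigned bounds checking on an RNDIS packet header.
 * Constructed for illustration; not the Linux rndis_host driver's code. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define RNDIS_MSG_PACKET      0x00000001u
#define RNDIS_PACKET_HDR_LEN  44u   /* 11 little-endian 32-bit fields (assumed fixed header) */
#define ETH_HLEN              14u   /* minimum useful payload: one Ethernet header */

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void put32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Serialise a packet message: header with caller-supplied (possibly lying) DataOffset and
 * DataLength fields, followed by payload_len bytes of constructed dummy payload.
 * out must hold at least RNDIS_PACKET_HDR_LEN + payload_len bytes. Returns total length. */
size_t build_packet_msg(uint8_t *out, uint32_t data_off, uint32_t data_len, size_t payload_len)
{
    size_t total = RNDIS_PACKET_HDR_LEN + payload_len;
    memset(out, 0, total);                 /* OOB and per-packet-info fields stay zero */
    put32(out + 0, RNDIS_MSG_PACKET);
    put32(out + 4, (uint32_t)total);       /* MessageLength */
    put32(out + 8, data_off);              /* DataOffset, relative to this field */
    put32(out + 12, data_len);             /* DataLength */
    for (size_t i = 0; i < payload_len; i++)
        out[RNDIS_PACKET_HDR_LEN + i] = (uint8_t)(0xA0 + i);
    return total;
}

/* Buggy form: fields held in int. Values >= 2^31 wrap to negatives (implementation-defined,
 * but that is what gcc/clang do), so the sum in the "bounds check" shrinks and passes.
 * Returns 0 and the computed payload offset/length if the header is accepted, -1 otherwise. */
int parse_packet_signed(const uint8_t *buf, size_t buf_len, long *off, long *len)
{
    if (buf_len < RNDIS_PACKET_HDR_LEN) return -1;
    int msg_type = (int)le32(buf + 0);
    int msg_len  = (int)le32(buf + 4);
    int data_off = (int)le32(buf + 8);
    int data_len = (int)le32(buf + 12);
    if (msg_type != (int)RNDIS_MSG_PACKET) return -1;
    if (msg_len < 0 || (size_t)msg_len > buf_len) return -1;
    /* Looks like a bounds check, but a negative data_off or data_len sails through. */
    if (8 + data_off + data_len > msg_len) return -1;
    *off = 8L + data_off;   /* may be before the buffer */
    *len = data_len;        /* may be negative, i.e. huge once cast to size_t */
    return 0;
}

/* Hardened form: unsigned fields, 64-bit arithmetic so offset + length cannot wrap, and the
 * payload must lie after the header and inside the message (assumed policy for this example). */
int parse_packet_checked(const uint8_t *buf, size_t buf_len, size_t *off, size_t *len)
{
    if (buf_len < RNDIS_PACKET_HDR_LEN) return -1;
    uint32_t msg_type = le32(buf + 0);
    uint32_t msg_len  = le32(buf + 4);
    uint32_t data_off = le32(buf + 8);
    uint32_t data_len = le32(buf + 12);
    if (msg_type != RNDIS_MSG_PACKET) return -1;
    if (msg_len < RNDIS_PACKET_HDR_LEN || msg_len > buf_len) return -1;
    uint64_t start = 8ull + data_off;
    uint64_t end   = start + data_len;
    if (start < RNDIS_PACKET_HDR_LEN || end > msg_len) return -1;
    if (data_len < ETH_HLEN) return -1;
    *off = (size_t)start;
    *len = data_len;
    return 0;
}

int main(void)
{
    static const struct { uint32_t off, len; const char *what; } cases[] = {
        { 36u,          16u,          "well-formed"               },
        { 0xFFFFFFF0u,  16u,          "DataOffset wraps negative" },
        { 36u,          0xFFFFFFF0u,  "DataLength wraps negative" },
    };
    uint8_t buf[128];
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        size_t n = build_packet_msg(buf, cases[i].off, cases[i].len, 16);
        long so = 0, sl = 0; size_t co = 0, cl = 0;
        int rs = parse_packet_signed(buf, n, &so, &sl);
        int rc = parse_packet_checked(buf, n, &co, &cl);
        printf("%-26s signed: %s (off=%ld len=%ld)  checked: %s\n", cases[i].what,
               rs == 0 ? "ACCEPT" : "reject", so, sl, rc == 0 ? "ACCEPT" : "reject");
    }
    return 0;
}
```

The signed parser accepts all three messages, handing back an offset of -8 in the second case and a length of -16 in the third, either of which becomes an out-of-bounds read once used; the unsigned parser rejects both malformed messages and accepts only the well-formed one. This is the "make the types unsigned and add range checks" fix in its smallest form; the same pattern applies to every other offset/length pair in the header (OOB data, per-packet info).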