Received: by 2002:a05:6358:d09b:b0:dc:cd0c:909e with SMTP id jc27csp7616037rwb; Wed, 23 Nov 2022 08:36:33 -0800 (PST) X-Google-Smtp-Source: AA0mqf5i2DRpKY2OR6doU5a3RssRNR2CyqcGpSes2U6FkUj2qJ//dWhEc9gNX31qZZKg7yCSeeo+ X-Received: by 2002:a05:6402:1802:b0:461:72cb:e5d with SMTP id g2-20020a056402180200b0046172cb0e5dmr18161102edy.410.1669221393026; Wed, 23 Nov 2022 08:36:33 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1669221393; cv=none; d=google.com; s=arc-20160816; b=tOfUB47DlA0XYMiz3RhG+4wCZW8MB1tYCPeMR8mEeExR9FSuaSfy9J07sBpXbULVbA 3Y4dbzWd6ETirqXfyUbTMmO4q/fVCa9GFFz7E6XbksMK2DNZ/INAJ+ZqnhyP50tdOcvZ TBwvSSGcoohiVagItBXuJWi0LfzlC0sDNGfprfhLAjQxuSTsHWfVfKS61M+RODGIcCWz h0Kt0R5PECSg1o2tZBa/Qh1h/Tpo1VYCnoZpnQKxJSPL2LqEpVIa8GQlICZ9WMV5wRTa 9y2OOctxSiFlFvP4oskop0z7lSZkL1rP0SdAVKBdhOy2TogVsOLlM8whxc7wLhakkNpQ 8BTQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:mime-version:user-agent :content-transfer-encoding:references:in-reply-to:date:cc:to:from :subject:message-id:dkim-signature; bh=aoAeMEdmL2MvS8jsSZitNEibkl3qtsPxiMd3aeqhHUA=; b=PSNhWnZKLuCHsR3Ypal3ZYTLtUK3fmm0fzCpMpxEb2etag1eSIghyJJajPUxaDve5b Z0CgMKuUgdCJzkcEOFimPKN4YXp/cnoyxCu7KyoGRjbSVnu1IjRXdg9cEPohtDgqD/t+ oj+y9K//v0f6OdNRoehuH1MfhQ0CBG4h4rLD6wxv17pJBvSllKW4ixzxHB6VUVQfU7OH q295jWHnCX2dcg7wFUDPodeC8wFAKveVv2LwZ+J8lo4+J4qrWvpn2p69ZcG93Z2ObLfa UNPzOnt8p/d1D1cS0rGMdIUKroQTEYpUE4XTt2p62vExBZMErU1fB10JjEEl4TZJcaoN aKZQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@sipsolutions.net header.s=mail header.b="s/OgaVQk"; spf=pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org; dmarc=pass (p=NONE sp=REJECT dis=NONE) header.from=sipsolutions.net Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id pj17-20020a170906d79100b007a45e4f4ff0si9182196ejb.885.2022.11.23.08.36.11; Wed, 23 Nov 2022 08:36:33 -0800 (PST) Received-SPF: pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@sipsolutions.net header.s=mail header.b="s/OgaVQk"; spf=pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org; dmarc=pass (p=NONE sp=REJECT dis=NONE) header.from=sipsolutions.net Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S239121AbiKWQ2O (ORCPT + 68 others); Wed, 23 Nov 2022 11:28:14 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:53312 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S239112AbiKWQ1r (ORCPT ); Wed, 23 Nov 2022 11:27:47 -0500 Received: from sipsolutions.net (s3.sipsolutions.net [IPv6:2a01:4f8:191:4433::2]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id EC2A319022; Wed, 23 Nov 2022 08:27:44 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sipsolutions.net; s=mail; h=MIME-Version:Content-Transfer-Encoding: Content-Type:References:In-Reply-To:Date:Cc:To:From:Subject:Message-ID:Sender :Reply-To:Content-ID:Content-Description:Resent-Date:Resent-From:Resent-To: Resent-Cc:Resent-Message-ID; bh=aoAeMEdmL2MvS8jsSZitNEibkl3qtsPxiMd3aeqhHUA=; t=1669220866; x=1670430466; b=s/OgaVQksgPM11mqnSsPiDaP/NHFjYR7vVz5JDzgEBnWuA7 Hp44u74sLT+yntwaTD8CCxLn+EZTANA5GdKOcye2SxWUbq4U5b6Rh1bzt73N7q4ni8gSfDVQogkVL L1pYiIpeL5Qe0u+g3RJD1Cv0Zg3s+ryE82iNpqd8TYcOtPdPg/dTM1sjTzlmsn21oT33L/WEkf8pn TUC88MYM+pg548J0DDcYfyV/2mB8iBHrUElcnFWJo43dndQATe9LNBFOitONGNla9llEz8SFbIhdO Slkry0S1Wb8g28ZmEnhTdIhidJ+OA7QayG+EWpeAk4uqOWmRr7xAtmrBkUQ0gjPQ==; Received: by sipsolutions.net with esmtpsa (TLS1.3:ECDHE_X25519__RSA_PSS_RSAE_SHA256__AES_256_GCM:256) (Exim 4.96) (envelope-from ) id 1oxsay-007Fjd-0F; Wed, 23 Nov 2022 17:27:32 +0100 Message-ID: Subject: Re: [PATCH] USB: disable all RNDIS protocol drivers From: Johannes Berg To: Greg Kroah-Hartman Cc: linux-kernel@vger.kernel.org, "David S. Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni , Kalle Valo , Oleksij Rempel , Maciej =?UTF-8?Q?=C5=BBenczykowski?= , Neil Armstrong , Mauro Carvalho Chehab , Andrzej Pietrasiewicz , Jacopo Mondi , =?UTF-8?Q?=C5=81ukasz?= Stelmach , Laurent Pinchart , linux-usb@vger.kernel.org, netdev@vger.kernel.org, linux-wireless@vger.kernel.org, Ilja Van Sprundel , Joseph Tartaro Date: Wed, 23 Nov 2022 17:27:30 +0100 In-Reply-To: References: <20221123124620.1387499-1-gregkh@linuxfoundation.org> <9b78783297db1ebb1a7cd922be7eef0bf33b75b9.camel@sipsolutions.net> Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable User-Agent: Evolution 3.44.4 (3.44.4-2.fc36) MIME-Version: 1.0 X-malware-bazaar: not-scanned X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,SPF_HELO_PASS,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-wireless@vger.kernel.org On Wed, 2022-11-23 at 16:05 +0100, Greg Kroah-Hartman wrote: > On Wed, Nov 23, 2022 at 03:20:36PM +0100, Johannes Berg wrote: > > On Wed, 2022-11-23 at 13:46 +0100, Greg Kroah-Hartman wrote: > > > The Microsoft RNDIS protocol is, as designed, insecure and vulnerable= on > > > any system that uses it with untrusted hosts or devices. Because the > > > protocol is impossible to make secure, just disable all rndis drivers= to > > > prevent anyone from using them again. > > >=20 > >=20 > > Not that I mind disabling these, but is there any more detail available > > on this pretty broad claim? :) >=20 > I don't want to get into specifics in public any more than the above. Fair. > The protocol was never designed to be used with untrusted devices. It > was created, and we implemented support for it, when we trusted USB > devices that we plugged into our systems, AND we trusted the systems we > plugged our USB devices into. So at the time, it kind of made sense to > create this, and the USB protocol class support that replaced it had not > yet been released. >=20 > As designed, it really can not work at all if you do not trust either > the host or the device, due to the way the protocol works. And I can't > see how it could be fixed if you wish to remain compliant with the > protocol (i.e. still work with Windows XP systems.) I guess I just don't see how a USB-based protocol can be fundamentally insecure (to the host), when the host is always in control over messages and parses their content etc.? I can see this with e.g. firewire which must allow DMA access, and now with Thunderbolt we have the same and ended up with boltd, but USB? > Today, with untrusted hosts and devices, it's time to just retire this > protcol. As I mentioned in the patch comments, Android disabled this > many years ago in their devices, with no loss of functionality. I'm not sure Android counts that much, FWIW, at least for WiFi there really is no good reason to plug in a USB WiFi dongle into an Android phone, and quick googling shows that e.g. Android TV may - depending on build - support/permit RNDIS Ethernet? Anyway, there was probably exactly one RNDIS WiFi dongle from Broadcom (for some kind of console IIRC), so it's not a huge loss. Just having issues with the blanket statement that a USB protocol can be designed as inscure :) johannes