Received: by 2002:a05:6358:d09b:b0:dc:cd0c:909e with SMTP id jc27csp7922393rwb;
        Wed, 23 Nov 2022 12:39:44 -0800 (PST)
X-Google-Smtp-Source: AA0mqf4PmyKAK7DQbFGmSAkJBXnS9sqhum+55g3a6PyVDdq3ymZWwQ0P1O24+oIKumWl0DmoTY8p
X-Received: by 2002:a63:544b:0:b0:477:6336:dddf with SMTP id e11-20020a63544b000000b004776336dddfmr10388707pgm.371.1669235984690;
        Wed, 23 Nov 2022 12:39:44 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1669235984; cv=none;
        d=google.com; s=arc-20160816;
        b=m6nqs2lgLDYLUCTEJSpHCOr2FiM4IduQNj2s3eHWOrxmncrg/88IfvLRUdKYS9zdPB
         KgbguzeYbctJDVYkdTyIzY6uJkr0kf7QJyezfgLWxno0pTb2K5g3m7FDVr4bpplOQDMA
         BmeVvLgONcpDsfweO7tJ6fBgyX4HBn1SLVFZVmXFf3kWP1h53t1sEwZqAR5s1QKIfZRm
         gIa/smExm3mWN7O8fX+CCnQ5SpFqmue+gplYaeaWwR7twdpm3JeqP+lAzRwvo9NyUgMt
         0Hn3ZjtK7Fqad43oPz6cHqFRONBcvVc2gJQGzTDwz7dztIkR3uU8MB2HaUyFE+B/Up/U
         NyZg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:cc:to:subject
         :message-id:date:from:in-reply-to:references:mime-version
         :dkim-signature;
        bh=zjgLfIgymxMMYmWuqWPWGKjG2YLyiLx1k/rybg/+Fog=;
        b=RnuTR7LUNov2S3vBNxbUFnb/IR6g4O14doipINhbZJ/R9Ap1NA9pLauoCoD8mS7wer
         c1bmR5TJVpVzdaDMyugJPwJrwn7rqrSEIs5kl23VHzf7lKHeKZMtHMyax/W1UZJBHoqk
         h1zCAzz7+8CHyWRpKbjd5MSnyaNW3ENzoD+UecQ5/7UxY5gbUL6Xg+tL9IXsCwT4MH2m
         IG7a88WNYuD2b8dmX2sz+Jl91tuTr3sT09/reIpTcx0nlk5aSQ3dzToFkwytxP4De8+O
         8TONnwEm0ME99BZgd+RDX54UWLgSMSY1JXOFZAkvN5eqy3oV8eBZ7aa6CzXApKq4eEF7
         8YDw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@google.com header.s=20210112 header.b=emU5TDI2;
       spf=pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Return-Path: <linux-wireless-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id t10-20020a1709027fca00b001889ad48288si17168105plb.384.2022.11.23.12.39.31;
        Wed, 23 Nov 2022 12:39:44 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@google.com header.s=20210112 header.b=emU5TDI2;
       spf=pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S238741AbiKWUcH (ORCPT <rfc822;ray.jantz@gmail.com> + 68 others);
        Wed, 23 Nov 2022 15:32:07 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:56044 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S239629AbiKWUbN (ORCPT
        <rfc822;linux-wireless@vger.kernel.org>);
        Wed, 23 Nov 2022 15:31:13 -0500
Received: from mail-il1-x131.google.com (mail-il1-x131.google.com [IPv6:2607:f8b0:4864:20::131])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 4570C24942
        for <linux-wireless@vger.kernel.org>; Wed, 23 Nov 2022 12:27:50 -0800 (PST)
Received: by mail-il1-x131.google.com with SMTP id h2so8364384ile.11
        for <linux-wireless@vger.kernel.org>; Wed, 23 Nov 2022 12:27:50 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20210112;
        h=content-transfer-encoding:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:from:to:cc:subject:date
         :message-id:reply-to;
        bh=zjgLfIgymxMMYmWuqWPWGKjG2YLyiLx1k/rybg/+Fog=;
        b=emU5TDI2MbojzF3Rj6h9/mvm8hyJXNIpA51tkz1gHiTfQayAEsPBQ8c57EjdSVqccs
         Xpq979Mpem08d0+/EvxAUPsR+Td15FmnKynt9RhYPWjx0E7slJCcosYZi9ctJgx1ibhP
         +fMSCtofTjP2GUS0UXEl/zFIlGfM9kvYGhVlAgeRCcT6GbRqa94SKJY+IVClsHzo+JQk
         KcKif6hEWTbot7A42BaIG/7YCGRlXEulSixW6AIArWBoMfkUCAVTT2s0WHP6oYcLE1co
         Sx7qud7gmKaHb/Yo7syu7hcKZAeY1zbeghQZqWoP5OT3X6K7Y/N1m0yKn6JPrWrLUWe+
         M9Cg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20210112;
        h=content-transfer-encoding:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=zjgLfIgymxMMYmWuqWPWGKjG2YLyiLx1k/rybg/+Fog=;
        b=B5AEgatYfrUFSOez4qj+rO/OOYIAOsXmhM3nk4FawOuT1bw8TLtH8oaikqeOOXvS2h
         GUuoCRklm8o9r2O0LxL10xwFZuYtdhaNZZTPu+jGuc4Q+JU4JBgS4Za0FG5teOqT+hrq
         zyRJ1RAG5Lt6ifZAhP0zuZ5GiC5FSgakksRNXyyZPCxrfJk3CBh3kyfC2mKG2UJrDNFe
         ozHfEBiqh3pvevELHAnOVDfPlrCYA8cNMbhpySHRhlnI9gqzOTdeA0tEWvlWypp1r1mL
         A50PFxNq9giGcHfzseXs+5gyZPntkUBpbgkiWHkMKXzNQWtHBsQ/kSjCBrTbyeDBmOQd
         61Dg==
X-Gm-Message-State: ANoB5pmmvmUFdfdVs8QaZon3Bl0CssJ1rC4JbUByUq+ksRLQQb1MaVgI
        YF5XNJq/rdjLNZimDB/Ut7y23CU7DdejpUZvjnPrRA==
X-Received: by 2002:a92:6e07:0:b0:300:1f82:73e5 with SMTP id
 j7-20020a926e07000000b003001f8273e5mr4494601ilc.85.1669235269478; Wed, 23 Nov
 2022 12:27:49 -0800 (PST)
MIME-Version: 1.0
References: <20221123124620.1387499-1-gregkh@linuxfoundation.org>
In-Reply-To: <20221123124620.1387499-1-gregkh@linuxfoundation.org>
From:   =?UTF-8?Q?Maciej_=C5=BBenczykowski?= <maze@google.com>
Date:   Wed, 23 Nov 2022 12:27:37 -0800
Message-ID: <CANP3RGcno+UOsNTzqQ7XXjeOEQM+wseFramNNQyZ6U3bzc1yww@mail.gmail.com>
Subject: Re: [PATCH] USB: disable all RNDIS protocol drivers
To:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc:     linux-kernel@vger.kernel.org,
        "David S. Miller" <davem@davemloft.net>,
        Eric Dumazet <edumazet@google.com>,
        Jakub Kicinski <kuba@kernel.org>,
        Paolo Abeni <pabeni@redhat.com>, Kalle Valo <kvalo@kernel.org>,
        Oleksij Rempel <linux@rempel-privat.de>,
        Neil Armstrong <neil.armstrong@linaro.org>,
        Mauro Carvalho Chehab <mchehab@kernel.org>,
        Andrzej Pietrasiewicz <andrzejtp2010@gmail.com>,
        Jacopo Mondi <jacopo@jmondi.org>,
        =?UTF-8?Q?=C5=81ukasz_Stelmach?= <l.stelmach@samsung.com>,
        Laurent Pinchart <laurent.pinchart@ideasonboard.com>,
        linux-usb@vger.kernel.org, netdev@vger.kernel.org,
        linux-wireless@vger.kernel.org,
        Ilja Van Sprundel <ivansprundel@ioactive.com>,
        Joseph Tartaro <joseph.tartaro@ioactive.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Spam-Status: No, score=-17.6 required=5.0 tests=BAYES_00,DKIMWL_WL_MED,
        DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,
        ENV_AND_HDR_SPF_MATCH,RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS,
        USER_IN_DEF_DKIM_WL,USER_IN_DEF_SPF_WL autolearn=ham
        autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-wireless.vger.kernel.org>
X-Mailing-List: linux-wireless@vger.kernel.org

On Wed, Nov 23, 2022 at 4:46 AM Greg Kroah-Hartman
<gregkh@linuxfoundation.org> wrote:
>
> The Microsoft RNDIS protocol is, as designed, insecure and vulnerable on
> any system that uses it with untrusted hosts or devices.  Because the
> protocol is impossible to make secure, just disable all rndis drivers to
> prevent anyone from using them again.
>
> Windows only needed this for XP and newer systems, Windows systems older
> than that can use the normal USB class protocols instead, which do not
> have these problems.
>
> Android has had this disabled for many years so there should not be any
> real systems that still need this.
>
> Cc: "David S. Miller" <davem@davemloft.net>
> Cc: Eric Dumazet <edumazet@google.com>
> Cc: Jakub Kicinski <kuba@kernel.org>
> Cc: Paolo Abeni <pabeni@redhat.com>
> Cc: Kalle Valo <kvalo@kernel.org>
> Cc: Oleksij Rempel <linux@rempel-privat.de>
> Cc: "Maciej =C5=BBenczykowski" <maze@google.com>
> Cc: Neil Armstrong <neil.armstrong@linaro.org>
> Cc: Mauro Carvalho Chehab <mchehab@kernel.org>
> Cc: Andrzej Pietrasiewicz <andrzejtp2010@gmail.com>
> Cc: Jacopo Mondi <jacopo@jmondi.org>
> Cc: "=C5=81ukasz Stelmach" <l.stelmach@samsung.com>
> Cc: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
> Cc: linux-usb@vger.kernel.org
> Cc: netdev@vger.kernel.org
> Cc: linux-kernel@vger.kernel.org
> Cc: linux-wireless@vger.kernel.org
> Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
> Reported-by: Joseph Tartaro <joseph.tartaro@ioactive.com>
> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> ---
> Note, I'll submit patches removing the individual drivers for later, but
> that is more complex as unwinding the interaction between the CDC
> networking and RNDIS drivers is tricky.  For now, let's just disable all
> of this code as it is not secure.
>
> I can take this through the USB tree if the networking maintainers have
> no objection.  I thought I had done this months ago, when the last round
> of "there are bugs in the protocol!" reports happened at the end of
> 2021, but forgot to do so, my fault.
>
>  drivers/net/usb/Kconfig           | 1 +
>  drivers/net/wireless/Kconfig      | 1 +
>  drivers/usb/gadget/Kconfig        | 4 +---
>  drivers/usb/gadget/legacy/Kconfig | 3 +++
>  4 files changed, 6 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/net/usb/Kconfig b/drivers/net/usb/Kconfig
> index 4402eedb3d1a..83f9c0632642 100644
> --- a/drivers/net/usb/Kconfig
> +++ b/drivers/net/usb/Kconfig
> @@ -401,6 +401,7 @@ config USB_NET_MCS7830
>  config USB_NET_RNDIS_HOST
>         tristate "Host for RNDIS and ActiveSync devices"
>         depends on USB_USBNET
> +       depends on BROKEN
>         select USB_NET_CDCETHER
>         help
>           This option enables hosting "Remote NDIS" USB networking links,

NACK.

I'm perfectly okay with disabling the gadget (guest/client/device)
side rndis drivers.
New devices (ie. phones) moving to newer kernels should simply be
switching to the NCM gadget drivers.
Especially since AFAICT this won't land until 6.2 and thus will
presumably not be in the 6.1 LTS and thus won't even end up in next
year's Android 14/U,
and instead will only be present on the absolutely freshest Android
15/V devices launching near the end of 2024 (or really in early 2025).
Additionally the gadget side upstream RNDIS implementation simply
isn't used by some chipset vendors - like Qualcomm (which AFAIK uses
an out of tree driver to provide rndis gadget with IPA hardware
offload acceleration).

However, AFAICT this patch is also disabling *HOST* side RNDIS driver suppo=
rt.

ie. the RNDIS driver you'd use on a Linux laptop to usb tether off of
an Android phone.

AFAICT this will break usb tethering off of the *vast* majority of
Android phones - likely including most of those currently being
manufactured and sold.

The only Android phones I'm actually aware of that have switched to
NCM instead of RNDIS for usb tethering are Google Pixel 6+ (ie.
6/6pro/6a/7/7pro).
Though it's possible there might be some relatively new hardware from
other phone vendors that also uses NCM - I don't track this that
closely...
I do know Android 13/T doesn't require phones to use NCM for
tethering, and I've not heard of any plans to change that with Android
14/U either...

Note that NCM isn't natively supported by Windows <10 and it required
a fair bit of 'guts' on our side to drop support for usb tethering
Windows 8.1 devices prior to Win 8.1 EOL (which is only this coming
January).

Yes, AFAICT, this patch as currently written will break usb tethering
off of a Google Pixel ../3/4/5,
and I'd assume any and all qualcomm chipset derived devices, etc...

ie. most likely the first of these two and possibly the second are required=
:
CONFIG_USB_NET_RNDIS_HOST=3Dm
CONFIG_USB_NET_RNDIS_WLAN=3Dm

(AFAIK the rndis host side driver is also used by various cell dongles
and portable cell hotspots)

[I also don't understand the commit description where it talks about
Windows XP - how is XP relevant? AFAIK the issue is with Win<10 not
WinXP]

> diff --git a/drivers/net/wireless/Kconfig b/drivers/net/wireless/Kconfig
> index cb1c15012dd0..f162b25123d7 100644
> --- a/drivers/net/wireless/Kconfig
> +++ b/drivers/net/wireless/Kconfig
> @@ -81,6 +81,7 @@ config USB_NET_RNDIS_WLAN
>         tristate "Wireless RNDIS USB support"
>         depends on USB
>         depends on CFG80211
> +       depends on BROKEN
>         select USB_NET_DRIVERS
>         select USB_USBNET
>         select USB_NET_CDCETHER
> diff --git a/drivers/usb/gadget/Kconfig b/drivers/usb/gadget/Kconfig
> index 4fa2ddf322b4..2c99d4313064 100644
> --- a/drivers/usb/gadget/Kconfig
> +++ b/drivers/usb/gadget/Kconfig
> @@ -183,9 +183,6 @@ config USB_F_EEM
>  config USB_F_SUBSET
>         tristate
>
> -config USB_F_RNDIS
> -       tristate
> -
>  config USB_F_MASS_STORAGE
>         tristate
>
> @@ -297,6 +294,7 @@ config USB_CONFIGFS_RNDIS
>         bool "RNDIS"
>         depends on USB_CONFIGFS
>         depends on NET
> +       depends on BROKEN
>         select USB_U_ETHER
>         select USB_F_RNDIS
>         help
> diff --git a/drivers/usb/gadget/legacy/Kconfig b/drivers/usb/gadget/legac=
y/Kconfig
> index 0a7b382fbe27..03d6da63edf7 100644
> --- a/drivers/usb/gadget/legacy/Kconfig
> +++ b/drivers/usb/gadget/legacy/Kconfig
> @@ -153,6 +153,7 @@ config USB_ETH
>  config USB_ETH_RNDIS
>         bool "RNDIS support"
>         depends on USB_ETH
> +       depends on BROKEN
>         select USB_LIBCOMPOSITE
>         select USB_F_RNDIS
>         default y
> @@ -247,6 +248,7 @@ config USB_FUNCTIONFS_ETH
>  config USB_FUNCTIONFS_RNDIS
>         bool "Include configuration with RNDIS (Ethernet)"
>         depends on USB_FUNCTIONFS && NET
> +       depends on BROKEN
>         select USB_U_ETHER
>         select USB_F_RNDIS
>         help
> @@ -427,6 +429,7 @@ config USB_G_MULTI
>  config USB_G_MULTI_RNDIS
>         bool "RNDIS + CDC Serial + Storage configuration"
>         depends on USB_G_MULTI
> +       depends on BROKEN
>         select USB_F_RNDIS
>         default y
>         help
> --
> 2.38.1
>
Maciej =C5=BBenczykowski, Kernel Networking Developer @ Google