diff options
author | Paul Gortmaker <paul.gortmaker@windriver.com> | 2018-07-23 09:57:56 -0400 |
---|---|---|
committer | Paul Gortmaker <paul.gortmaker@windriver.com> | 2018-07-23 09:57:56 -0400 |
commit | 70aa95cb02a065d62faae88411df6434593c5c2d (patch) | |
tree | 6ac58ec70b7c27cea75c63f2eb3b6c4e00f614aa | |
parent | 4282eafe675b00afc976b973724e449956fd7e33 (diff) | |
download | longterm-queue-4.12-70aa95cb02a065d62faae88411df6434593c5c2d.tar.gz |
usbip: drop patch n/a to 4.12
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
-rw-r--r-- | queue/series | 1 | ||||
-rw-r--r-- | queue/usbip-prevent-vhci_hcd-driver-from-leaking-a-socket-.patch | 132 |
2 files changed, 0 insertions, 133 deletions
diff --git a/queue/series b/queue/series index 37f2520..32af363 100644 --- a/queue/series +++ b/queue/series @@ -7,7 +7,6 @@ USB-uas-and-storage-Add-US_FL_BROKEN_FUA-for-another.patch USB-core-prevent-malicious-bNumInterfaces-overflow.patch usbip-fix-stub_rx-get_pipe-to-validate-endpoint-numb.patch usbip-fix-stub_rx-harden-CMD_SUBMIT-path-to-handle-m.patch -usbip-prevent-vhci_hcd-driver-from-leaking-a-socket-.patch usbip-fix-stub_send_ret_submit-vulnerability-to-null.patch mmc-core-apply-NO_CMD23-quirk-to-some-specific-cards.patch ceph-drop-negative-child-dentries-before-try-pruning.patch diff --git a/queue/usbip-prevent-vhci_hcd-driver-from-leaking-a-socket-.patch b/queue/usbip-prevent-vhci_hcd-driver-from-leaking-a-socket-.patch deleted file mode 100644 index 076f83e..0000000 --- a/queue/usbip-prevent-vhci_hcd-driver-from-leaking-a-socket-.patch +++ /dev/null @@ -1,132 +0,0 @@ -From 2f2d0088eb93db5c649d2a5e34a3800a8a935fc5 Mon Sep 17 00:00:00 2001 -From: Shuah Khan <shuahkh@osg.samsung.com> -Date: Thu, 7 Dec 2017 14:16:49 -0700 -Subject: [PATCH] usbip: prevent vhci_hcd driver from leaking a socket pointer - address - -commit 2f2d0088eb93db5c649d2a5e34a3800a8a935fc5 upstream. - -When a client has a USB device attached over IP, the vhci_hcd driver is -locally leaking a socket pointer address via the - -/sys/devices/platform/vhci_hcd/status file (world-readable) and in debug -output when "usbip --debug port" is run. - -Fix it to not leak. The socket pointer address is not used at the moment -and it was made visible as a convenient way to find IP address from socket -pointer address by looking up /proc/net/{tcp,tcp6}. - -As this opens a security hole, the fix replaces socket pointer address with -sockfd. - -Reported-by: Secunia Research <vuln@secunia.com> -Cc: stable <stable@vger.kernel.org> -Signed-off-by: Shuah Khan <shuahkh@osg.samsung.com> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> - -diff --git a/drivers/usb/usbip/usbip_common.h b/drivers/usb/usbip/usbip_common.h -index e5de35c8c505..473fb8a87289 100644 ---- a/drivers/usb/usbip/usbip_common.h -+++ b/drivers/usb/usbip/usbip_common.h -@@ -256,6 +256,7 @@ struct usbip_device { - /* lock for status */ - spinlock_t lock; - -+ int sockfd; - struct socket *tcp_socket; - - struct task_struct *tcp_rx; -diff --git a/drivers/usb/usbip/vhci_sysfs.c b/drivers/usb/usbip/vhci_sysfs.c -index e78f7472cac4..091f76b7196d 100644 ---- a/drivers/usb/usbip/vhci_sysfs.c -+++ b/drivers/usb/usbip/vhci_sysfs.c -@@ -17,15 +17,20 @@ - - /* - * output example: -- * hub port sta spd dev socket local_busid -- * hs 0000 004 000 00000000 c5a7bb80 1-2.3 -+ * hub port sta spd dev sockfd local_busid -+ * hs 0000 004 000 00000000 3 1-2.3 - * ................................................ -- * ss 0008 004 000 00000000 d8cee980 2-3.4 -+ * ss 0008 004 000 00000000 4 2-3.4 - * ................................................ - * -- * IP address can be retrieved from a socket pointer address by looking -- * up /proc/net/{tcp,tcp6}. Also, a userland program may remember a -- * port number and its peer IP address. -+ * Output includes socket fd instead of socket pointer address to avoid -+ * leaking kernel memory address in: -+ * /sys/devices/platform/vhci_hcd.0/status and in debug output. -+ * The socket pointer address is not used at the moment and it was made -+ * visible as a convenient way to find IP address from socket pointer -+ * address by looking up /proc/net/{tcp,tcp6}. As this opens a security -+ * hole, the change is made to use sockfd instead. -+ * - */ - static void port_show_vhci(char **out, int hub, int port, struct vhci_device *vdev) - { -@@ -39,8 +44,8 @@ static void port_show_vhci(char **out, int hub, int port, struct vhci_device *vd - if (vdev->ud.status == VDEV_ST_USED) { - *out += sprintf(*out, "%03u %08x ", - vdev->speed, vdev->devid); -- *out += sprintf(*out, "%16p %s", -- vdev->ud.tcp_socket, -+ *out += sprintf(*out, "%u %s", -+ vdev->ud.sockfd, - dev_name(&vdev->udev->dev)); - - } else { -@@ -160,7 +165,8 @@ static ssize_t nports_show(struct device *dev, struct device_attribute *attr, - char *s = out; - - /* -- * Half the ports are for SPEED_HIGH and half for SPEED_SUPER, thus the * 2. -+ * Half the ports are for SPEED_HIGH and half for SPEED_SUPER, -+ * thus the * 2. - */ - out += sprintf(out, "%d\n", VHCI_PORTS * vhci_num_controllers); - return out - s; -@@ -366,6 +372,7 @@ static ssize_t store_attach(struct device *dev, struct device_attribute *attr, - - vdev->devid = devid; - vdev->speed = speed; -+ vdev->ud.sockfd = sockfd; - vdev->ud.tcp_socket = socket; - vdev->ud.status = VDEV_ST_NOTASSIGNED; - -diff --git a/tools/usb/usbip/libsrc/vhci_driver.c b/tools/usb/usbip/libsrc/vhci_driver.c -index 627d1dfc332b..c9c81614a66a 100644 ---- a/tools/usb/usbip/libsrc/vhci_driver.c -+++ b/tools/usb/usbip/libsrc/vhci_driver.c -@@ -50,14 +50,14 @@ static int parse_status(const char *value) - - while (*c != '\0') { - int port, status, speed, devid; -- unsigned long socket; -+ int sockfd; - char lbusid[SYSFS_BUS_ID_SIZE]; - struct usbip_imported_device *idev; - char hub[3]; - -- ret = sscanf(c, "%2s %d %d %d %x %lx %31s\n", -+ ret = sscanf(c, "%2s %d %d %d %x %u %31s\n", - hub, &port, &status, &speed, -- &devid, &socket, lbusid); -+ &devid, &sockfd, lbusid); - - if (ret < 5) { - dbg("sscanf failed: %d", ret); -@@ -66,7 +66,7 @@ static int parse_status(const char *value) - - dbg("hub %s port %d status %d speed %d devid %x", - hub, port, status, speed, devid); -- dbg("socket %lx lbusid %s", socket, lbusid); -+ dbg("sockfd %u lbusid %s", sockfd, lbusid); - - /* if a device is connected, look at it */ - idev = &vhci_driver->idev[port]; --- -2.15.0 - |