Re: [PATCH] usbip: vhci_hcd: Check rhport everywhere in vhci_hub_control()

Hi Ben, Thanks for the patch. On 10/10/2018 11:30 PM, Ben Hutchings wrote: > Commit 5b22f676118f "usbip: vhci_hcd: check rhport before using in > vhci_hub_control()" added some validation of rhport, but left > several problems: > > - If VHCI_HC_PORTS < 256, we can get rhport >= VHCI_HC_PORTS

Re: [PATCH] usbip: Fix misuse of strncpy()

On 07/26/2018 04:39 AM, Ben Hutchings wrote: > On Tue, 2018-07-24 at 11:04 -0600, Shuah Khan wrote: >> On 07/20/2018 08:12 PM, Ben Hutchings wrote: >>> gcc 8 reports: >>> >>> usbip_device_driver.c: In function ‘read_usb_vudc_device’: >>> usbip_devi

Re: [PATCH] usbip: Fix misuse of strncpy()

On 07/20/2018 08:12 PM, Ben Hutchings wrote: > gcc 8 reports: > > usbip_device_driver.c: In function ‘read_usb_vudc_device’: > usbip_device_driver.c:106:2: error: ‘strncpy’ specified bound 256 equals > destination size [-Werror=stringop-truncation] > strncpy(dev->path, path, SYSFS_PATH_MAX); >

Re: [PATCH v3] usbip: dynamically allocate idev by nports found in sysfs

On 05/23/2018 03:22 AM, Michael Grzeschik wrote: > As the amount of available ports varies by the kernels build > configuration. To remove the limitation of the fixed 128 ports > we allocate the amount of idevs by using the number we get > from the kernel. > > Signed-off-by: Michael Grzeschik

Re: [PATCH v2] usbip: dynamically allocate idev by nports found in sysfs

On 05/22/2018 11:04 AM, Michael Grzeschik wrote: > As the amount of available ports varies by the kernels build > configuration. To remove the limitation of the fixed 128 ports > we allocate the amount of idevs by using the number we get > from the kernel. > > Signed-off-by: Michael Grzeschik

Re: [PATCH] usbip: dynamically allocate idev by nports found in sysfs

Hi Michael, Thanks for the patch. Couple of comments below: On 05/18/2018 08:39 AM, Michael Grzeschik wrote: > As the amount of available ports varies by the kernels build > configuration. To remove the limitation of the fixed 128 ports > we allocate the amount of idevs by using the number we

Re: [PATCH v3] usbip: vhci_sysfs: fix potential Spectre v1

v_nr, __u32 *rhport, > + enum usb_device_speed speed) > { > if (!valid_port(pdev_nr, rhport)) { > return 0; > @@ -322,7 +330,7 @@ static ssize_t attach_store(struct device *dev, struct > device_attribute *attr, >

Re: [PATCH v2] usbip: vhci_sysfs: fix potential Spectre v1

On 05/18/2018 07:47 AM, Greg Kroah-Hartman wrote: > On Thu, May 17, 2018 at 03:16:28PM -0500, Gustavo A. R. Silva wrote: >> pdev_nr and rhport can be controlled by user-space, hence leading to >> a potential exploitation of the Spectre variant 1 vulnerability. >> >> This issue was detected with

[PATCH] usbip: usbip_host: fix bad unlock balance during stub_probe()

7c ("usbip: usbip_host: fix NULL-ptr deref and use-after-free errors") in usb-linus Signed-off-by: Shuah Khan (Samsung OSG) <sh...@kernel.org> --- drivers/usb/usbip/stub_main.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/usb/usbip/stub_main.c b/dri

[PATCH] usbip: usbip_host: fix NULL-ptr deref and use-after-free errors

() and stub_device_rebind() call put_busid_priv() to release the busid lock before returning. This changes fixes the unprotected code paths eliminating the race conditions in updating the busid entries. Signed-off-by: Shuah Khan (Samsung OSG) <sh...@kernel.org> --- drivers/usb/usbip/stub.h

Re: [REBASED PATCH 1/2] usbip: usbip_host: delete device from busid_table after rebind

On 04/30/2018 04:48 PM, Greg KH wrote: > On Mon, Apr 30, 2018 at 04:17:19PM -0600, Shuah Khan (Samsung OSG) wrote: >> Device is left in the busid_table after unbind and rebind. Rebind >> initiates usb bus scan and the original driver claims the device. >> After rescan the dev

[REBASED PATCH 2/2] usbip: usbip_host: run rebind from exit when module is removed

the devices to their original drivers. This includes cleanup changes and moving device_attach() code to a common routine to be called from rebind_store() and usbip_host_exit(). Signed-off-by: Shuah Khan (Samsung OSG) <sh...@kernel.org> --- drivers/usb/usbip/stub_dev.c | 6 + drive

[REBASED PATCH 1/2] usbip: usbip_host: delete device from busid_table after rebind

. Signed-off-by: Shuah Khan (Samsung OSG) <sh...@kernel.org> --- drivers/usb/usbip/stub_main.c | 6 ++ 1 file changed, 6 insertions(+) diff --git a/drivers/usb/usbip/stub_main.c b/drivers/usb/usbip/stub_main.c index d41d0cdeec0f..fb46bd62d538 100644 --- a/drivers/usb/usbip/stub_main.c

[PATCH 3/3] usbip: usbip_host: run rebind from exit when module is removed

the devices to their original drivers. This includes cleanup changes and moving device_attach() code to a common routine to be called from rebind_store() and usbip_host_exit(). Signed-off-by: Shuah Khan <shua...@osg.samsung.com> --- drivers/usb/usbip/stub_dev.c | 6 + drivers/usb

[PATCH 1/3] usbip: usbip_host: refine probe and disconnect debug msgs to be useful

Refine probe and disconnect debug msgs to be useful and say what is in progress. Signed-off-by: Shuah Khan <shua...@osg.samsung.com> --- drivers/usb/usbip/stub_dev.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/usb/usbip/stub_dev.c b/drivers/usb

[PATCH 2/3] usbip: usbip_host: delete device from busid_table after rebind

. Signed-off-by: Shuah Khan <shua...@osg.samsung.com> --- drivers/usb/usbip/stub_main.c | 6 ++ 1 file changed, 6 insertions(+) diff --git a/drivers/usb/usbip/stub_main.c b/drivers/usb/usbip/stub_main.c index d41d0cdeec0f..fb46bd62d538 100644 --- a/drivers/usb/usbip/stub_main.c +++ b/drive

Re: [PATCH] usbip: vhci_hcd: check rhport before using in vhci_hub_control()

On 04/06/2018 02:01 AM, Sergei Shtylyov wrote: > Hello! > > On 4/6/2018 1:31 AM, Shuah Khan wrote: > >> Validate !rhport < 0 before using it to access port_status array. > >    Why '!'? > I should have explained it better in the commit log. rhport is set bas

[PATCH] usbip: vhci_hcd: check rhport before using in vhci_hub_control()

Validate !rhport < 0 before using it to access port_status array. Signed-off-by: Shuah Khan <shua...@osg.samsung.com> --- drivers/usb/usbip/vhci_hcd.c | 13 + 1 file changed, 13 insertions(+) diff --git a/drivers/usb/usbip/vhci_hcd.c b/drivers/usb/usbip/vhci_hcd.c index 20e

[PATCH] usbip: usbip_event: fix to not print kernel pointer address

Fix it to not print kernel pointer address. Remove the conditional and debug message as it isn't very useful. Signed-off-by: Shuah Khan <shua...@osg.samsung.com> Cc: stable <sta...@vger.kernel.org> --- drivers/usb/usbip/usbip_event.c | 4 1 file changed, 4 deletions(-) diff --g

[PATCH] usbip: usbip_host: fix to hold parent lock for device_attach() calls

usbip_host calls device_attach() without holding dev->parent lock. Fix it. Signed-off-by: Shuah Khan <shua...@osg.samsung.com> Cc: stable <sta...@vger.kernel.org> --- drivers/usb/usbip/stub_main.c | 5 + 1 file changed, 5 insertions(+) diff --git a/drivers/usb/usbip/stub_m

Re: [PATCH] usbip: vhc_hcd: prevent module being removed while device are attached

On 04/05/2018 10:42 AM, Sasha Levin wrote: > Hi. > > [This is an automated email] > > This commit has been processed by the -stable helper bot and determined > to be a high probability candidate for -stable trees. (score: 13.1846) > > The bot has tested the following trees: v4.15.15, v4.14.32,

Re: [PATCH] usbip: vhci_hcd: Fix usb device and sockfd leaks

On 04/05/2018 10:42 AM, Sasha Levin wrote: > Hi. > > [This is an automated email] > > This commit has been processed by the -stable helper bot and determined > to be a high probability candidate for -stable trees. (score: 10.6103) > > The bot has tested the following trees: v4.15.15, v4.14.32,

Re: [PATCH] usbip: vhc_hcd: prevent module being removed while device are attached

On 04/04/2018 02:25 AM, Oliver Neukum wrote: > Am Dienstag, den 03.04.2018, 09:56 -0600 schrieb Shuah Khan: >> This is a virtual device associated to a real physical device on a different >> system. My concern is that if the module gets removed accidentally then it >>

Re: [PATCH] usbip: vhc_hcd: prevent module being removed while device are attached

On 04/03/2018 12:56 AM, Greg KH wrote: > On Mon, Apr 02, 2018 at 02:52:31PM -0600, Shuah Khan wrote: >> vhci_hcd module can be removed even when devices are attached. Fix to >> prevent module removal when devices are still attached. >> >> Signed-off-by: Shuah Kh

Re: [PATCH] usbip: vhci_hcd: Fix usb device and sockfd leaks

On 04/03/2018 12:56 AM, Greg KH wrote: > On Mon, Apr 02, 2018 at 02:52:32PM -0600, Shuah Khan wrote: >> vhci_hcd fails to do reset to put usb device and sockfd in the >> module remove/stop paths. Fix the leak. >> >> Signed-off-by: Shuah Khan <shua...@osg.samsung.c

[PATCH] usbip: vhci_hcd: Fix usb device and sockfd leaks

vhci_hcd fails to do reset to put usb device and sockfd in the module remove/stop paths. Fix the leak. Signed-off-by: Shuah Khan <shua...@osg.samsung.com> --- drivers/usb/usbip/usbip_common.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/usb/usbip/usbip_comm

[PATCH] usbip: vhc_hcd: prevent module being removed while device are attached

vhci_hcd module can be removed even when devices are attached. Fix to prevent module removal when devices are still attached. Signed-off-by: Shuah Khan <shua...@osg.samsung.com> --- drivers/usb/usbip/vhci_sysfs.c | 25 + 1 file changed, 21 insertions(+), 4 del

[PATCH] usbip: tools: usbipd: exclude exported devices from exportable device list

-by: Shuah Khan <shua...@osg.samsung.com> --- tools/usb/usbip/src/usbipd.c | 16 +++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/tools/usb/usbip/src/usbipd.c b/tools/usb/usbip/src/usbipd.c index f8ff735eb100..32864c52942d 100644 --- a/tools/usb/usbip/src/usbipd.c +++ b

[PATCH 2/3] usbip: usbip_host_common: Use new error codes to return request status

Currently ST_OK and ST_NA are the only values used to communicate status of a request from a client. Use new error codes to clearly indicate what failed. For example, when client sends request to import a device that isn't export-able, send ST_DEV_BUSY to the client. Signed-off-by: Shuah Khan

[PATCH 1/3] usbip: tools: add more error codes for usbip request/reply messages

. Existing defines are moved to a common header in libsrc to be included in the libusbip_la-usbip_common.o to be used by all the usbip tools. Supporting interface to print error strings is added to the common lib. Signed-off-by: Shuah Khan <shua...@osg.samsung.com> --- tools/usb/usbip/

[PATCH 3/3] usbip: tools: change to use new error codes in server reply messages

) - when a client requests a device that isn't exportable, usbip attach -r server_name -b 3-10.4 usbip: error: Attach Request for 3-10.4 failed - Device not found Signed-off-by: Shuah Khan <shua...@osg.samsung.com> --- tools/usb/usbip/src/usbip_attach.c | 11 +-- tools/usb/usb

[PATCH 0/3] More error codes for usbip request/reply messages

failed - Device not found Shuah Khan (3): usbip: tools: add more error codes for usbip request/reply messages usbip: usbip_host_common: Use new error codes to return request status usbip: tools: change to use new error codes in server reply messages tools/usb/usbip/libsrc/usbip_common.c

Re: [PATH 0/4] usbip: make vhci_hcd.* objects independent of vhci_hcd.0

On 03/06/2018 01:35 AM, Salvador Fandiño wrote: > > > On 03/06/2018 01:03 AM, Shuah Khan wrote: >> On 03/05/2018 02:00 AM, Salvador Fandiño wrote: >>> On 02/21/2018 01:35 AM, Shuah Khan wrote: >>>> Hi Salvador, >>>> >>>> On 01/

Re: [PATH 0/4] usbip: make vhci_hcd.* objects independent of vhci_hcd.0

On 03/05/2018 02:00 AM, Salvador Fandiño wrote: > On 02/21/2018 01:35 AM, Shuah Khan wrote: >> Hi Salvador, >> >> On 01/30/2018 01:36 AM, Salvador Fandino wrote: >>> Let me start by explaining the problem that have motivated me to write >>> this patche

Re: [PATCH] usbip: tools usbip_attach: Fix cryptic error messages

On 02/27/2018 03:45 PM, Krzysztof Opasiak wrote: > > > On 02/27/2018 11:23 PM, Shuah Khan wrote: >> Attach device error message is cryptic and useless. Fix it to be >> informative. >> >> Signed-off-by: Shuah Khan <shua...@osg.samsung.com> >> --

[PATCH] usbip: tools usbip_network: Fix cryptic error messages

Kernel and tool version mismatch message is cryptic. Fix it to be informative. Signed-off-by: Shuah Khan <shua...@osg.samsung.com> --- tools/usb/usbip/src/usbip_network.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tools/usb/usbip/src/usbip_network.c b/too

[PATCH] usbip: tools usbip_attach: Fix cryptic error messages

Attach device error message is cryptic and useless. Fix it to be informative. Signed-off-by: Shuah Khan <shua...@osg.samsung.com> --- tools/usb/usbip/src/usbip_attach.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/tools/usb/usbip/src/usbip_attach.c b/tools/usb/usb

[PATCH 3.16] staging: usbip stub_rx fix static checker warning on unnecessary checks

buffer_length > ((~0 >> 1))) => (s32min-s32max > s32max)' drivers/staging/usbip/stub_rx.c:501 stub_recv_cmd_submit() warn: always true condition '(pdu->u.cmd_submit.transfer_buffer_length <= ((~0 >> 1))) => (s32min-s32max <= s32max)' Reported-by: Dan Carpenter <da

Re: [PATCH] usbip: vudc: fix null pointer dereference on udc->lock

k_irqsave(>lock, flags); > /* Don't export what we don't have */ > - if (!udc || !udc->driver || !udc->pullup) { > - dev_err(dev, "no device or gadget not bound"); > + if (!udc->driver || !udc->pullup) { > + dev_err(dev, &qu

Re: [PATH 0/4] usbip: make vhci_hcd.* objects independent of vhci_hcd.0

Hi Salvador, On 01/30/2018 01:36 AM, Salvador Fandino wrote: > Let me start by explaining the problem that have motivated me to write > this patches: > > I work on the QVD, a virtual desktop platform for Linux. This software > runs Linux desktops (i.e. XFCE, KDE) and their applications inside

[PATCH 3.18 4/9] usbip: Fix potential format overflow in userspace tools

now warns that these aren't checked with -Wformat-overflow, and with -Werror enabled in configure.ac, that makes these tools unbuildable. This patch fixes these problems by replacing sprintf() with snprintf() in one place and adding checks for the return value of snprintf(). Signed-off-by: Shuah

[PATCH 3.18 0/9] Backports for security and critical bug fixes

): usb: usbip: Fix possible deadlocks reported by lockdep Shuah Khan (8): usbip: fix stub_rx: get_pipe() to validate endpoint number usbip: fix stub_rx: harden CMD_SUBMIT path to handle malicious input usbip: prevent vhci_hcd driver from leaking a socket pointer address usbip: Fix

[PATCH 3.18 1/9] usbip: fix stub_rx: get_pipe() to validate endpoint number

or instead of calling BUG(). Change caller stub_recv_cmd_submit() to handle the get_pipe() error return. Reported-by: Secunia Research <v...@secunia.com> Cc: stable <sta...@vger.kernel.org> Signed-off-by: Shuah Khan <shua...@osg.samsung.com> Signed-off-by: Greg Kroah-Hartman

[PATCH 3.18 6/9] usbip: vhci_hcd: clear just the USB_PORT_STAT_POWER bit

e, leaving device unusable by the client. The device is still attached and however client can't use it. The problem was fixed as part of larger change to add USB3 Super Speed support. This patch isolates the one line fix to clear the USB_PORT_STAT_POWER from the original patch. Signed-off-by: Shuah

[PATCH 3.18 7/9] usbip: prevent leaking socket pointer address in messages

Upstream commit 90120d15f4c3 ("usbip: prevent leaking socket pointer address in messages") usbip driver is leaking socket pointer address in messages. Remove the messages that aren't useful and print sockfd in the ones that are useful for debugging. Signed-off-by: Shuah

[PATCH 3.18 5/9] usb: usbip: Fix possible deadlocks reported by lockdep

g 109351 https://bugzilla.kernel.org/show_bug.cgi?id=109351 Signed-off-by: Andrew Goodbody <andrew.goodb...@cambrionix.com> Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org> Signed-off-by: Shuah Khan <shua...@osg.samsung.com> --- drivers/usb/usbip/usbip_event.c | 5 ++- dr

[PATCH 3.18 8/9] usbip: stub: stop printing kernel pointer addresses in messages

Upstream commit 248a22044366 ("usbip: stub: stop printing kernel pointer addresses in messages") Remove and/or change debug, info. and error messages to not print kernel pointer addresses. Signed-off-by: Shuah Khan <shua...@osg.samsung.com> Cc: stable <sta...@vger.kernel.org&g

[PATCH 3.18 2/9] usbip: fix stub_rx: harden CMD_SUBMIT path to handle malicious input

bad input requesting for unbounded memory allocations. Validate early in get_pipe() and return failure. Reported-by: Secunia Research <v...@secunia.com> Cc: stable <sta...@vger.kernel.org> Signed-off-by: Shuah Khan <shua...@osg.samsung.com> Signed-off-by: Greg Kroah-Hartman

[PATCH 3.18 3/9] usbip: prevent vhci_hcd driver from leaking a socket pointer address

laces socket pointer address with sockfd. Reported-by: Secunia Research <v...@secunia.com> Signed-off-by: Shuah Khan <shua...@osg.samsung.com> --- drivers/usb/usbip/usbip_common.h | 1 + drivers/usb/usbip/vhci_sysfs.c | 26 +++--- tools/usb/usbip/libsrc/vhci

[PATCH 3.18 9/9] usbip: vhci: stop printing kernel pointer addresses in messages

Upstream commit 8272d099d05f ("usbip: vhci: stop printing kernel pointer addresses in messages") Remove and/or change debug, info. and error messages to not print kernel pointer addresses. Signed-off-by: Shuah Khan <shua...@osg.samsung.com> Cc: stable <sta...@vger.kernel.org&g

[PATCH 4.4 v2 2/2] usbip: fix 3eee23c3ec14 tcp_socket address still in the status file

et pointer address is not used at the moment and it was made visible as a convenient way to find IP address from socket pointer address by looking up /proc/net/{tcp,tcp6}. As this opens a security hole, the fix replaces socket pointer address with sockfd. Reported-by: Eric Biggers <ebigge..

[PATCH 4.4 v2 1/2] usbip: vhci_hcd: clear just the USB_PORT_STAT_POWER bit

e, leaving device unusable by the client. The device is still attached and however client can't use it. The problem was fixed as part of larger change to add USB3 Super Speed support. This patch isolates the one line fix to clear the USB_PORT_STAT_POWER from the original patch. Signed-off-by: Shuah

[PATCH 4.4 v2 0/2] Backports for fixes

in the first patch in this series masked this bug. With these two fixes, client can use the imported devices on 4.4 Eric Biggers also reported the tcp_socket address still in the status file while I am getting the patch ready. I added him to Reported-by. Shuah Khan (2): usbip: vhci_hcd: clear

Re: [PATH 0/4] usbip: make vhci_hcd.* objects independent of vhci_hcd.0

On 01/30/2018 01:36 AM, Salvador Fandino wrote: > Let me start by explaining the problem that have motivated me to write > this patches: > > I work on the QVD, a virtual desktop platform for Linux. This software > runs Linux desktops (i.e. XFCE, KDE) and their applications inside LXC >

Re: [PATCH 4.9] usbip: vhci_hcd: clear just the USB_PORT_STAT_POWER bit

On 01/28/2018 05:14 AM, Greg KH wrote: > On Fri, Jan 26, 2018 at 11:54:35AM -0700, Shuah Khan wrote: >> Upstream commit 1c9de5bf4286 ("usbip: vhci-hcd: Add USB3 SuperSpeed >> support") > > Hm, I think you have the wrong commit id here. > > I don't see any

[PATCH] usbip: keep usbip_device sockfd state in sync with tcp_socket

Keep usbip_device sockfd state in sync with tcp_socket. When tcp_socket is reset to null, reset sockfd to -1 to keep it in sync. Signed-off-by: Shuah Khan <shua...@osg.samsung.com> Cc: sta...@vger.kernel.org --- drivers/usb/usbip/stub_dev.c | 3 +++ drivers/usb/usbip/vhci_hcd.c | 2 ++ 2

[PATCH 4.4] usbip: vhci_hcd: clear just the USB_PORT_STAT_POWER bit

tatus file is fixed. Signed-off-by: Shuah Khan <shua...@osg.samsung.com> --- drivers/usb/usbip/vhci_hcd.c | 2 +- drivers/usb/usbip/vhci_sysfs.c | 5 ++--- 2 files changed, 3 insertions(+), 4 deletions(-) diff --git a/drivers/usb/usbip/vhci_hcd.c b/drivers/usb/usbip/vhci_hcd.c index 00d6894554

[PATCH 4.9] usbip: vhci_hcd: clear just the USB_PORT_STAT_POWER bit

e, leaving device unusable by the client. The device is still attached and however client can't use it. The problem was fixed as part of larger change to add USB3 Super Speed support. This patch backports just the change to clear the USB_PORT_STAT_POWER. Signed-off-by: Shuah Khan <shua...@os

[PATCH 4.4 0/4] Backport missing sccurity and deadlock fix

As I started backporting security fixes, I found a deadlock bug that was fixed in a later release. This patch series contains backports for all these problems. Andrew Goodbody (1): usb: usbip: Fix possible deadlocks reported by lockdep Shuah Khan (3): usbip: fix stub_rx: get_pipe

[PATCH 4.4 1/4] usb: usbip: Fix possible deadlocks reported by lockdep

g 109351 https://bugzilla.kernel.org/show_bug.cgi?id=109351 Signed-off-by: Andrew Goodbody <andrew.goodb...@cambrionix.com> Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org> Signed-off-by: Shuah Khan <shua...@osg.samsung.com> --- drivers/usb/usbip/usbip_event.c | 5 ++- dr

[PATCH 4.4 2/4] usbip: fix stub_rx: get_pipe() to validate endpoint number

or instead of calling BUG(). Change caller stub_recv_cmd_submit() to handle the get_pipe() error return. Reported-by: Secunia Research <v...@secunia.com> Cc: stable <sta...@vger.kernel.org> Signed-off-by: Shuah Khan <shua...@osg.samsung.com> Signed-off-by: Greg Kroah-Hartman

[PATCH 4.4 4/4] usbip: prevent leaking socket pointer address in messages

Upstream commit 90120d15f4c3 ("usbip: prevent leaking socket pointer address in messages") usbip driver is leaking socket pointer address in messages. Remove the messages that aren't useful and print sockfd in the ones that are useful for debugging. Signed-off-by: Shuah

[PATCH 4.4 3/4] usbip: fix stub_rx: harden CMD_SUBMIT path to handle malicious input

bad input requesting for unbounded memory allocations. Validate early in get_pipe() and return failure. Reported-by: Secunia Research <v...@secunia.com> Cc: stable <sta...@vger.kernel.org> Signed-off-by: Shuah Khan <shua...@osg.samsung.com> Signed-off-by: Greg Kroah-Hartman

[PATCH 4.4] usbip: Fix implicit fallthrough warning

ing the compiler that this particular case statement is meant to fall through. Reviewed-by: Peter Senna Tschudin <peter.se...@gmail.com> Signed-off-by: Jonathan Dieter <jdie...@lesbg.com> Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org> Signed-off-by: Shuah Khan &l

[PATCH 4.4] usbip: Fix potential format overflow in userspace tools

now warns that these aren't checked with -Wformat-overflow, and with -Werror enabled in configure.ac, that makes these tools unbuildable. This patch fixes these problems by replacing sprintf() with snprintf() in one place and adding checks for the return value of snprintf(). Signed-off-by: Shuah

[PATCH 4.4] usbip: prevent vhci_hcd driver from leaking a socket pointer address

laces socket pointer address with sockfd. Reported-by: Secunia Research <v...@secunia.com> Signed-off-by: Shuah Khan <shua...@osg.samsung.com> --- drivers/usb/usbip/usbip_common.h | 1 + drivers/usb/usbip/vhci_sysfs.c | 25 +++-- tools/usb/usbip/libsrc/vhci

[PATCH 4.9] usbip: Fix potential format overflow in userspace tools

alue of snprintf(). Reviewed-by: Peter Senna Tschudin <peter.se...@gmail.com> Signed-off-by: Jonathan Dieter <jdie...@lesbg.com> Acked-by: Shuah Khan <shua...@osg.samsung.com> Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org> Signed-off-by: Shuah Khan <shua...@o

[PATCH 4.9] usbip: Fix implicit fallthrough warning

ing the compiler that this particular case statement is meant to fall through. Reviewed-by: Peter Senna Tschudin <peter.se...@gmail.com> Signed-off-by: Jonathan Dieter <jdie...@lesbg.com> Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org> Signed-off-by: Shuah Khan &l

[PATCH 4.9] usbip: prevent vhci_hcd driver from leaking a socket pointer address

laces socket pointer address with sockfd. Reported-by: Secunia Research <v...@secunia.com> Signed-off-by: Shuah Khan <shua...@osg.samsung.com> --- drivers/usb/usbip/usbip_common.h | 1 + drivers/usb/usbip/vhci_sysfs.c | 25 +++-- tools/usb/usbip/libsrc/vhci

Re: [PATCH 3/6] USB: move many drivers to use DEVICE_ATTR_WO

anks to a script from Joe Perches, this was easily done. > > Reported-by: Joe Perches <j...@perches.com> > Cc: Peter Chen <peter.c...@nxp.com> > Cc: Felipe Balbi <ba...@kernel.org> > Cc: Johan Hovold <jo...@kernel.org> > Cc: Valentina Manea <valentina.mane..

[PATCH] usbip: vhci_hcd: update 'status' file header and format

Commit 2f2d0088eb93 ("usbip: prevent vhci_hcd driver from leaking a socket pointer address") in the /sys/devices/platform/vhci_hcd/status. Fix the header and field alignment to reflect the changes and make it easier to read. Signed-off-by: Shuah Khan <shua...@osg.samsung.com>

[PATCH 4.9] usbip: fix warning in vhci_hcd_probe/lockdep_init_map

com> Signed-off-by: Shuah Khan <shua...@osg.samsung.com> --- Greg, Please apply this fix to 4.9 stable. I re-discovered the problem on 4.9.77-rc1 and re-tested the patch on it. thanks, -- Shuah drivers/usb/usbip/vhci_sysfs.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/

[PATCH] usbip: list: don't list devices attached to vhci_hcd

: sta...@vger.kernel.org Signed-off-by: Shuah Khan <shua...@osg.samsung.com> --- tools/usb/usbip/src/usbip_list.c | 9 + 1 file changed, 9 insertions(+) diff --git a/tools/usb/usbip/src/usbip_list.c b/tools/usb/usbip/src/usbip_list.c index f1b38e866dd7..d65a9f444174 100644 --- a/too

[PATCH] usbip: prevent bind loops on devices attached to vhci_hcd

with accesses via the attached busid result in errors and system hangs during shutdown. Fix it to check and bail out if the device is already attached to vhci_hcd. Cc: sta...@vger.kernel.org Signed-off-by: Shuah Khan <shua...@osg.samsung.com> --- tools/usb/usbip/src/usbip_bind.c | 9 ++

Re: [PATCH V2] USBIP: return correct port ENABLE status

On 12/18/2017 11:00 PM, pei.zh...@intel.com wrote: > From: Pei Zhang > > USB system will clear port's ENABLE feature for some USB devices when > vdev is already assigned port address. This cause getPortStatus reports > to system that this device is not enabled, client OS

Re: [PATCH][next] usbip: vhci: fix spelling mistake: "synchronuously" -> "synchronously"

n", > + "urb seq# %u was unlinked %ssynchronously\n", >seqnum, status == -ENOENT ? "" : "a"); > break; > case -EINPROGRESS: > Thanks Colin! Acked-by: Shuah Khan <shua

Re: [PATCH] USB: usbip: remove useless call in usbip_recv

do { > - msg_data_left(); > sock->sk->sk_allocation = GFP_NOIO; > > result = sock_recvmsg(sock, , MSG_WAITALL); > Thanks for the patch. Looks good to me. Acked-by: Shuah Khan <shua...@osg.samsung.com> Greg, please pick this patch up. thank

Re: [PATCH] tools: usb: usbip_device_driver: prefer 'unsigned int' to 'unsigned'

On 12/30/2017 09:11 AM, Elad Wexler wrote: > Fixup a coding style issue > > Signed-off-by: Elad Wexler <elad.wex...@gmail.com> Thanks for the patch. Looks good to me. Acked-by: Shuah Khan <shua...@osg.samsung.com> Greg, please pick this patch up. thanks, -- Shuah -

Re: [PATCH] tools: usb: usbip: fix fd leak in case of 'fread' failure

On 12/30/2017 09:01 AM, Elad Wexler wrote: > Fix possible resource leak: fd > > Signed-off-by: Elad Wexler <elad.wex...@gmail.com> Thanks for the patch. Looks good to me. Acked-by: Shuah Khan <shua...@osg.samsung.com> Greg, please pick this patch up. thanks, -- Shuah -

[PATCH] usbip: vudc_tx: fix v_send_ret_submit() vulnerability to null xfer buffer

v_send_ret_submit() handles urb with a null transfer_buffer, when it replays a packet with potential malicious data that could contain a null buffer. Add a check for the condition when actual_length > 0 and transfer_buffer is null. Signed-off-by: Shuah Khan <shua...@osg.samsung.com> ---

[PATCH] usbip: fix vudc_rx: harden CMD_SUBMIT path to handle malicious input

Harden CMD_SUBMIT path to handle malicious input that could trigger large memory allocations. Add checks to validate transfer_buffer_length and number_of_packets to protect against bad input requesting for unbounded memory allocations. Signed-off-by: Shuah Khan <shua...@osg.samsung.

[PATCH] usbip: remove kernel addresses from usb device and urb debug msgs

usbip_dump_usb_device() and usbip_dump_urb() print kernel addresses. Remove kernel addresses from usb device and urb debug msgs and improve the message content. Instead of printing parent device and bus addresses, print parent device and bus names. Signed-off-by: Shuah Khan <s

[PATCH] usbip: vhci: stop printing kernel pointer addresses in messages

Remove and/or change debug, info. and error messages to not print kernel pointer addresses. Signed-off-by: Shuah Khan <shua...@osg.samsung.com> --- drivers/usb/usbip/vhci_hcd.c | 10 -- drivers/usb/usbip/vhci_rx.c | 23 +++ drivers/usb/usbip/vhci_tx.c | 3

[PATCH] usbip: stub: stop printing kernel pointer addresses in messages

Remove and/or change debug, info. and error messages to not print kernel pointer addresses. Signed-off-by: Shuah Khan <shua...@osg.samsung.com> --- drivers/usb/usbip/stub_main.c | 5 +++-- drivers/usb/usbip/stub_rx.c | 7 ++- drivers/usb/usbip/stub_tx.c | 6 +++--- 3 files chan

[PATCH] usbip: prevent leaking socket pointer address in messages

usbip driver is leaking socket pointer address in messages. Remove the messages that aren't useful and print sockfd in the ones that are useful for debugging. Signed-off-by: Shuah Khan <shua...@osg.samsung.com> --- drivers/usb/usbip/stub_dev.c | 3 +-- drivers/usb/usbip/usbip_common.

Re: [PATCH] usbip: fix usbip bind writing random string after command in match_busid

US_ID_SIZE + 4, "del %s", > + busid); > > rc = write_sysfs_attribute(match_busid_attr_path, command, > -sizeof(command)); > +cmd_size); > if (rc < 0) { > db

[PATCH] usbip: stub_rx: fix static checker warning on unnecessary checks

2max)' Reported-by: Dan Carpenter <dan.carpen...@oracle.com> Signed-off-by: Shuah Khan <shua...@osg.samsung.com> --- drivers/usb/usbip/stub_rx.c | 11 +-- 1 file changed, 1 insertion(+), 10 deletions(-) diff --git a/drivers/usb/usbip/stub_rx.c b/drivers/usb/usbip/stub_rx.c index

Re: [bug report] usbip: fix stub_rx: harden CMD_SUBMIT path to handle malicious input

On 12/14/2017 01:16 PM, Dan Carpenter wrote: > On Thu, Dec 14, 2017 at 11:01:15AM -0700, Shuah Khan wrote: >> Hi Dan, >> >> On 12/14/2017 12:58 AM, Dan Carpenter wrote: >>> Hello Shuah Khan, >>> >>> The patch c6688ef9f297: "usbip: fix stub_rx:

Re: [PATCH] usbip: fix usbip bind writing random string after command in match_busid

On 12/14/2017 03:23 AM, Juan Zea wrote: >> Why not use the return value from snprintf() for length, instead of calling > strlen(command)? > > Yes, that makes sense. Something like this? Yes > > diff --git a/tools/usb/usbip/src/utils.c b/tools/usb/usbip/src/utils.c > index 2b3d6d2..3d7b42e

Re: [bug report] usbip: fix stub_rx: harden CMD_SUBMIT path to handle malicious input

Hi Dan, On 12/14/2017 12:58 AM, Dan Carpenter wrote: > Hello Shuah Khan, > > The patch c6688ef9f297: "usbip: fix stub_rx: harden CMD_SUBMIT path > to handle malicious input" from Dec 7, 2017, leads to the following > static checker warning: > > drivers/u

Re: [PATCH] usbip: fix usbip bind writing random string after command in match_busid

On 12/13/2017 04:07 AM, Juan Zea wrote: > usbip bind writes commands followed by random string when writing to > match_busid attribute in sysfs, caused by using full variable size > instead of string length. > > Signed-off-by: Juan Zea > --- > tools/usb/usbip/src/utils.c |

Re: [PATCH] USB: remove the URB_NO_FSBR flag

ting the flag here. This is followed by usb_submit_urb(). Probably there is no need to set URB_NO_FSBR in USBIP to begin with, considering usb_submit_urb() handled that before this patch. I think it is safe to make the change. Acked-by: Shuah Khan <shua...@osg.samsung.com> thanks, -- Shuah -- To unsubscribe from this list: send the line "unsubscribe linux-usb" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html

Re: [PATCH 0/4] USB over IP Secuurity fixes

On 12/08/2017 09:33 AM, Greg KH wrote: > On Fri, Dec 08, 2017 at 08:44:58AM -0700, Shuah Khan wrote: >> Hi Jakub, >> >> On 12/08/2017 08:14 AM, Secunia Research wrote: >>> Hi Shuah, >>> >>> Thanks a lot for the quick fixes. >> >>

Re: [PATCH 0/4] USB over IP Secuurity fixes

Hi Jakub, On 12/08/2017 08:14 AM, Secunia Research wrote: > Hi Shuah, > > Thanks a lot for the quick fixes. Thanks for finding them and doing all the leg work in pin pointing the issues. > > Please, use this email address: v...@secunia.com > > We have assigned the following CVEs to the

Re: [PATCH 0/4] USB over IP Secuurity fixes

On 12/07/2017 11:25 PM, Greg KH wrote: > On Thu, Dec 07, 2017 at 02:16:46PM -0700, Shuah Khan wrote: >> Jakub Jirasek from Secunia Research at Flexera reported security >> vulnerabilities in the USB over IP driver. This patch series all >> the 4 reported problems. > > N

[PATCH 1/4] usbip: fix stub_rx: get_pipe() to validate endpoint number

. Signed-off-by: Shuah Khan <shua...@osg.samsung.com> --- drivers/usb/usbip/stub_rx.c | 18 +++--- 1 file changed, 11 insertions(+), 7 deletions(-) diff --git a/drivers/usb/usbip/stub_rx.c b/drivers/usb/usbip/stub_rx.c index 536e037f541f..4d61063c259d 100644 --- a/drivers/usb

[PATCH 0/4] USB over IP Secuurity fixes

Jakub Jirasek from Secunia Research at Flexera reported security vulnerabilities in the USB over IP driver. This patch series all the 4 reported problems. Jakub, could you please suggest an email address I can use for the Reported-by tag? Shuah Khan (4): usbip: fix stub_rx: get_pipe

[PATCH 2/4] usbip: fix stub_rx: harden CMD_SUBMIT path to handle malicious input

-by: Shuah Khan <shua...@osg.samsung.com> --- drivers/usb/usbip/stub_rx.c | 35 +++ 1 file changed, 31 insertions(+), 4 deletions(-) diff --git a/drivers/usb/usbip/stub_rx.c b/drivers/usb/usbip/stub_rx.c index 4d61063c259d..493ac2928391 100644 --- a/drivers/usb

[PATCH 4/4] usbip: fix stub_send_ret_submit() vulnerability to null transfer_buffer

stub_send_ret_submit() handles urb with a potential null transfer_buffer, when it replays a packet with potential malicious data that could contain a null buffer. Add a check for the condition when actual_length > 0 and transfer_buffer is null. Signed-off-by: Shuah Khan <shua...@osg.samsu

[PATCH 3/4] usbip: prevent vhci_hcd driver from leaking a socket pointer address

s not used at the moment and it was made visible as a convenient way to find IP address from socket pointer address by looking up /proc/net/{tcp,tcp6}. As this opens a security hole, the fix replaces socket pointer address with sockfd. Signed-off-by: Shuah Khan <shua...@osg.samsung.com> --- d

  1   2   3   >