| Message ID | 1531920951-23012-1-git-send-email-stefan.bader@canonical.com |
|---|---|
| State | New |
| Headers | show |
| Series | [Trusty,SRU] Fix for CVE-2017-16911 | expand |
On 18/07/18 14:35, Stefan Bader wrote: > From d9048d4e4a99354071874d7df13300275a0e2884 Mon Sep 17 00:00:00 2001 > From: Shuah Khan <shuahkh@osg.samsung.com> > Date: Thu, 7 Dec 2017 14:16:49 -0700 > Subject: [PATCH] usbip: prevent vhci_hcd driver from leaking a socket pointer > address > > When a client has a USB device attached over IP, the vhci_hcd driver is > locally leaking a socket pointer address via the > > /sys/devices/platform/vhci_hcd/status file (world-readable) and in debug > output when "usbip --debug port" is run. > > Fix it to not leak. The socket pointer address is not used at the moment > and it was made visible as a convenient way to find IP address from socket > pointer address by looking up /proc/net/{tcp,tcp6}. > > As this opens a security hole, the fix replaces socket pointer address with > sockfd. > > Reported-by: Secunia Research <vuln@secunia.com> > Cc: stable <stable@vger.kernel.org> > Signed-off-by: Shuah Khan <shuahkh@osg.samsung.com> > Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> > > CVE-2017-16911 > > (backported from commit 2f2d0088eb93db5c649d2a5e34a3800a8a935fc5) > [smb: driver still in staging, adapted to different output format] > Signed-off-by: Stefan Bader <stefan.bader@canonical.com> > --- > > The driver is in staging still and also used a different output format. > I believe this should cover the original approach and is compile tested > on x86_64. > > -Stefan > > drivers/staging/usbip/usbip_common.h | 1 + > .../staging/usbip/userspace/libsrc/vhci_driver.c | 8 ++++---- > drivers/staging/usbip/vhci_sysfs.c | 22 ++++++++++++++-------- > 3 files changed, 19 insertions(+), 12 deletions(-) > > diff --git a/drivers/staging/usbip/usbip_common.h b/drivers/staging/usbip/usbip_common.h > index 7e6c543..3eb8038 100644 > --- a/drivers/staging/usbip/usbip_common.h > +++ b/drivers/staging/usbip/usbip_common.h > @@ -276,6 +276,7 @@ struct usbip_device { > /* lock for status */ > spinlock_t lock; > > + int sockfd; > struct socket *tcp_socket; > > struct task_struct *tcp_rx; > diff --git a/drivers/staging/usbip/userspace/libsrc/vhci_driver.c b/drivers/staging/usbip/userspace/libsrc/vhci_driver.c > index 1091bb2..f86d3c8 100644 > --- a/drivers/staging/usbip/userspace/libsrc/vhci_driver.c > +++ b/drivers/staging/usbip/userspace/libsrc/vhci_driver.c > @@ -69,12 +69,12 @@ static int parse_status(char *value) > > while (*c != '\0') { > int port, status, speed, devid; > - unsigned long socket; > + int sockfd; > char lbusid[SYSFS_BUS_ID_SIZE]; > > - ret = sscanf(c, "%d %d %d %x %lx %s\n", > + ret = sscanf(c, "%d %d %d %x %u %s\n", > &port, &status, &speed, > - &devid, &socket, lbusid); > + &devid, &sockfd, lbusid); > > if (ret < 5) { > dbg("sscanf failed: %d", ret); > @@ -83,7 +83,7 @@ static int parse_status(char *value) > > dbg("port %d status %d speed %d devid %x", > port, status, speed, devid); > - dbg("socket %lx lbusid %s", socket, lbusid); > + dbg("sockfd %u lbusid %s", sockfd, lbusid); > > > /* if a device is connected, look at it */ > diff --git a/drivers/staging/usbip/vhci_sysfs.c b/drivers/staging/usbip/vhci_sysfs.c > index 9b51586..db057c3 100644 > --- a/drivers/staging/usbip/vhci_sysfs.c > +++ b/drivers/staging/usbip/vhci_sysfs.c > @@ -39,15 +39,20 @@ static ssize_t status_show(struct device *dev, struct device_attribute *attr, > > /* > * output example: > - * prt sta spd dev socket local_busid > - * 000 004 000 000 c5a7bb80 1-2.3 > - * 001 004 000 000 d8cee980 2-3.4 > + * prt sta spd dev sockfd local_busid > + * 000 004 000 000 3 1-2.3 > + * 001 004 000 000 4 2-3.4 > + * > + * Output includes socket fd instead of socket pointer address to avoid > + * leaking kernel memory address in: > + * /sys/devices/platform/vhci_hcd.0/status and in debug output. > + * The socket pointer address is not used at the moment and it was made > + * visible as a convenient way to find IP address from socket pointer > + * address by looking up /proc/net/{tcp,tcp6}. As this opens a security > + * hole, the change is made to use sockfd instead. > * > - * IP address can be retrieved from a socket pointer address by looking > - * up /proc/net/{tcp,tcp6}. Also, a userland program may remember a > - * port number and its peer IP address. > */ > - out += sprintf(out, "prt sta spd bus dev socket " > + out += sprintf(out, "prt sta spd bus dev sockfd " > "local_busid\n"); > > for (i = 0; i < VHCI_NPORTS; i++) { > @@ -59,7 +64,7 @@ static ssize_t status_show(struct device *dev, struct device_attribute *attr, > if (vdev->ud.status == VDEV_ST_USED) { > out += sprintf(out, "%03u %08x ", > vdev->speed, vdev->devid); > - out += sprintf(out, "%16p ", vdev->ud.tcp_socket); > + out += sprintf(out, "%9u ", vdev->ud.sockfd); > out += sprintf(out, "%s", dev_name(&vdev->udev->dev)); > > } else { > @@ -219,6 +224,7 @@ static ssize_t store_attach(struct device *dev, struct device_attribute *attr, > > vdev->devid = devid; > vdev->speed = speed; > + vdev->ud.sockfd = sockfd; > vdev->ud.tcp_socket = socket; > vdev->ud.status = VDEV_ST_NOTASSIGNED; > > Looks good. Acked-by: Colin Ian King <colin.king@canonical.com>
On 07/18/18 15:35, Stefan Bader wrote: > From d9048d4e4a99354071874d7df13300275a0e2884 Mon Sep 17 00:00:00 2001 > From: Shuah Khan <shuahkh@osg.samsung.com> > Date: Thu, 7 Dec 2017 14:16:49 -0700 > Subject: [PATCH] usbip: prevent vhci_hcd driver from leaking a socket pointer > address > > When a client has a USB device attached over IP, the vhci_hcd driver is > locally leaking a socket pointer address via the > > /sys/devices/platform/vhci_hcd/status file (world-readable) and in debug > output when "usbip --debug port" is run. > > Fix it to not leak. The socket pointer address is not used at the moment > and it was made visible as a convenient way to find IP address from socket > pointer address by looking up /proc/net/{tcp,tcp6}. > > As this opens a security hole, the fix replaces socket pointer address with > sockfd. > > Reported-by: Secunia Research <vuln@secunia.com> > Cc: stable <stable@vger.kernel.org> > Signed-off-by: Shuah Khan <shuahkh@osg.samsung.com> > Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> > > CVE-2017-16911 > > (backported from commit 2f2d0088eb93db5c649d2a5e34a3800a8a935fc5) > [smb: driver still in staging, adapted to different output format] > Signed-off-by: Stefan Bader <stefan.bader@canonical.com> > --- > > The driver is in staging still and also used a different output format. > I believe this should cover the original approach and is compile tested > on x86_64. > > -Stefan > > drivers/staging/usbip/usbip_common.h | 1 + > .../staging/usbip/userspace/libsrc/vhci_driver.c | 8 ++++---- > drivers/staging/usbip/vhci_sysfs.c | 22 ++++++++++++++-------- > 3 files changed, 19 insertions(+), 12 deletions(-) > > diff --git a/drivers/staging/usbip/usbip_common.h b/drivers/staging/usbip/usbip_common.h > index 7e6c543..3eb8038 100644 > --- a/drivers/staging/usbip/usbip_common.h > +++ b/drivers/staging/usbip/usbip_common.h > @@ -276,6 +276,7 @@ struct usbip_device { > /* lock for status */ > spinlock_t lock; > > + int sockfd; > struct socket *tcp_socket; > > struct task_struct *tcp_rx; > diff --git a/drivers/staging/usbip/userspace/libsrc/vhci_driver.c b/drivers/staging/usbip/userspace/libsrc/vhci_driver.c > index 1091bb2..f86d3c8 100644 > --- a/drivers/staging/usbip/userspace/libsrc/vhci_driver.c > +++ b/drivers/staging/usbip/userspace/libsrc/vhci_driver.c > @@ -69,12 +69,12 @@ static int parse_status(char *value) > > while (*c != '\0') { > int port, status, speed, devid; > - unsigned long socket; > + int sockfd; > char lbusid[SYSFS_BUS_ID_SIZE]; > > - ret = sscanf(c, "%d %d %d %x %lx %s\n", > + ret = sscanf(c, "%d %d %d %x %u %s\n", > &port, &status, &speed, > - &devid, &socket, lbusid); > + &devid, &sockfd, lbusid); > > if (ret < 5) { > dbg("sscanf failed: %d", ret); > @@ -83,7 +83,7 @@ static int parse_status(char *value) > > dbg("port %d status %d speed %d devid %x", > port, status, speed, devid); > - dbg("socket %lx lbusid %s", socket, lbusid); > + dbg("sockfd %u lbusid %s", sockfd, lbusid); > > > /* if a device is connected, look at it */ > diff --git a/drivers/staging/usbip/vhci_sysfs.c b/drivers/staging/usbip/vhci_sysfs.c > index 9b51586..db057c3 100644 > --- a/drivers/staging/usbip/vhci_sysfs.c > +++ b/drivers/staging/usbip/vhci_sysfs.c > @@ -39,15 +39,20 @@ static ssize_t status_show(struct device *dev, struct device_attribute *attr, > > /* > * output example: > - * prt sta spd dev socket local_busid > - * 000 004 000 000 c5a7bb80 1-2.3 > - * 001 004 000 000 d8cee980 2-3.4 > + * prt sta spd dev sockfd local_busid > + * 000 004 000 000 3 1-2.3 > + * 001 004 000 000 4 2-3.4 > + * > + * Output includes socket fd instead of socket pointer address to avoid > + * leaking kernel memory address in: > + * /sys/devices/platform/vhci_hcd.0/status and in debug output. > + * The socket pointer address is not used at the moment and it was made > + * visible as a convenient way to find IP address from socket pointer > + * address by looking up /proc/net/{tcp,tcp6}. As this opens a security > + * hole, the change is made to use sockfd instead. > * > - * IP address can be retrieved from a socket pointer address by looking > - * up /proc/net/{tcp,tcp6}. Also, a userland program may remember a > - * port number and its peer IP address. > */ > - out += sprintf(out, "prt sta spd bus dev socket " > + out += sprintf(out, "prt sta spd bus dev sockfd " > "local_busid\n"); > > for (i = 0; i < VHCI_NPORTS; i++) { > @@ -59,7 +64,7 @@ static ssize_t status_show(struct device *dev, struct device_attribute *attr, > if (vdev->ud.status == VDEV_ST_USED) { > out += sprintf(out, "%03u %08x ", > vdev->speed, vdev->devid); > - out += sprintf(out, "%16p ", vdev->ud.tcp_socket); > + out += sprintf(out, "%9u ", vdev->ud.sockfd); > out += sprintf(out, "%s", dev_name(&vdev->udev->dev)); > > } else { > @@ -219,6 +224,7 @@ static ssize_t store_attach(struct device *dev, struct device_attribute *attr, > > vdev->devid = devid; > vdev->speed = speed; > + vdev->ud.sockfd = sockfd; > vdev->ud.tcp_socket = socket; > vdev->ud.status = VDEV_ST_NOTASSIGNED; > > Looks good to me. One needs to be careful when applying the patch since the original subject of the patch is in the message body. Acked-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
Applied to Trusty master-next On 2018-07-18 15:35:51 , Stefan Bader wrote: > From d9048d4e4a99354071874d7df13300275a0e2884 Mon Sep 17 00:00:00 2001 > From: Shuah Khan <shuahkh@osg.samsung.com> > Date: Thu, 7 Dec 2017 14:16:49 -0700 > Subject: [PATCH] usbip: prevent vhci_hcd driver from leaking a socket pointer > address > > When a client has a USB device attached over IP, the vhci_hcd driver is > locally leaking a socket pointer address via the > > /sys/devices/platform/vhci_hcd/status file (world-readable) and in debug > output when "usbip --debug port" is run. > > Fix it to not leak. The socket pointer address is not used at the moment > and it was made visible as a convenient way to find IP address from socket > pointer address by looking up /proc/net/{tcp,tcp6}. > > As this opens a security hole, the fix replaces socket pointer address with > sockfd. > > Reported-by: Secunia Research <vuln@secunia.com> > Cc: stable <stable@vger.kernel.org> > Signed-off-by: Shuah Khan <shuahkh@osg.samsung.com> > Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> > > CVE-2017-16911 > > (backported from commit 2f2d0088eb93db5c649d2a5e34a3800a8a935fc5) > [smb: driver still in staging, adapted to different output format] > Signed-off-by: Stefan Bader <stefan.bader@canonical.com> > --- > > The driver is in staging still and also used a different output format. > I believe this should cover the original approach and is compile tested > on x86_64. > > -Stefan > > drivers/staging/usbip/usbip_common.h | 1 + > .../staging/usbip/userspace/libsrc/vhci_driver.c | 8 ++++---- > drivers/staging/usbip/vhci_sysfs.c | 22 ++++++++++++++-------- > 3 files changed, 19 insertions(+), 12 deletions(-) > > diff --git a/drivers/staging/usbip/usbip_common.h b/drivers/staging/usbip/usbip_common.h > index 7e6c543..3eb8038 100644 > --- a/drivers/staging/usbip/usbip_common.h > +++ b/drivers/staging/usbip/usbip_common.h > @@ -276,6 +276,7 @@ struct usbip_device { > /* lock for status */ > spinlock_t lock; > > + int sockfd; > struct socket *tcp_socket; > > struct task_struct *tcp_rx; > diff --git a/drivers/staging/usbip/userspace/libsrc/vhci_driver.c b/drivers/staging/usbip/userspace/libsrc/vhci_driver.c > index 1091bb2..f86d3c8 100644 > --- a/drivers/staging/usbip/userspace/libsrc/vhci_driver.c > +++ b/drivers/staging/usbip/userspace/libsrc/vhci_driver.c > @@ -69,12 +69,12 @@ static int parse_status(char *value) > > while (*c != '\0') { > int port, status, speed, devid; > - unsigned long socket; > + int sockfd; > char lbusid[SYSFS_BUS_ID_SIZE]; > > - ret = sscanf(c, "%d %d %d %x %lx %s\n", > + ret = sscanf(c, "%d %d %d %x %u %s\n", > &port, &status, &speed, > - &devid, &socket, lbusid); > + &devid, &sockfd, lbusid); > > if (ret < 5) { > dbg("sscanf failed: %d", ret); > @@ -83,7 +83,7 @@ static int parse_status(char *value) > > dbg("port %d status %d speed %d devid %x", > port, status, speed, devid); > - dbg("socket %lx lbusid %s", socket, lbusid); > + dbg("sockfd %u lbusid %s", sockfd, lbusid); > > > /* if a device is connected, look at it */ > diff --git a/drivers/staging/usbip/vhci_sysfs.c b/drivers/staging/usbip/vhci_sysfs.c > index 9b51586..db057c3 100644 > --- a/drivers/staging/usbip/vhci_sysfs.c > +++ b/drivers/staging/usbip/vhci_sysfs.c > @@ -39,15 +39,20 @@ static ssize_t status_show(struct device *dev, struct device_attribute *attr, > > /* > * output example: > - * prt sta spd dev socket local_busid > - * 000 004 000 000 c5a7bb80 1-2.3 > - * 001 004 000 000 d8cee980 2-3.4 > + * prt sta spd dev sockfd local_busid > + * 000 004 000 000 3 1-2.3 > + * 001 004 000 000 4 2-3.4 > + * > + * Output includes socket fd instead of socket pointer address to avoid > + * leaking kernel memory address in: > + * /sys/devices/platform/vhci_hcd.0/status and in debug output. > + * The socket pointer address is not used at the moment and it was made > + * visible as a convenient way to find IP address from socket pointer > + * address by looking up /proc/net/{tcp,tcp6}. As this opens a security > + * hole, the change is made to use sockfd instead. > * > - * IP address can be retrieved from a socket pointer address by looking > - * up /proc/net/{tcp,tcp6}. Also, a userland program may remember a > - * port number and its peer IP address. > */ > - out += sprintf(out, "prt sta spd bus dev socket " > + out += sprintf(out, "prt sta spd bus dev sockfd " > "local_busid\n"); > > for (i = 0; i < VHCI_NPORTS; i++) { > @@ -59,7 +64,7 @@ static ssize_t status_show(struct device *dev, struct device_attribute *attr, > if (vdev->ud.status == VDEV_ST_USED) { > out += sprintf(out, "%03u %08x ", > vdev->speed, vdev->devid); > - out += sprintf(out, "%16p ", vdev->ud.tcp_socket); > + out += sprintf(out, "%9u ", vdev->ud.sockfd); > out += sprintf(out, "%s", dev_name(&vdev->udev->dev)); > > } else { > @@ -219,6 +224,7 @@ static ssize_t store_attach(struct device *dev, struct device_attribute *attr, > > vdev->devid = devid; > vdev->speed = speed; > + vdev->ud.sockfd = sockfd; > vdev->ud.tcp_socket = socket; > vdev->ud.status = VDEV_ST_NOTASSIGNED; > > -- > 2.7.4 > > > -- > kernel-team mailing list > kernel-team@lists.ubuntu.com > https://lists.ubuntu.com/mailman/listinfo/kernel-team
diff --git a/drivers/staging/usbip/usbip_common.h b/drivers/staging/usbip/usbip_common.h index 7e6c543..3eb8038 100644 --- a/drivers/staging/usbip/usbip_common.h +++ b/drivers/staging/usbip/usbip_common.h @@ -276,6 +276,7 @@ struct usbip_device { /* lock for status */ spinlock_t lock; + int sockfd; struct socket *tcp_socket; struct task_struct *tcp_rx; diff --git a/drivers/staging/usbip/userspace/libsrc/vhci_driver.c b/drivers/staging/usbip/userspace/libsrc/vhci_driver.c index 1091bb2..f86d3c8 100644 --- a/drivers/staging/usbip/userspace/libsrc/vhci_driver.c +++ b/drivers/staging/usbip/userspace/libsrc/vhci_driver.c @@ -69,12 +69,12 @@ static int parse_status(char *value) while (*c != '\0') { int port, status, speed, devid; - unsigned long socket; + int sockfd; char lbusid[SYSFS_BUS_ID_SIZE]; - ret = sscanf(c, "%d %d %d %x %lx %s\n", + ret = sscanf(c, "%d %d %d %x %u %s\n", &port, &status, &speed, - &devid, &socket, lbusid); + &devid, &sockfd, lbusid); if (ret < 5) { dbg("sscanf failed: %d", ret); @@ -83,7 +83,7 @@ static int parse_status(char *value) dbg("port %d status %d speed %d devid %x", port, status, speed, devid); - dbg("socket %lx lbusid %s", socket, lbusid); + dbg("sockfd %u lbusid %s", sockfd, lbusid); /* if a device is connected, look at it */ diff --git a/drivers/staging/usbip/vhci_sysfs.c b/drivers/staging/usbip/vhci_sysfs.c index 9b51586..db057c3 100644 --- a/drivers/staging/usbip/vhci_sysfs.c +++ b/drivers/staging/usbip/vhci_sysfs.c @@ -39,15 +39,20 @@ static ssize_t status_show(struct device *dev, struct device_attribute *attr, /* * output example: - * prt sta spd dev socket local_busid - * 000 004 000 000 c5a7bb80 1-2.3 - * 001 004 000 000 d8cee980 2-3.4 + * prt sta spd dev sockfd local_busid + * 000 004 000 000 3 1-2.3 + * 001 004 000 000 4 2-3.4 + * + * Output includes socket fd instead of socket pointer address to avoid + * leaking kernel memory address in: + * /sys/devices/platform/vhci_hcd.0/status and in debug output. + * The socket pointer address is not used at the moment and it was made + * visible as a convenient way to find IP address from socket pointer + * address by looking up /proc/net/{tcp,tcp6}. As this opens a security + * hole, the change is made to use sockfd instead. * - * IP address can be retrieved from a socket pointer address by looking - * up /proc/net/{tcp,tcp6}. Also, a userland program may remember a - * port number and its peer IP address. */ - out += sprintf(out, "prt sta spd bus dev socket " + out += sprintf(out, "prt sta spd bus dev sockfd " "local_busid\n"); for (i = 0; i < VHCI_NPORTS; i++) { @@ -59,7 +64,7 @@ static ssize_t status_show(struct device *dev, struct device_attribute *attr, if (vdev->ud.status == VDEV_ST_USED) { out += sprintf(out, "%03u %08x ", vdev->speed, vdev->devid); - out += sprintf(out, "%16p ", vdev->ud.tcp_socket); + out += sprintf(out, "%9u ", vdev->ud.sockfd); out += sprintf(out, "%s", dev_name(&vdev->udev->dev)); } else { @@ -219,6 +224,7 @@ static ssize_t store_attach(struct device *dev, struct device_attribute *attr, vdev->devid = devid; vdev->speed = speed; + vdev->ud.sockfd = sockfd; vdev->ud.tcp_socket = socket; vdev->ud.status = VDEV_ST_NOTASSIGNED;