This is a note to let you know that I've just added the patch titled
usbip: fix 3eee23c3ec14 tcp_socket address still in the status file
to the 4.4-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
usbip-fix-3eee23c3ec14-tcp_socket-address-still-in-the-status-file.patch
and it can be found in the queue-4.4 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.
>From shuahkh@xxxxxxxxxxxxxxx Mon Feb 5 09:59:48 2018
From: Shuah Khan <shuahkh@xxxxxxxxxxxxxxx>
Date: Mon, 5 Feb 2018 10:45:56 -0700
Subject: usbip: fix 3eee23c3ec14 tcp_socket address still in the status file
To: valentina.manea.m@xxxxxxxxx, shuah@xxxxxxxxxx, gregkh@xxxxxxxxxxxxxxxxxxx
Cc: Shuah Khan <shuahkh@xxxxxxxxxxxxxxx>, ebiggers3@xxxxxxxxx, linux-usb@xxxxxxxxxxxxxxx, linux-kernel@xxxxxxxxxxxxxxx, stable@xxxxxxxxxxxxxxx
Message-ID: <920dbeada86c864f5280c363188125481399d109.1517852038.git.shuahkh@xxxxxxxxxxxxxxx>
From: Shuah Khan <shuahkh@xxxxxxxxxxxxxxx>
Commit 3eee23c3ec14 ("usbip: prevent vhci_hcd driver from leaking a
socket pointer address") backported the following commit from mailine.
However, backport error caused the tcp_socket address to still leak.
commit 2f2d0088eb93 ("usbip: prevent vhci_hcd driver from leaking a
socket pointer address")
When a client has a USB device attached over IP, the vhci_hcd driver is
locally leaking a socket pointer address via the
/sys/devices/platform/vhci_hcd/status file (world-readable) and in debug
output when "usbip --debug port" is run.
Fix it to not leak. The socket pointer address is not used at the moment
and it was made visible as a convenient way to find IP address from
socket pointer address by looking up /proc/net/{tcp,tcp6}.
As this opens a security hole, the fix replaces socket pointer address
with sockfd.
Reported-by: Eric Biggers <ebiggers3@xxxxxxxxx>
Signed-off-by: Shuah Khan <shuahkh@xxxxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
drivers/usb/usbip/vhci_sysfs.c | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
--- a/drivers/usb/usbip/vhci_sysfs.c
+++ b/drivers/usb/usbip/vhci_sysfs.c
@@ -53,7 +53,7 @@ static ssize_t status_show(struct device
* a security hole, the change is made to use sockfd instead.
*/
out += sprintf(out,
- "prt sta spd bus dev sockfd local_busid\n");
+ "prt sta spd dev sockfd local_busid\n");
for (i = 0; i < VHCI_NPORTS; i++) {
struct vhci_device *vdev = port_to_vdev(i);
@@ -64,12 +64,11 @@ static ssize_t status_show(struct device
if (vdev->ud.status == VDEV_ST_USED) {
out += sprintf(out, "%03u %08x ",
vdev->speed, vdev->devid);
- out += sprintf(out, "%16p ", vdev->ud.tcp_socket);
- out += sprintf(out, "%06u", vdev->ud.sockfd);
+ out += sprintf(out, "%06u ", vdev->ud.sockfd);
out += sprintf(out, "%s", dev_name(&vdev->udev->dev));
} else
- out += sprintf(out, "000 000 000 000000 0-0");
+ out += sprintf(out, "000 00000000 000000 0-0");
out += sprintf(out, "\n");
spin_unlock(&vdev->ud.lock);
Patches currently in stable-queue which might be from shuahkh@xxxxxxxxxxxxxxx are
queue-4.4/usbip-vhci_hcd-clear-just-the-usb_port_stat_power-bit.patch
queue-4.4/usbip-fix-3eee23c3ec14-tcp_socket-address-still-in-the-status-file.patch