From: Greg Kroah-Hartman
Date: Mon, 5 Feb 2018 18:00:57 +0000 (-0800)
Subject: 4.4-stable patches
X-Git-Tag: v3.18.94~10
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=6523a173955e8016fe1e6c1cb4dc9a34ba6036ca;p=thirdparty%2Fkernel%2Fstable-queue.git
4.4-stable patches
added patches:
usbip-fix-3eee23c3ec14-tcp_socket-address-still-in-the-status-file.patch
usbip-vhci_hcd-clear-just-the-usb_port_stat_power-bit.patch
---
diff --git a/queue-4.4/series b/queue-4.4/series
index b8aa447d57f..757bbcb0df8 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -15,3 +15,5 @@ powerpc-powernv-check-device-tree-for-rfi-flush-settings.patch
 powerpc-64s-wire-up-cpu_show_meltdown.patch
 powerpc-64s-allow-control-of-rfi-flush-via-debugfs.patch
 asoc-pcm512x-add-missing-module_description-author-license.patch
+usbip-vhci_hcd-clear-just-the-usb_port_stat_power-bit.patch
+usbip-fix-3eee23c3ec14-tcp_socket-address-still-in-the-status-file.patch
diff --git a/queue-4.4/usbip-fix-3eee23c3ec14-tcp_socket-address-still-in-the-status-file.patch b/queue-4.4/usbip-fix-3eee23c3ec14-tcp_socket-address-still-in-the-status-file.patch
new file mode 100644
index 00000000000..422932729e5
--- /dev/null
+++ b/queue-4.4/usbip-fix-3eee23c3ec14-tcp_socket-address-still-in-the-status-file.patch
@@ -0,0 +1,63 @@
+From shuahkh@osg.samsung.com Mon Feb 5 09:59:48 2018
+From: Shuah Khan
+Date: Mon, 5 Feb 2018 10:45:56 -0700
+Subject: usbip: fix 3eee23c3ec14 tcp_socket address still in the status file
+To: valentina.manea.m@gmail.com, shuah@kernel.org, gregkh@linuxfoundation.org
+Cc: Shuah Khan , ebiggers3@gmail.com, linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org
+Message-ID: <920dbeada86c864f5280c363188125481399d109.1517852038.git.shuahkh@osg.samsung.com>
+
+From: Shuah Khan
+
+Commit 3eee23c3ec14 ("usbip: prevent vhci_hcd driver from leaking a
+socket pointer address") backported the following commit from mailine.
+However, backport error caused the tcp_socket address to still leak.
+
+commit 2f2d0088eb93 ("usbip: prevent vhci_hcd driver from leaking a
+socket pointer address")
+
+When a client has a USB device attached over IP, the vhci_hcd driver is
+locally leaking a socket pointer address via the
+
+/sys/devices/platform/vhci_hcd/status file (world-readable) and in debug
+output when "usbip --debug port" is run.
+
+Fix it to not leak. The socket pointer address is not used at the moment
+and it was made visible as a convenient way to find IP address from
+socket pointer address by looking up /proc/net/{tcp,tcp6}.
+
+As this opens a security hole, the fix replaces socket pointer address
+with sockfd.
+
+Reported-by: Eric Biggers
+Signed-off-by: Shuah Khan
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/usbip/vhci_sysfs.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+--- a/drivers/usb/usbip/vhci_sysfs.c
++++ b/drivers/usb/usbip/vhci_sysfs.c
+@@ -53,7 +53,7 @@ static ssize_t status_show(struct device
+ * a security hole, the change is made to use sockfd instead.
+ */
+ out += sprintf(out,
+- "prt sta spd bus dev sockfd local_busid\n");
++ "prt sta spd dev sockfd local_busid\n");
+
+ for (i = 0; i < VHCI_NPORTS; i++) {
+ struct vhci_device *vdev = port_to_vdev(i);
+@@ -64,12 +64,11 @@ static ssize_t status_show(struct device
+ if (vdev->ud.status == VDEV_ST_USED) {
+ out += sprintf(out, "%03u %08x ",
+ vdev->speed, vdev->devid);
+- out += sprintf(out, "%16p ", vdev->ud.tcp_socket);
+- out += sprintf(out, "%06u", vdev->ud.sockfd);
++ out += sprintf(out, "%06u ", vdev->ud.sockfd);
+ out += sprintf(out, "%s", dev_name(&vdev->udev->dev));
+
+ } else
+- out += sprintf(out, "000 000 000 000000 0-0");
++ out += sprintf(out, "000 00000000 000000 0-0");
+
+ out += sprintf(out, "\n");
+ spin_unlock(&vdev->ud.lock);
diff --git a/queue-4.4/usbip-vhci_hcd-clear-just-the-usb_port_stat_power-bit.patch b/queue-4.4/usbip-vhci_hcd-clear-just-the-usb_port_stat_power-bit.patch
new file mode 100644
index 00000000000..f08cf5247e2
--- /dev/null
+++ b/queue-4.4/usbip-vhci_hcd-clear-just-the-usb_port_stat_power-bit.patch
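Review bot: The added `out += sprintf(out, "%06u ", vdev->ud.sockfd);` in the second nested hunk, like the `sprintf` calls around it, appends to the sysfs output buffer with no remaining-space check, and the row ends with an unbounded `%s` of `dev_name()`. The fixed-width fields keep each row short, so this is hardening rather than a known overflow, but a bounded form such as `out += scnprintf(out, PAGE_SIZE - (out - <buffer start>), "%06u ", vdev->ud.sockfd);` would make the limit explicit. The header and row layout of the world-readable status file also changes here (the `bus` column and the `%16p` field are dropped), so any userspace parser of that file presumably needs the matching format; the diffstat shows only vhci_sysfs.c being touched. status_show's body starts and ends outside the hunk.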
@@ -0,0 +1,42 @@
+From shuahkh@osg.samsung.com Mon Feb 5 09:59:31 2018
+From: Shuah Khan
+Date: Mon, 5 Feb 2018 10:45:55 -0700
+Subject: usbip: vhci_hcd: clear just the USB_PORT_STAT_POWER bit
+To: valentina.manea.m@gmail.com, shuah@kernel.org, gregkh@linuxfoundation.org
+Cc: Shuah Khan , linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org
+Message-ID: <8a118955998e8b3d101b8105f786cee354256d41.1517852038.git.shuahkh@osg.samsung.com>
+
+From: Shuah Khan
+
+Upstream commit 1c9de5bf4286 ("usbip: vhci-hcd: Add USB3 SuperSpeed
+support")
+
+vhci_hcd clears all the bits port_status bits instead of clearing
+just the USB_PORT_STAT_POWER bit when it handles ClearPortFeature:
+USB_PORT_FEAT_POWER. This causes vhci_hcd attach to fail in a bad
+state, leaving device unusable by the client. The device is still
+attached and however client can't use it.
+
+The problem was fixed as part of larger change to add USB3 Super Speed
+support.
+
+This patch isolates the one line fix to clear the USB_PORT_STAT_POWER
+from the original patch.
+
+Signed-off-by: Shuah Khan
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/usbip/vhci_hcd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/usbip/vhci_hcd.c
++++ b/drivers/usb/usbip/vhci_hcd.c
+@@ -285,7 +285,7 @@ static int vhci_hub_control(struct usb_h
+ case USB_PORT_FEAT_POWER:
+ usbip_dbg_vhci_rh(
+ " ClearPortFeature: USB_PORT_FEAT_POWER\n");
+- dum->port_status[rhport] = 0;
++ dum->port_status[rhport] &= ~USB_PORT_STAT_POWER;
+ dum->resuming = 0;
+ break;
+ case USB_PORT_FEAT_C_RESET:
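Review bot: The new `dum->port_status[rhport] &= ~USB_PORT_STAT_POWER;` is a read-modify-write on an array slot, so it depends on `rhport` having been range-checked before the switch; that check is not visible in this hunk and should be confirmed in vhci_hub_control, whose body starts and ends outside it. The line would also benefit from a short why-comment, e.g. `/* clear only the POWER bit; zeroing the whole word left attach in a bad state */`, since the reason is recorded only in the commit message.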