RE: [PATCH 0/4] USB over IP Secuurity fixes

From: Secunia Research
Date: Fri Dec 08 2017 - 10:21:25 EST


Hi Shuah,

Thanks a lot for the quick fixes.

Please, use this email address: vuln@xxxxxxxxxxx

We have assigned the following CVEs to the issues:
CVE-2017-16911 usbip: prevent vhci_hcd driver from leaking a socket pointer
address
CVE-2017-16912 usbip: fix stub_rx: get_pipe() to validate endpoint number
CVE-2017-16913 usbip: fix stub_rx: harden CMD_SUBMIT path to handle
malicious input
CVE-2017-16914 usbip: fix stub_send_ret_submit() vulnerability to null
transfer_buffer

Please, let me know if we should proceed with a coordinated disclosure. I'm
not quite sure how many distros / downstreams actually use this
functionality.

Best Regards,
Jakub

-----Original Message-----
From: Shuah Khan [mailto:shuahkh@xxxxxxxxxxxxxxx]
Sent: Thursday, December 7, 2017 10:17 PM
To: shuah@xxxxxxxxxx; valentina.manea.m@xxxxxxxxx;
gregkh@xxxxxxxxxxxxxxxxxxx
Cc: Shuah Khan <shuahkh@xxxxxxxxxxxxxxx>; linux-usb@xxxxxxxxxxxxxxx;
linux-kernel@xxxxxxxxxxxxxxx; vuln@xxxxxxxxxxx
Subject: [PATCH 0/4] USB over IP Secuurity fixes

Jakub Jirasek from Secunia Research at Flexera reported security
vulnerabilities in the USB over IP driver. This patch series all the 4
reported problems.

Jakub, could you please suggest an email address I can use for the
Reported-by tag?

Shuah Khan (4):
usbip: fix stub_rx: get_pipe() to validate endpoint number
usbip: fix stub_rx: harden CMD_SUBMIT path to handle malicious input
usbip: prevent vhci_hcd driver from leaking a socket pointer address
usbip: fix stub_send_ret_submit() vulnerability to null
transfer_buffer

drivers/usb/usbip/stub_rx.c | 51
+++++++++++++++++++++++++++++-------
drivers/usb/usbip/stub_tx.c | 7 +++++
drivers/usb/usbip/usbip_common.h | 1 +
drivers/usb/usbip/vhci_sysfs.c | 25 +++++++++++-------
tools/usb/usbip/libsrc/vhci_driver.c | 8 +++---
5 files changed, 69 insertions(+), 23 deletions(-)

--
2.14.1