Re: [PATCH] usbip: vhci: validate ret_submit number_of_packets

Next message: Petr Mladek: "Re: [PATCH v5 3/6] initramfs: Sort headers alphabetically"
Previous message: Mark Brown: "linux-next: manual merge of the bpf-next tree with the bpf tree"
In reply to: hkbinbin: "[PATCH] usbip: vhci: validate ret_submit number_of_packets"
Next in thread: hkbinbin: "Re: [PATCH] usbip: vhci: validate ret_submit number_of_packets"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Greg KH

Date: Wed Apr 01 2026 - 08:56:57 EST

On Wed, Apr 01, 2026 at 12:08:57PM +0000, hkbinbin wrote:
> vhci_recv_ret_submit() unpacks USBIP_RET_SUBMIT directly into the URB,
> including number_of_packets from the remote server. For isochronous
> URBs, iso_frame_desc[] was allocated using the original locally
> submitted number_of_packets.
>
> If a malicious or buggy USB/IP server returns a larger
> number_of_packets, usbip_recv_iso() will iterate past the end of
> urb->iso_frame_desc[] and write attacker-controlled ISO descriptors out
> of bounds. Later completion paths may also walk past iso_frame_desc[]
> if the poisoned number_of_packets is left in the URB after rejecting
> the response.
>
> Fix this by saving the original packet count before unpacking the PDU,
> rejecting larger values from the server, restoring the original count
> on error, and marking the connection as broken.
>
> Fixes: 1325f85fa49f ("staging: usbip: bugfix add number of packets for isochronous frames")
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: hkbinbin <hkbinbinbin@xxxxxxxxx>

We need a "real name" here please.

Also, this really looks like the same patch sent here:
https://lore.kernel.org/r/20260329125437.517980-2-sebasjosue84@xxxxxxxxx

Is everyone forgetting to disclose that they are using AI tools to
generate these things?

thanks,

greg k-h