linux-wireless.vger.kernel.org archive mirror
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: Johannes Berg <johannes@sipsolutions.net>
Cc: "Oliver Neukum" <oneukum@suse.com>,
	"Enrico Mioso" <mrkiko.rs@gmail.com>,
	"Jan Engelhardt" <jengelh@inai.de>,
	linux-kernel@vger.kernel.org,
	"David S. Miller" <davem@davemloft.net>,
	"Eric Dumazet" <edumazet@google.com>,
	"Jakub Kicinski" <kuba@kernel.org>,
	"Paolo Abeni" <pabeni@redhat.com>,
	"Kalle Valo" <kvalo@kernel.org>,
	"Oleksij Rempel" <linux@rempel-privat.de>,
	"Maciej Żenczykowski" <maze@google.com>,
	"Neil Armstrong" <neil.armstrong@linaro.org>,
	"Mauro Carvalho Chehab" <mchehab@kernel.org>,
	"Andrzej Pietrasiewicz" <andrzejtp2010@gmail.com>,
	"Jacopo Mondi" <jacopo@jmondi.org>,
	"Łukasz Stelmach" <l.stelmach@samsung.com>,
	"Laurent Pinchart" <laurent.pinchart@ideasonboard.com>,
	linux-usb@vger.kernel.org, netdev@vger.kernel.org,
	linux-wireless@vger.kernel.org,
	"Ilja Van Sprundel" <ivansprundel@ioactive.com>,
	"Joseph Tartaro" <joseph.tartaro@ioactive.com>
Subject: Re: [PATCH] USB: disable all RNDIS protocol drivers
Date: Thu, 13 Jul 2023 07:34:45 +0200
Message-ID: <2023071333-wildly-playroom-878b@gregkh>
In-Reply-To: <2d26c0028590a80e7aa80487cbeffd5ca6e6a5ea.camel@sipsolutions.net>

On Thu, Jul 13, 2023 at 02:28:26AM +0200, Johannes Berg wrote:
> On Wed, 2023-07-12 at 18:39 +0200, Greg Kroah-Hartman wrote:
> > On Wed, Jul 12, 2023 at 03:00:55PM +0200, Johannes Berg wrote:
> > > On Wed, 2023-07-12 at 11:22 +0200, Oliver Neukum wrote:
> > > > 
> > > > On 04.07.23 08:47, Greg Kroah-Hartman wrote:
> > > > > On Mon, Jul 03, 2023 at 11:11:57PM +0200, Enrico Mioso wrote:
> > > > > > Hi all!!
> > > > > > 
> > > > > > I think the rndis_host USB driver might emit a warning in the dmesg, but disabling the driver wouldn't be a good idea.
> > > > > > The TP-Link MR6400 V1 LTE modem and also some ZTE modems integrated in routers do use this protocol.
> > > > > > 
> > > > > > We may also distinguish between these cases and devices you might plug in - as they pose different risk levels.
> > > > > 
> > > > > Again, you have to fully trust the other side of an RNDIS connection,
> > > > > any hints on how to have the kernel determine that?
> > > 
> > > > it is a network protocol. So this statement is kind of odd.
> > > > Are you saying that there are RNDIS messages that cannot be verified
> > > > for some reason, that still cannot be disclosed?
> > > 
> > > Agree, it's also just a USB device, so no special trickery with DMA,
> > > shared buffers, etc.
> > > 
> > > I mean, yeah, the RNDIS code is really old and almost certainly has a
> > > severe lack of input validation, but that still doesn't mean it's
> > > fundamentally impossible.
> > 
> > You all are going to make me have to write some exploits aren't you...
> 
> This is getting a bit childish. Nobody ever said that wasn't possible,
> in fact I did say exactly above that I'm sure since it's old and all it
> lacks input validation. So yeah, I full well believe that you can write
> exploits for it.

I wasn't trying to be glib here, sorry if it came across that way.  I'll
blame the heat...

> All we said is that your statement of "RNDIS is fundamentally unfixable"
> doesn't make a lot of sense. If this were the case, all USB drivers
> would have to "trust the other side" as well, right?

No, well, yes.  See the zillion patches we have had to apply to the
kernel over the years when someone decided that "usb devices are not to
be trusted" that syzbot has helped find :)

It's not a DMA issue here, it's a "the protocol allows for buffer
overflows and does not seem to be able to be verified to prevent this"
from what I remember (it's been a year since I looked at this last,
details are hazy.)  At the time, I didn't see a way that it could be
fixed, hence this patch.

But yes, details matter, again I'll refrain from submitting this change
until I have those details.

thanks,

greg k-h
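
An added example, not part of the message above and not kernel code: the kind of input validation the thread is arguing about, shown for a single RNDIS data message whose length and offset fields come from the device. The field layout (little-endian 32-bit fields, 44-byte header, data offset counted from byte 8) is assumed from the published RNDIS data-message format, and the function name and the minimum-offset policy are hypothetical; it covers this one message type only and does not settle whether every RNDIS message can be checked this way.

```c
#include <stddef.h>
#include <stdint.h>

#define RNDIS_MSG_PACKET   0x00000001u  /* REMOTE_NDIS_PACKET_MSG */
#define RNDIS_DATA_HDR_LEN 44u          /* eleven 32-bit little-endian fields */

/* Read a little-endian u32 without alignment or endianness assumptions. */
static uint32_t le32_at(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/*
 * Validate one device-supplied RNDIS data message held in buf[0..len).
 * On success returns 0 and sets *payload / *payload_len to a range that
 * lies entirely inside the message; on any inconsistency returns -1.
 */
int rndis_packet_payload(const uint8_t *buf, size_t len,
                         const uint8_t **payload, size_t *payload_len)
{
    if (len < RNDIS_DATA_HDR_LEN)
        return -1;                          /* truncated header */

    uint32_t msg_type = le32_at(buf);
    uint32_t msg_len  = le32_at(buf + 4);
    uint32_t data_off = le32_at(buf + 8);   /* counted from byte 8 */
    uint32_t data_len = le32_at(buf + 12);

    if (msg_type != RNDIS_MSG_PACKET)
        return -1;
    if (msg_len < RNDIS_DATA_HDR_LEN || msg_len > len)
        return -1;                          /* claims more than was received */

    /* Subtract from the checked bound instead of adding untrusted values,
     * so data_off + data_len cannot wrap around 32 bits. */
    uint32_t room = msg_len - 8u;
    if (data_off < RNDIS_DATA_HDR_LEN - 8u || data_off > room)
        return -1;                          /* payload would overlap header */
    if (data_len > room - data_off)
        return -1;                          /* payload runs past message end */

    *payload = buf + 8u + data_off;
    *payload_len = data_len;
    return 0;
}
```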
