linux-wireless.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Johannes Berg <johannes@sipsolutions.net>
To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: "Oliver Neukum" <oneukum@suse.com>,
	"Enrico Mioso" <mrkiko.rs@gmail.com>,
	"Jan Engelhardt" <jengelh@inai.de>,
	linux-kernel@vger.kernel.org,
	"David S. Miller" <davem@davemloft.net>,
	"Eric Dumazet" <edumazet@google.com>,
	"Jakub Kicinski" <kuba@kernel.org>,
	"Paolo Abeni" <pabeni@redhat.com>,
	"Kalle Valo" <kvalo@kernel.org>,
	"Oleksij Rempel" <linux@rempel-privat.de>,
	"Maciej Żenczykowski" <maze@google.com>,
	"Neil Armstrong" <neil.armstrong@linaro.org>,
	"Mauro Carvalho Chehab" <mchehab@kernel.org>,
	"Andrzej Pietrasiewicz" <andrzejtp2010@gmail.com>,
	"Jacopo Mondi" <jacopo@jmondi.org>,
	"Łukasz Stelmach" <l.stelmach@samsung.com>,
	"Laurent Pinchart" <laurent.pinchart@ideasonboard.com>,
	linux-usb@vger.kernel.org, netdev@vger.kernel.org,
	linux-wireless@vger.kernel.org,
	"Ilja Van Sprundel" <ivansprundel@ioactive.com>,
	"Joseph Tartaro" <joseph.tartaro@ioactive.com>
Subject: Re: [PATCH] USB: disable all RNDIS protocol drivers
Date: Thu, 13 Jul 2023 14:21:46 +0200	[thread overview]
Message-ID: <42f91f17602fea258fecb443ba81fa573bae1acb.camel@sipsolutions.net> (raw)
In-Reply-To: <2023071333-wildly-playroom-878b@gregkh>

On Thu, 2023-07-13 at 07:34 +0200, Greg Kroah-Hartman wrote:
> I wasn't trying to be glib here, sorry if it came across that way.  I'll
> blame the heat...

No worries.

> > All we said is that your statement of "RNDIS is fundamentally unfixable"
> > doesn't make a lot of sense. If this were the case, all USB drivers
> > would have to "trust the other side" as well, right?
> 
> No, well, yes.  See the zillion patches we have had to apply to the
> kernel over the years when someone decided that "usb devices are not to
> be trusted" that syzbot has helped find :)

Sure, I'm well aware of that. But that's also exactly my point - nowhere
has anyone previously suggested that the protocol for any of those
devices is fundamentally broken and the drivers should be removed. We've
fixed those things and moved on.

I can even understand the initial reaction of "oh hey this ancient thing
is probably not used any more, let's just remove it", but even that's a
different reasoning, along the lines of "this has bugs and nobody needs
it". Though that nobody uses it has in fact been proven wrong, which is
pretty much why we're have this discussion at all.

> It's not a DMA issue here, it's a "the protocol allows for buffer
> overflows and does not seem to be able to be verified to prevent this"
> from what I remember (it's been a year since I looked at this last,
> details are hazy.)

If you s/be able to be verified/be verified in the code/ I entirely
believe it, in fact I think it's quite likely given the age of the code
and all. It's just that not being _able_ to verify it seems questionable
to me (and you haven't given any reasons), given that it's USB and you
always have a full buffer in hand when processing it, at a time where
the device can no longer modify it (IOW no TOCTTOU issues either.)

(As an aside, I've wondered about TOCTTOU with PCI, given that IOMMUs
can and will do lazy unmap ... but that's a different discussion.)


> At the time, I didn't see a way that it could be
> fixed, hence this patch.

Yeah I mean, the code isn't great, even if it's not _that_ much, but all
the likely() and things in there don't make it easy to read, and the
buffer size handling seems not immediately clear to me. So I probably
couldn't fix it quickly either, though I haven't even seen the reports.
Maciej seems to think it's fixable, at least. And yeah, we'd want to
actually review/audit that, I suppose.


So if you'd have said something like

   Let's disable the RNDIS driver(s) because there are known exploits
   there, nobody really knows how to fix this, and we need a short-term
   solution until the issues are public and somebody steps up to fix and
   maintain it.

I'd have much less of a problem with that. That's not _great_, but at
least it's honest and realistic. That could give us some time and maybe
then we can get the bug reports public once it's no longer an immediate
threat for all kernels, and go about fixing it with more time, maybe
eventually backporting fixes and reverting the disablement etc.

I guess this is why secret bug reports suck so much :-)

Thanks,
johannes

  parent reply	other threads:[~2023-07-13 12:22 UTC|newest]

Thread overview: 25+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-11-23 12:46 [PATCH] USB: disable all RNDIS protocol drivers Greg Kroah-Hartman
2022-11-23 14:20 ` Johannes Berg
2022-11-23 15:05   ` Greg Kroah-Hartman
2022-11-23 16:27     ` Johannes Berg
2023-01-10 22:47       ` James Hilliard
2022-11-23 15:21 ` Kalle Valo
2022-11-23 18:29 ` Jakub Kicinski
2022-11-23 20:27 ` Maciej Żenczykowski
2023-01-11 13:38 ` Jan Engelhardt
2023-01-11 14:56   ` Greg Kroah-Hartman
2023-07-03 21:11   ` Enrico Mioso
2023-07-04  6:47     ` Greg Kroah-Hartman
2023-07-12  9:22       ` Oliver Neukum
2023-07-12 13:00         ` Johannes Berg
2023-07-12 16:39           ` Greg Kroah-Hartman
2023-07-13  0:28             ` Johannes Berg
2023-07-13  5:34               ` Greg Kroah-Hartman
2023-07-13  8:33                 ` Oliver Neukum
2023-07-13  9:49                   ` Maciej Żenczykowski
2023-07-13 12:21                 ` Johannes Berg [this message]
2023-07-13  5:21       ` Mauro Carvalho Chehab
2022-11-23 15:40 Nicolas Cavallari
2022-11-23 15:55 ` Greg Kroah-Hartman
2022-11-24  0:58 ` Lars Melin
2022-11-29 22:48 ` Dan Williams

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=42f91f17602fea258fecb443ba81fa573bae1acb.camel@sipsolutions.net \
    --to=johannes@sipsolutions.net \
    --cc=andrzejtp2010@gmail.com \
    --cc=davem@davemloft.net \
    --cc=edumazet@google.com \
    --cc=gregkh@linuxfoundation.org \
    --cc=ivansprundel@ioactive.com \
    --cc=jacopo@jmondi.org \
    --cc=jengelh@inai.de \
    --cc=joseph.tartaro@ioactive.com \
    --cc=kuba@kernel.org \
    --cc=kvalo@kernel.org \
    --cc=l.stelmach@samsung.com \
    --cc=laurent.pinchart@ideasonboard.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-usb@vger.kernel.org \
    --cc=linux-wireless@vger.kernel.org \
    --cc=linux@rempel-privat.de \
    --cc=maze@google.com \
    --cc=mchehab@kernel.org \
    --cc=mrkiko.rs@gmail.com \
    --cc=neil.armstrong@linaro.org \
    --cc=netdev@vger.kernel.org \
    --cc=oneukum@suse.com \
    --cc=pabeni@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).