Re: USB Security in the Linux Kernel

Re: USB Security in the Linux Kernel

[Alan Stern]

On Mon, May 25, 2020 at 05:28:33AM +0000, Rick Mark wrote:
> Hey Alan
> 
> You and other previously rejected a patch I submitted 13 months ago 

Nobody rejected your patch.  We pointed out problems with it, and we 
asked you to take a second look and provide more information.  You never 
replied.

> but have later integrated the changes under your name while missing a 
> few key security holes (I am working on another supplemental patch as 
> we speak).

That's not right.  Your changes were never merged into the kernel, in 
any form.

> Can you reconcile this mailing list email with commits made after it 
> in your name?
> 
> https://patchwork.kernel.org/patch/10941901/
> 
> Commit  a03ff54460817c76105f81f3aa8ef655759ccc9a

What is there to reconcile?  Your patch and my commit touched different 
code and addressed different (although similar) problems.  More 
specifically, your patch made changes to these routines:

	find_next_descriptor()
	usb_parse_ssp_isoc_endpoint_companion()
	usb_parse_ss_endpoint_companion()
	usb_parse_endpoint()
	usb_parse_interface()

whereas my commit changed:

	usb_get_bos_descriptor().

Furthermore, the changes you made appeared to be unnecessary (you added 
checks for things that either had already been checked or were checked a 
few lines later), whereas my commit fixed an actual bug, as demonstrated 
by syzbot.

> I find it highly improbable you managed to write that patch the same 
> day as my submission,

Indeed, I did _not_ write that patch the same day as your submission.  
If you check the datestamps on these emails in the archive, you'll see 
that my patch was posted on May 13 2019 and yours was posted on May 14, 
the next day:

	https://marc.info/?l=linux-usb&m=155776767725342&w=2
	https://marc.info/?l=linux-usb&m=155780009303416&w=2

> and the subsequent patches are also based on my 
> original work.

What subsequent patches?

Alan Stern