Date: Sat, 7 Jan 2012 18:01:46 -0500
From: Xi Wang <>
Subject: Malicious devices & vulnerabilities


In general driver code trusts hardware devices and often doesn't
validate the data they respond with.  But how about USB devices
that an attacker could plug into a victim's computer?  For example,
an attacker may craft a USB device with a long product name to cause
a buffer overflow (CVE-2011-0712).!/mwrlabs/status/44814759396249600

Here is another possible bug in the USB audio format parser I tried
to report upstream.

I am wondering where to draw the line.  Should such device drivers
be considered vulnerable or not?  Thanks.

- xi
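
An added example, not part of the original message and not kernel code: one way a driver can copy a device-supplied product name out of a raw USB string descriptor without trusting the lengths the device reports. The function name `copy_product_name`, the 16-byte destination and the sample descriptor are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define USB_DT_STRING 0x03  /* bDescriptorType of a string descriptor */

/*
 * Copy the name held in a raw USB string descriptor (bLength, bDescriptorType,
 * then UTF-16LE code units) into a fixed-size field. Every length here comes
 * from the device, so it is checked against the bytes actually received and
 * against the destination size. Returns the number of characters stored,
 * or -1 if the descriptor is malformed (dst is then left empty).
 */
int copy_product_name(const uint8_t *desc, size_t received,
                      char *dst, size_t dst_size)
{
    size_t blen, units, i, n = 0;

    if (dst == NULL || dst_size == 0)
        return -1;
    dst[0] = '\0';
    if (desc == NULL || received < 2)
        return -1;
    blen = desc[0];
    if (desc[1] != USB_DT_STRING || blen < 2 || (blen & 1))
        return -1;              /* wrong type or impossible length */
    if (blen > received)
        return -1;              /* device claims more than it sent */
    units = (blen - 2) / 2;
    /* Stop one short of dst_size so the terminator always fits. */
    for (i = 0; i < units && n + 1 < dst_size; i++) {
        uint16_t cu = (uint16_t)(desc[2 + 2 * i] | (desc[3 + 2 * i] << 8));
        dst[n++] = (cu >= 0x20 && cu < 0x7f) ? (char)cu : '?';
    }
    dst[n] = '\0';
    return (int)n;
}

int main(void)
{
    /* Constructed sample: a descriptor carrying the name "Mic". */
    const uint8_t sample[] = { 8, USB_DT_STRING, 'M', 0, 'i', 0, 'c', 0 };
    char name[16];
    int n = copy_product_name(sample, sizeof sample, name, sizeof name);

    printf("%d \"%s\"\n", n, name);
    return 0;
}
```

A name longer than the destination is truncated rather than rejected, so the device still enumerates with a shortened label.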
