Date: Thu, 14 Mar 2013 14:43:41 +0100
From: Marcus Meissner <meissner@...e.de>
To: OSS Security List <oss-security@...ts.openwall.com>
Subject: CVE Request/Guidance: Linux kernel cdc-wdm buffer overflow triggered by device

Hi,

I am wondering ... do we consider attacks with special attack tailored USB
devices as CVE worthy?

There is only some precedent in the CVE DB, but not much.

I stumbled over this fix from one of my colleagues where a specifically
made USB device reporting the "cdc-wdm" USB class could cause a kernel
heap overflow.

"Malicious attached devices" might fall into several categories:

1. Attaching the device causes the issue directly within the kernel / autoloaded
   module, without user interaction. (here the case)


2. Attaching the device causes the issue when userspace, dependent on
   e.g. desktop system, does initiate a separate action (like an automount
   and then exploitation of something) (so not directly a kernel, but a
   kernel + GNOME/KDE interaction).


3. User needs to do something with the attached device (like click on 
   a file on a USB disk)


I would consider (1) and (2) CVE worthy at least, not so sure with (3).

Ciao, Marcus

commit c0f5ecee4e741667b2493c742b60b6218d40b3aa
Author: Oliver Neukum <oneukum@...e.de>
Date:   Tue Mar 12 14:52:42 2013 +0100

    USB: cdc-wdm: fix buffer overflow

    The buffer for responses must not overflow.
    If this would happen, set a flag, drop the data and return
    an error after user space has read all remaining data.

    Signed-off-by: Oliver Neukum <oliver@...kum.org>
    CC: stable@...nel.org
    Signed-off-by: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
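
The behaviour the commit message describes (bound the response buffer, set a flag and drop the data on overflow, report the error once user space has read what was buffered), as a user-space C model added here. It is not the cdc-wdm driver's code; `resp_buf`, `resp_append`, `resp_read`, `RESP_MAX` and the `-ENOBUFS` return value are assumptions made for the example.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>

#define RESP_MAX 16 /* constructed size for the model */

struct resp_buf {
    unsigned char data[RESP_MAX];
    size_t len;   /* bytes buffered and not yet read */
    int overflow; /* set when a response had to be dropped */
};

/* Completion path: append one response of n bytes.
 * n is reported by the device, so it is untrusted. */
static int resp_append(struct resp_buf *b, const unsigned char *src, size_t n)
{
    if (n > RESP_MAX - b->len) { /* subtraction form cannot wrap */
        b->overflow = 1;         /* remember the loss, drop the data */
        return -ENOBUFS;
    }
    memcpy(b->data + b->len, src, n);
    b->len += n;
    return 0;
}

/* Read path: hand out buffered bytes first, report the overflow once after. */
static long resp_read(struct resp_buf *b, unsigned char *dst, size_t want)
{
    size_t n = want < b->len ? want : b->len;
    if (b->len == 0) {
        if (!b->overflow)
            return 0;
        b->overflow = 0;
        return -ENOBUFS;
    }
    memcpy(dst, b->data, n);
    memmove(b->data, b->data + n, b->len - n);
    b->len -= n;
    return (long)n;
}

int main(void)
{
    struct resp_buf b = {0};
    unsigned char in[12] = {0}, out[RESP_MAX];
    resp_append(&b, in, sizeof in);            /* fits */
    resp_append(&b, in, sizeof in);            /* would overflow: dropped */
    long first = resp_read(&b, out, sizeof out);  /* remaining data */
    long second = resp_read(&b, out, sizeof out); /* deferred error */
    return (first == 12 && second == -ENOBUFS) ? 0 : 1;
}
```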


