Date: Wed, 23 Sep 2015 11:54:42 -0700 From: Greg KH <greg@...ah.com> To: oss-security@...ts.openwall.com Subject: Re: Vulnerability in WhiteHEAT Linux Driver-CVE-2015-5257 On Tue, Sep 22, 2015 at 08:17:06PM -0700, Greg KH wrote: > On Tue, Sep 22, 2015 at 05:49:53PM -0700, Moein Ghasemzadeh wrote: > > Hello, > > > > We have discovered a vulnerability in a linux kernel module and would > > like to inform you so that required actions could be taken. > > > > Assigned CVE ID : CVE-2015-5257. > > > > Below is the description of the vulnerability. > > > > 1. Software name and vendor name: > > USB WhiteHEAT serial driver by ConnecTech in the Linux kernel > > v3.19.0-28, but likely to exist in all kernel versions. > > > > 2. Type of vulnerability or attack outcome: > > > > The vulnerability triggers a kernel NULL pointer dereference. It causes > > the OS to freeze on many machines and requires a cold reboot, causing > > denial of service. > > > > 3. A description of the affected code (e.g. the function name, the > > vulnerable web page, link to the affected code, a bug entry, etc.): > > > > The flaw exists in the "whiteheat_attach" function in > > drivers/usb/serial/whiteheat.c in the Whiteheat USB Serial Driver in the > > Linux kernel. > > (http://lxr.free-electrons.com/source/drivers/usb/serial/whiteheat.c?v=3.19) > > > > > > In the driver, the “COMMAND_PORT” variable is hard coded and is set to > > “4” (5th element). So, the driver assumes that the number of ports > > always will be 5 and takes the port number 5 as the command port. But, > > using a specially made USB device in which the number of ports was set > > to a number less than 5 (e.g. 3) we were able to perform Denial of > > Service on the system due to a kernel NULL pointer dereference. The > > system froze and requires a reboot. > > > > You may find more information regarding the bug from the logs attached > > to this email. Please let us know if you have any questions or concerns. > > FWIW, the USB serial subsystem maintainer was just told about this an > hour or so ago, and is working on a patch for this, which should be > merged into Linus's tree by the end of the week or so. And here's a patch if distros care to pick it up earlier than "normal": https://lkml.kernel.org/r/<1443033702-29600-1-git-send-email-johan@...nel.org>
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ