Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Wed, 23 Sep 2015 11:54:42 -0700
From: Greg KH <greg@...ah.com>
To: oss-security@...ts.openwall.com
Subject: Re: Vulnerability in WhiteHEAT Linux
 Driver-CVE-2015-5257

On Tue, Sep 22, 2015 at 08:17:06PM -0700, Greg KH wrote:
> On Tue, Sep 22, 2015 at 05:49:53PM -0700, Moein Ghasemzadeh wrote:
> > Hello,
> > 
> > We have discovered a vulnerability in a linux kernel module and would
> > like to inform you so that required actions could be taken.
> > 
> > Assigned CVE ID : CVE-2015-5257.
> > 
> > Below is the description of the vulnerability.
> > 
> > 1. Software name and vendor name:
> > USB WhiteHEAT serial driver by ConnecTech in the Linux kernel
> > v3.19.0-28, but likely to exist in all kernel versions.
> > 
> > 2. Type of vulnerability or attack outcome:
> > 
> > The vulnerability triggers a kernel NULL pointer dereference. It causes
> > the OS to freeze on many machines and requires a cold reboot, causing
> > denial of service.
> > 
> > 3. A description of the affected code (e.g. the function name, the
> > vulnerable web page, link to the affected code, a bug entry, etc.):
> > 
> > The flaw exists in the "whiteheat_attach" function in
> > drivers/usb/serial/whiteheat.c in the Whiteheat USB Serial Driver in the
> > Linux kernel.
> > (http://lxr.free-electrons.com/source/drivers/usb/serial/whiteheat.c?v=3.19)
> > 
> > 
> > In the driver, the “COMMAND_PORT” variable is hard coded and is set to
> > “4” (5th element). So, the driver assumes that the number of ports
> > always will be 5 and takes the port number 5 as the command port. But,
> > using a specially made USB device in which the number of ports was set
> > to a number less than 5 (e.g. 3) we were able to perform Denial of
> > Service on the system due to a kernel NULL pointer dereference. The
> > system froze and requires a reboot.
> > 
> > You may find more information regarding the bug from the logs attached
> > to this email. Please let us know if you have any questions or concerns.
> 
> FWIW, the USB serial subsystem maintainer was just told about this an
> hour or so ago, and is working on a patch for this, which should be
> merged into Linus's tree by the end of the week or so.

And here's a patch if distros care to pick it up earlier than "normal":
	https://lkml.kernel.org/r/<1443033702-29600-1-git-send-email-johan@...nel.org>

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ