Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Mon, 6 Nov 2017 14:45:01 +0100
From: Andrey Konovalov <andreyknvl@...il.com>
To: oss-security@...ts.openwall.com
Cc: Dmitry Vyukov <dvyukov@...gle.com>, Kostya Serebryany <kcc@...gle.com>
Subject: Linux kernel: multiple vulnerabilities in the USB subsystem

Hi!

Below are the details for 14 vulnerabilities found with syzkaller in
the Linux kernel USB subsystem. All of them can be triggered with a
crafted malicious USB device in case an attacker has physical access
to the machine.

There's quite a lot more similar bugs reported [1] but not yet fixed.

[1] https://github.com/google/syzkaller/blob/master/docs/linux/found_bugs_usb.md

### CVEs

* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16525

The usb_serial_console_disconnect function in
drivers/usb/serial/console.c in the Linux kernel before 4.13.8 allows
local users to cause a denial of service (use-after-free and system
crash) or possibly have unspecified other impact via a crafted USB
device, related to disconnection and failed setup.

* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16526

drivers/uwb/uwbd.c in the Linux kernel before 4.13.6 allows local
users to cause a denial of service (general protection fault and
system crash) or possibly have unspecified other impact via a crafted
USB device.

* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16527

sound/usb/mixer.c in the Linux kernel before 4.13.8 allows local users
to cause a denial of service (snd_usb_mixer_interrupt use-after-free
and system crash) or possibly have unspecified other impact via a
crafted USB device.

* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16528

sound/core/seq_device.c in the Linux kernel before 4.13.4 allows local
users to cause a denial of service (snd_rawmidi_dev_seq_free
use-after-free and system crash) or possibly have unspecified other
impact via a crafted USB device.

* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16529

The snd_usb_create_streams function in sound/usb/card.c in the Linux
kernel before 4.13.6 allows local users to cause a denial of service
(out-of-bounds read and system crash) or possibly have unspecified
other impact via a crafted USB device.

* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16530

The uas driver in the Linux kernel before 4.13.6 allows local users to
cause a denial of service (out-of-bounds read and system crash) or
possibly have unspecified other impact via a crafted USB device,
related to drivers/usb/storage/uas-detect.h and
drivers/usb/storage/uas.c.

* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16531

drivers/usb/core/config.c in the Linux kernel before 4.13.6 allows
local users to cause a denial of service (out-of-bounds read and
system crash) or possibly have unspecified other impact via a crafted
USB device, related to the USB_DT_INTERFACE_ASSOCIATION descriptor.

* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16532

The get_endpoints function in drivers/usb/misc/usbtest.c in the Linux
kernel through 4.13.11 allows local users to cause a denial of service
(NULL pointer dereference and system crash) or possibly have
unspecified other impact via a crafted USB device.

* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16533

The usbhid_parse function in drivers/hid/usbhid/hid-core.c in the
Linux kernel before 4.13.8 allows local users to cause a denial of
service (out-of-bounds read and system crash) or possibly have
unspecified other impact via a crafted USB device.

* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16534

The cdc_parse_cdc_header function in drivers/usb/core/message.c in the
Linux kernel before 4.13.6 allows local users to cause a denial of
service (out-of-bounds read and system crash) or possibly have
unspecified other impact via a crafted USB device.

* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16535

The usb_get_bos_descriptor function in drivers/usb/core/config.c in
the Linux kernel before 4.13.10 allows local users to cause a denial
of service (out-of-bounds read and system crash) or possibly have
unspecified other impact via a crafted USB device.

* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16536

The cx231xx_usb_probe function in
drivers/media/usb/cx231xx/cx231xx-cards.c in the Linux kernel through
4.13.11 allows local users to cause a denial of service (NULL pointer
dereference and system crash) or possibly have unspecified other
impact via a crafted USB device.

* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16537

The imon_probe function in drivers/media/rc/imon.c in the Linux kernel
through 4.13.11 allows local users to cause a denial of service (NULL
pointer dereference and system crash) or possibly have unspecified
other impact via a crafted USB device.

* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16538

drivers/media/usb/dvb-usb-v2/lmedm04.c in the Linux kernel through
4.13.11 allows local users to cause a denial of service (general
protection fault and system crash) or possibly have unspecified other
impact via a crafted USB device, related to a missing warm-start check
and incorrect attach timing (dm04_lme2510_frontend_attach versus
dm04_lme2510_tuner).

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ