Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 8 Nov 2017 11:38:39 +0100
From: Andrey Konovalov <andreyknvl@...il.com>
To: oss-security@...ts.openwall.com
Cc: Dmitry Vyukov <dvyukov@...gle.com>, Kostya Serebryany <kcc@...gle.com>
Subject: Re: Linux kernel: multiple vulnerabilities in the USB subsystem

On Mon, Nov 6, 2017 at 2:45 PM, Andrey Konovalov <andreyknvl@...il.com> wrote:
> Hi!
>
> Below are the details for 14 vulnerabilities found with syzkaller in
> the Linux kernel USB subsystem. All of them can be triggered with a
> crafted malicious USB device in case an attacker has physical access
> to the machine.
>
> There's quite a lot more similar bugs reported [1] but not yet fixed.
>
> [1] https://github.com/google/syzkaller/blob/master/docs/linux/found_bugs_usb.md
>
> ### CVEs
>
> * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16525
>
> The usb_serial_console_disconnect function in
> drivers/usb/serial/console.c in the Linux kernel before 4.13.8 allows
> local users to cause a denial of service (use-after-free and system
> crash) or possibly have unspecified other impact via a crafted USB
> device, related to disconnection and failed setup.
>
> * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16526
>
> drivers/uwb/uwbd.c in the Linux kernel before 4.13.6 allows local
> users to cause a denial of service (general protection fault and
> system crash) or possibly have unspecified other impact via a crafted
> USB device.
>
> * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16527
>
> sound/usb/mixer.c in the Linux kernel before 4.13.8 allows local users
> to cause a denial of service (snd_usb_mixer_interrupt use-after-free
> and system crash) or possibly have unspecified other impact via a
> crafted USB device.
>
> * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16528
>
> sound/core/seq_device.c in the Linux kernel before 4.13.4 allows local
> users to cause a denial of service (snd_rawmidi_dev_seq_free
> use-after-free and system crash) or possibly have unspecified other
> impact via a crafted USB device.
>
> * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16529
>
> The snd_usb_create_streams function in sound/usb/card.c in the Linux
> kernel before 4.13.6 allows local users to cause a denial of service
> (out-of-bounds read and system crash) or possibly have unspecified
> other impact via a crafted USB device.
>
> * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16530
>
> The uas driver in the Linux kernel before 4.13.6 allows local users to
> cause a denial of service (out-of-bounds read and system crash) or
> possibly have unspecified other impact via a crafted USB device,
> related to drivers/usb/storage/uas-detect.h and
> drivers/usb/storage/uas.c.
>
> * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16531
>
> drivers/usb/core/config.c in the Linux kernel before 4.13.6 allows
> local users to cause a denial of service (out-of-bounds read and
> system crash) or possibly have unspecified other impact via a crafted
> USB device, related to the USB_DT_INTERFACE_ASSOCIATION descriptor.
>
> * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16532
>
> The get_endpoints function in drivers/usb/misc/usbtest.c in the Linux
> kernel through 4.13.11 allows local users to cause a denial of service
> (NULL pointer dereference and system crash) or possibly have
> unspecified other impact via a crafted USB device.
>
> * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16533
>
> The usbhid_parse function in drivers/hid/usbhid/hid-core.c in the
> Linux kernel before 4.13.8 allows local users to cause a denial of
> service (out-of-bounds read and system crash) or possibly have
> unspecified other impact via a crafted USB device.
>
> * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16534
>
> The cdc_parse_cdc_header function in drivers/usb/core/message.c in the
> Linux kernel before 4.13.6 allows local users to cause a denial of
> service (out-of-bounds read and system crash) or possibly have
> unspecified other impact via a crafted USB device.
>
> * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16535
>
> The usb_get_bos_descriptor function in drivers/usb/core/config.c in
> the Linux kernel before 4.13.10 allows local users to cause a denial
> of service (out-of-bounds read and system crash) or possibly have
> unspecified other impact via a crafted USB device.
>
> * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16536
>
> The cx231xx_usb_probe function in
> drivers/media/usb/cx231xx/cx231xx-cards.c in the Linux kernel through
> 4.13.11 allows local users to cause a denial of service (NULL pointer
> dereference and system crash) or possibly have unspecified other
> impact via a crafted USB device.
>
> * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16537
>
> The imon_probe function in drivers/media/rc/imon.c in the Linux kernel
> through 4.13.11 allows local users to cause a denial of service (NULL
> pointer dereference and system crash) or possibly have unspecified
> other impact via a crafted USB device.
>
> * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16538
>
> drivers/media/usb/dvb-usb-v2/lmedm04.c in the Linux kernel through
> 4.13.11 allows local users to cause a denial of service (general
> protection fault and system crash) or possibly have unspecified other
> impact via a crafted USB device, related to a missing warm-start check
> and incorrect attach timing (dm04_lme2510_frontend_attach versus
> dm04_lme2510_tuner).

Here's 8 more:

* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16643

The parse_hid_report_descriptor function in
drivers/input/tablet/gtco.c in the Linux kernel before 4.13.11 allows
local users to cause a denial of service (out-of-bounds read and
system crash) or possibly have unspecified other impact via a crafted
USB device.

* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16644

The hdpvr_probe function in drivers/media/usb/hdpvr/hdpvr-core.c in
the Linux kernel through 4.13.11 allows local users to cause a denial
of service (improper error handling and system crash) or possibly have
unspecified other impact via a crafted USB device.

* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16645

The ims_pcu_get_cdc_union_desc function in
drivers/input/misc/ims-pcu.c in the Linux kernel through 4.13.11
allows local users to cause a denial of service
(ims_pcu_parse_cdc_data out-of-bounds read and system crash) or
possibly have unspecified other impact via a crafted USB device.

* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16646

drivers/media/usb/dvb-usb/dib0700_devices.c in the Linux kernel
through 4.13.11 allows local users to cause a denial of service (BUG
and system crash) or possibly have unspecified other impact via a
crafted USB device.

* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16647

drivers/net/usb/asix_devices.c in the Linux kernel through 4.13.11
allows local users to cause a denial of service (NULL pointer
dereference and system crash) or possibly have unspecified other
impact via a crafted USB device.

* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16648

The dvb_frontend_free function in
drivers/media/dvb-core/dvb_frontend.c in the Linux kernel through
4.13.11 allows local users to cause a denial of service
(use-after-free and system crash) or possibly have unspecified other
impact via a crafted USB device. NOTE: the function was later renamed
__dvb_frontend_free.

* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16649

The usbnet_generic_cdc_bind function in drivers/net/usb/cdc_ether.c in
the Linux kernel through 4.13.11 allows local users to cause a denial
of service (divide-by-zero error and system crash) or possibly have
unspecified other impact via a crafted USB device.

* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16650

The qmi_wwan_bind function in drivers/net/usb/qmi_wwan.c in the Linux
kernel through 4.13.11 allows local users to cause a denial of service
(divide-by-zero error and system crash) or possibly have unspecified
other impact via a crafted USB device.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.