oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Fwd: CVE Request: Linux: usbnet: memory corruption triggered by invalid USB descriptor

From: Andrey Konovalov <andreyknvl () gmail com>
Date: Wed, 6 Apr 2016 18:38:42 +0300
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256


There's a flaw in the usbnet Linux kernel driver:


usbnet_link_change will call schedule_work and should be
avoided if bind is failing. Otherwise we will end up with
scheduled work referring to a netdev which has gone away.

Instead of making the call conditional, we can just defer
it to usbnet_probe, using the driver_info flag made for
this purpose.


The bug allows physically proximate attackers to cause a denial of
service (NULL pointer dereference and system crash) or possibly have
other impact by inserting a USB device with an invalid USB descriptor.

https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=4d06dd537f95683aba3651098ae288b7cbff8274
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=1666984c8625b3db19a9abc298931d35ab7bc64b
https://www.spinics.net/lists/netdev/msg367669.html


Use CVE-2016-3951.

- --
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJXA955AAoJEL54rhJi8gl5NY0QAJ3rDGZ9FqmcCB7Defx4MvY1
nCDzmvcCv2hZdrkoYcHmk0G7O+5D2er6ds4lmuCe5LlByR8gjN+9omHTvCoaYEHh
kh4vfjireKsCrY/g9ZElSaUJITnHW2JL4/mv/EX4FjDWkTukAvN4r4Ld6q1827ZF
OU56NJL7QlNOG4Z/dTsJNbSp61hOSIIjOx/gr8L7Cj7PY23649hn5OBufSa22RWH
7vJDe9Yu9zWFCFpce2QlF6xJAT1ojmQX43hlpYo/Olv9r8nw0oeHYXe67RV+GKDQ
T/Btx+fM2cNaYwSczAnMDh/uNyn2zep0OcL0fOWHRgCZUQ0KWpBWgDA2aEIM4h+G
6qyDguMatCgVniYQQ1TiBSf8aNiluK0ZzonOd9gX4IWFsJIRMpTxbS0tmEij7p5U
efeS50dUGC3huT7cEh8GbZBj8xVKmwM+st+bOGgrYZ6Z/1UqzUuE7M1zYheXTyOD
F+KVqa3C8r548/yHiTajhF90H92XFYZLb5W/hn/Id/mqiGQvBBR4BE59yWGrEG86
LG//lJw53nbFIqXIQq1qevNqXOQsE0sQj/Wkv9k2/ez3GClKUxPFyWgJazDN8g8k
/FR0Bdd/kqVjaJ4pr8eO/PP8SHq+I71Os0BuuhJE00hn9TMqkvWHV46DKoXnW5Ck
LVHmzK4rafNRvycxIF2t
=KiV2
-----END PGP SIGNATURE-----
Previous By Date Next
Previous By Thread Next

Current thread: