oss-sec mailing list archives
CVE Request: Linux kernel crash of OHCI when plugging in malicious USB devices
From: Marcus Meissner <meissner () suse de>
Date: Thu, 18 Aug 2016 16:22:16 +0200
Hi, I think this does not have a CVE yet, please assign. https://www.spinics.net/lists/linux-usb/msg144177.html Headline: Linux Kernel Panic Over USB with HID Keyboard wMaxPacketSize Platforms: Ubuntu Versions: Linux Kernel 4.4.0-22-generic CVSS Score: 4.7 CVSS Vector: AV:L/AC:M/Au:N/C:N/I:N/A:C Filed Defects: Related Defects: CWE Tags: Cycle: Found by: Jake Lamberson Linux Kernel panics when using an OHCI controller if a USB device reports being a generic HID keyboard and reports a wMaxPacketSize of over 4095. The OHCI controller driver fails to reserve bandwidth for the device, causing the keyboard handler to fail when attaching to the HID. Later, when the device is removed, the system crashes due to a null pointer dereference in a linked list of endpoint descriptors. The crash can be re-created using a Facedancer and UMAP software. Given an appropriately configured Facedancer and UMAP setup, the crash can be re-created with: sudo board=facedancer21 python3 umap.py -P /dev/serial_device_here -f 03:00:00:E:0046 -l LOG Note: OHCI is a USB 1.1 controller standard that can be included with devices that support either USB 1.1 or 2.0 as their highest USB spec. USB 3.0 devices all use xHCI, which implements USB 1.1, 2.0, and 3.0, making them immune to this particular bug. ----------------- The proposed fixing patch is here: https://www.spinics.net/lists/linux-usb/msg144269.html It has not yet been committed to the USB tree or to Linus Tree as far as I see. Ciao, Marcus
Current thread:
- CVE Request: Linux kernel crash of OHCI when plugging in malicious USB devices Marcus Meissner (Aug 18)
- Re: CVE Request: Linux kernel crash of OHCI when plugging in malicious USB devices Greg KH (Aug 18)
- Re: CVE Request: Linux kernel crash of OHCI when plugging in malicious USB devices Marcus Meissner (Aug 18)
- Re: CVE Request: Linux kernel crash of OHCI when plugging in malicious USB devices Greg KH (Aug 18)
- Re: CVE Request: Linux kernel crash of OHCI when plugging in malicious USB devices Marcus Meissner (Aug 18)
- Re: CVE Request: Linux kernel crash of OHCI when plugging in malicious USB devices Ben Hutchings (Aug 18)
- Re: Re: CVE Request: Linux kernel crash of OHCI when plugging in malicious USB devices Adam Maris (Aug 18)
- Re: Re: CVE Request: Linux kernel crash of OHCI when plugging in malicious USB devices Willy Tarreau (Aug 18)
- Re: Re: CVE Request: Linux kernel crash of OHCI when plugging in malicious USB devices Marcus Meissner (Aug 22)
- Re: CVE Request: Linux kernel crash of OHCI when plugging in malicious USB devices cve-assign (Aug 22)
- Re: Re: CVE Request: Linux kernel crash of OHCI when plugging in malicious USB devices Greg KH (Aug 22)
- Re: CVE Request: Linux kernel crash of OHCI when plugging in malicious USB devices Marcus Meissner (Aug 18)
- Re: CVE Request: Linux kernel crash of OHCI when plugging in malicious USB devices Greg KH (Aug 18)