Re: UAF write in usb_audio_probe

[Marcus Meissner <meissner () suse de>]

Hi

Mitre assigned CVE-2018-19824.
On Mon, Dec 03, 2018 at 05:45:30PM +0100, Mathias Payer wrote:
> Hi there,
>
> We reported a security bug to security () kernel org we discovered in the Linux
> kernel when fuzzing the hardware/software interface, targeting malicious USB
> peripherals. We have developed a fuzzing infrastructure that emulates malicious
> USB peripherals, allowing a fuzzer to feed test input into a virtualized kernel.
> We have tested 8 different recent kernel versions and have found new 37 bugs (so
> far). A first glimpse at all discovered vulnerabilities shows that they contain
> a set of arbitrary reads and arbitrary writes.
>
> The attacker needs local access to plug in a malicious USB device that replays
> the trace (e.g., through FaceDancer) to get read/write primitives in the kernel.
> For, e.g., Android or locked Desktops this becomes security critical. This turns
> these bugs into local "pop the box" opportunities, e.g., to disable screen locks
> or gain root.
>
> We can provide input USB seeds/traces for all discovered bugs/vulnerabilities
> and will report the other bugs as we triage them. Note that we submitted the
> paper that presents the technique to the Dec 01 IEEE Security and Privacy deadline.
>
> So far, we have submitted one bug (and patch) to alsa-devel () alsa-project org
> (after discussing both with the security () kernel org list). This bug is likely
> exploitable, allowing a local user (not logged in) to gain a write primitive in
> the kernel by simply plugging in a malicious USB device.
> The patch is at:
> https://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound.git/commit/?id=5f8cf712582617d523120df67d392059eaf2fc4b
>
> Thanks,
> Mathias Payer




-- 
Marcus Meissner,SUSE LINUX GmbH; Maxfeldstrasse 5; D-90409 Nuernberg; Zi. 3.1-33,+49-911-740 
53-432,,serv=loki,mail=wotan,type=real <meissner () suse de>