oss-sec mailing list archives
Linux kernel: multiple vulnerabilities in the USB subsystem x2
From: Andrey Konovalov <andreyknvl () gmail com>
Date: Tue, 20 Aug 2019 20:20:34 +0200
Hi! I've previously reported vulnerabilities in the Linux kernel USB drivers on this list [1] found with syzkaller [2]. The USB fuzzing project has been on hold for a while, but has been resumed earlier this year. Here's a new bunch of 15 CVEs. As an experiment this time I've requested CVEs for 2 bugs (CVE-2019-15290, CVE-2019-15291) that haven't yet been fixed (fixes for the other 13 bugs are in the upstream kernel). Both have been reported by syzbot over 4 months ago. I've made sure that these 2 bugs are reproducible with a crafted USB device and crash a Linux laptop (or rather crash the USB worker thread) with one of the distro kernels. There are many more still not fixed bugs shown here [3]. [1] https://www.openwall.com/lists/oss-security/2017/12/12/7 [2] https://github.com/google/syzkaller/blob/master/docs/linux/external_fuzzing_usb.md [3] https://syzkaller.appspot.com/upstream?manager=ci2-upstream-usb ### CVEs * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15290 An issue was discovered in the Linux kernel through 5.2.9. There is a NULL pointer dereference caused by a malicious USB device in the ath6kl_usb_alloc_urb_from_pipe function in the drivers/net/wireless/ath/ath6kl/usb.c driver. * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15291 An issue was discovered in the Linux kernel through 5.2.9. There is a NULL pointer dereference caused by a malicious USB device in the flexcop_usb_probe function in the drivers/media/usb/b2c2/flexcop-usb.c driver. * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15211 An issue was discovered in the Linux kernel before 5.2.6. There is a use-after-free caused by a malicious USB device in the drivers/media/v4l2-core/v4l2-dev.c driver because drivers/media/radio/radio-raremono.c does not properly allocate memory. * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15212 An issue was discovered in the Linux kernel before 5.1.8. There is a double-free caused by a malicious USB device in the drivers/usb/misc/rio500.c driver. * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15213 An issue was discovered in the Linux kernel before 5.2.3. There is a use-after-free caused by a malicious USB device in the drivers/media/usb/dvb-usb/dvb-usb-init.c driver. * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15214 An issue was discovered in the Linux kernel before 5.0.10. There is a use-after-free in the sound subsystem because card disconnection causes certain data structures to be deleted too early. This is related to sound/core/init.c and sound/core/info.c. * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15215 An issue was discovered in the Linux kernel before 5.2.6. There is a use-after-free caused by a malicious USB device in the drivers/media/usb/cpia2/cpia2_usb.c driver. * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15216 An issue was discovered in the Linux kernel before 5.0.14. There is a NULL pointer dereference caused by a malicious USB device in the drivers/usb/misc/yurex.c driver. * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15217 An issue was discovered in the Linux kernel before 5.2.3. There is a NULL pointer dereference caused by a malicious USB device in the drivers/media/usb/zr364xx/zr364xx.c driver. * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15218 An issue was discovered in the Linux kernel before 5.1.8. There is a NULL pointer dereference caused by a malicious USB device in the drivers/media/usb/siano/smsusb.c driver. * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15219 An issue was discovered in the Linux kernel before 5.1.8. There is a NULL pointer dereference caused by a malicious USB device in the drivers/usb/misc/sisusbvga/sisusb.c driver. * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15220 An issue was discovered in the Linux kernel before 5.2.1. There is a use-after-free caused by a malicious USB device in the drivers/net/wireless/intersil/p54/p54usb.c driver. * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15221 An issue was discovered in the Linux kernel before 5.1.17. There is a NULL pointer dereference caused by a malicious USB device in the sound/usb/line6/pcm.c driver. * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15222 An issue was discovered in the Linux kernel before 5.2.8. There is a NULL pointer dereference caused by a malicious USB device in the sound/usb/helper.c (motu_microbookii) driver. * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15223 An issue was discovered in the Linux kernel before 5.1.8. There is a NULL pointer dereference caused by a malicious USB device in the sound/usb/line6/driver.c driver.
Current thread:
- Linux kernel: multiple vulnerabilities in the USB subsystem x2 Andrey Konovalov (Aug 20)
- Re: Linux kernel: multiple vulnerabilities in the USB subsystem x2 Eric Biggers (Aug 21)
- Re: Linux kernel: multiple vulnerabilities in the USB subsystem x2 John Haxby (Aug 22)
- Re: Linux kernel: multiple vulnerabilities in the USB subsystem x2 Marcus Meissner (Aug 22)
- Re: Linux kernel: multiple vulnerabilities in the USB subsystem x2 John Haxby (Aug 22)
- Re: Linux kernel: multiple vulnerabilities in the USB subsystem x2 Andrey Konovalov (Aug 22)
- Re: Linux kernel: multiple vulnerabilities in the USB subsystem x2 Greg KH (Aug 22)
- Re: Linux kernel: multiple vulnerabilities in the USB subsystem x2 Brad Spengler (Aug 22)
- Re: Linux kernel: multiple vulnerabilities in the USB subsystem x2 Greg KH (Aug 22)
- Re: Linux kernel: multiple vulnerabilities in the USB subsystem x2 Marcus Meissner (Aug 22)
- Re: Linux kernel: multiple vulnerabilities in the USB subsystem x2 Perry E. Metzger (Aug 22)
- Re: Linux kernel: multiple vulnerabilities in the USB subsystem x2 Jeremy Stanley (Aug 22)