oss-sec mailing list archives

Re: Linux kernel: multiple vulnerabilities in the USB subsystem x2

From: Eric Biggers <ebiggers () kernel org>
Date: Wed, 21 Aug 2019 21:00:59 -0700

On Tue, Aug 20, 2019 at 08:20:34PM +0200, Andrey Konovalov wrote:
Hi!

I've previously reported vulnerabilities in the Linux kernel USB
drivers on this list [1] found with syzkaller [2]. The USB fuzzing
project was on hold for a while, but was resumed earlier
this year. Here's a new bunch of 15 CVEs.

As an experiment this time I've requested CVEs for 2 bugs
(CVE-2019-15290, CVE-2019-15291) that haven't yet been fixed (fixes
for the other 13 bugs are in the upstream kernel). Both were
reported by syzbot over 4 months ago. I've made sure that these 2 bugs
are reproducible with a crafted USB device and crash a Linux laptop
(or rather crash the USB worker thread) with one of the distro
kernels.

There are many more still-unfixed bugs shown here [3].

[1] https://www.openwall.com/lists/oss-security/2017/12/12/7

[2] https://github.com/google/syzkaller/blob/master/docs/linux/external_fuzzing_usb.md

[3] https://syzkaller.appspot.com/upstream?manager=ci2-upstream-usb


Thanks for filing CVEs for these.

FWIW, link [3] seems to be missing some of the USB bugs since it only includes
bugs seen on the "ci2-upstream-usb" syzbot manager, when in fact USB bugs are
also being reported from the "ci-upstream-kmsan-gce" manager.

Based on my categorization of all open syzbot reports, as of today there are 80
USB-related ones, 52 of which have occurred in the last week.  The 52 are listed
at https://lore.kernel.org/linux-usb/20190822032841.GC6111@zzz.localdomain/T/#u
These include use-after-frees, out-of-bounds reads/writes, using uninitialized
memory, general protection faults, etc.  More are reported each week, and syzbot
has covered only a tiny percentage of Linux's USB driver code so far.

- Eric
