oss-sec mailing list archives
Re: Linux kernel: multiple vulnerabilities in the USB subsystem x2
From: Eric Biggers <ebiggers () kernel org>
Date: Wed, 21 Aug 2019 21:00:59 -0700
On Tue, Aug 20, 2019 at 08:20:34PM +0200, Andrey Konovalov wrote:
> Hi!
>
> I've previously reported vulnerabilities in the Linux kernel USB drivers on this list [1] found with syzkaller [2]. The USB fuzzing project has been on hold for a while, but has been resumed earlier this year. Here's a new bunch of 15 CVEs.
>
> As an experiment this time I've requested CVEs for 2 bugs (CVE-2019-15290, CVE-2019-15291) that haven't yet been fixed (fixes for the other 13 bugs are in the upstream kernel). Both have been reported by syzbot over 4 months ago. I've made sure that these 2 bugs are reproducible with a crafted USB device and crash a Linux laptop (or rather crash the USB worker thread) with one of the distro kernels.
>
> There are many more still not fixed bugs shown here [3].
>
> [1] https://www.openwall.com/lists/oss-security/2017/12/12/7
> [2] https://github.com/google/syzkaller/blob/master/docs/linux/external_fuzzing_usb.md
> [3] https://syzkaller.appspot.com/upstream?manager=ci2-upstream-usb

Thanks for filing CVEs for these. FWIW, link [3] seems to be missing some of the USB bugs since it only includes bugs seen on the "ci2-upstream-usb" syzbot manager, when in fact USB bugs are also being reported from the "ci-upstream-kmsan-gce" manager.

Based on my categorization of all open syzbot reports, as of today there are 80 USB-related ones, 52 of which have occurred in the last week. The 52 are listed at
https://lore.kernel.org/linux-usb/20190822032841.GC6111@zzz.localdomain/T/#u

These include use-after-frees, out of bounds reads/writes, using uninitialized memory, general protection faults, etc. More are reported each week, and syzbot has covered only a tiny percentage of Linux's USB driver code so far.

- Eric