oss-sec mailing list archives
CVE Request/Guidance: Linux kernel cdc-wdm buffer overflow triggered by device
From: Marcus Meissner <meissner () suse de>
Date: Thu, 14 Mar 2013 14:43:41 +0100
Hi, I am wondering ... do we consider attacks with special attack taylored USB devices as CVE worthy? There is only some precedence in the CVE DB, but not much. I stumbled over this fix from one of my colleagues where a specifically made USB device reporting the "cdc-wdm" USB class could cause a kernel heap overflow. "Malicious attached devices" might fall into several categories: 1. Attaching the device causes the issue directly within the kernel / autoloaded module, without user interaction. (here the case) 2. Attaching the device causes the issue when userspace, dependend on e.g. desktop system, does initiate a seperate action (like an automount and then exploitation of something) (so not direct a kernel, but a kernel + GNOME/KDE interaction). 3. User needs to do something with the attached device (like click on a file on a USB disk) I would consider (1) and (2) CVE worthy at least, not so sure with (3). Ciao, Marcus commit c0f5ecee4e741667b2493c742b60b6218d40b3aa Author: Oliver Neukum <oneukum () suse de> Date: Tue Mar 12 14:52:42 2013 +0100 USB: cdc-wdm: fix buffer overflow The buffer for responses must not overflow. If this would happen, set a flag, drop the data and return an error after user space has read all remaining data. Signed-off-by: Oliver Neukum <oliver () neukum org> CC: stable () kernel org Signed-off-by: Greg Kroah-Hartman <gregkh () linuxfoundation org>
Current thread:
- CVE Request/Guidance: Linux kernel cdc-wdm buffer overflow triggered by device Marcus Meissner (Mar 14)
- Re: CVE Request/Guidance: Linux kernel cdc-wdm buffer overflow triggered by device Eugene Teo (Mar 14)
- RE: CVE Request/Guidance: Linux kernel cdc-wdm buffer overflow triggered by device Christey, Steven M. (Mar 14)
- Re: CVE Request/Guidance: Linux kernel cdc-wdm buffer overflow triggered by device Kurt Seifried (Mar 14)
- RE: CVE Request/Guidance: Linux kernel cdc-wdm buffer overflow triggered by device Christey, Steven M. (Mar 14)
- Re: CVE Request/Guidance: Linux kernel cdc-wdm buffer overflow triggered by device Petr Matousek (Mar 14)
- Re: CVE Request/Guidance: Linux kernel cdc-wdm buffer overflow triggered by device Kurt Seifried (Mar 14)
- Re: CVE Request/Guidance: Linux kernel cdc-wdm buffer overflow triggered by device Eugene Teo (Mar 14)