oss-sec mailing list archives

CVE Request/Guidance: Linux kernel cdc-wdm buffer overflow triggered by device


From: Marcus Meissner <meissner () suse de>
Date: Thu, 14 Mar 2013 14:43:41 +0100

Hi,

I am wondering ... do we consider attacks with specially tailored USB
devices as CVE worthy?

There is only some precedent in the CVE DB, but not much.

I stumbled over this fix from one of my colleagues where a specifically
made USB device reporting the "cdc-wdm" USB class could cause a kernel
heap overflow.

"Malicious attached devices" might fall into several categories:

1. Attaching the device causes the issue directly within the kernel / autoloaded
   module, without user interaction. (here the case)


2. Attaching the device causes the issue when userspace, dependent on
   e.g. desktop system, does initiate a separate action (like an automount
   and then exploitation of something) (so not directly a kernel, but a
   kernel + GNOME/KDE interaction).


3. User needs to do something with the attached device (like click on 
   a file on a USB disk)


I would consider (1) and (2) CVE worthy at least, not so sure with (3).

Ciao, Marcus

commit c0f5ecee4e741667b2493c742b60b6218d40b3aa
Author: Oliver Neukum <oneukum () suse de>
Date:   Tue Mar 12 14:52:42 2013 +0100

    USB: cdc-wdm: fix buffer overflow

    The buffer for responses must not overflow.
    If this would happen, set a flag, drop the data and return
    an error after user space has read all remaining data.

    Signed-off-by: Oliver Neukum <oliver () neukum org>
    CC: stable () kernel org
    Signed-off-by: Greg Kroah-Hartman <gregkh () linuxfoundation org>
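A simplified model of the behaviour the commit message describes, added here as an illustration and not the kernel's cdc-wdm code: the response buffer is bounded, a fragment that would not fit is dropped and flagged, and the error is reported to the reader only once the queued data has been drained. The struct and function names, WMAX_COMMAND and the -ENOBUFS error code are assumptions of this model.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>

/* Constructed: maximum response size the device is allowed to send. */
#define WMAX_COMMAND 16

struct wdm_model {
    unsigned char ubuf[WMAX_COMMAND]; /* accumulated response, read by user space */
    size_t length;                    /* bytes currently queued in ubuf */
    int overflow;                     /* set when a fragment did not fit; cleared on report */
};

/* Device-side delivery of a response fragment (the "in" completion path).
 * Without the bound check, a device sending more than WMAX_COMMAND bytes
 * would overrun ubuf. Here an oversized fragment is dropped and the event
 * recorded. Returns 1 if the fragment was accepted, 0 if it was dropped. */
int wdm_model_in(struct wdm_model *d, const unsigned char *data, size_t len)
{
    if (d->length + len > sizeof d->ubuf) {
        d->overflow = 1;      /* remember the event, discard the data */
        return 0;
    }
    memcpy(d->ubuf + d->length, data, len);
    d->length += len;
    return 1;
}

/* User-space read. Returns the number of bytes copied out. Once nothing is
 * left and an overflow was recorded, the overflow is reported once as
 * -ENOBUFS (error code chosen for this model), then the flag is cleared. */
long wdm_model_read(struct wdm_model *d, unsigned char *out, size_t count)
{
    if (d->length == 0) {
        if (d->overflow) {
            d->overflow = 0;
            return -ENOBUFS;
        }
        return 0;
    }
    size_t n = count < d->length ? count : d->length;
    memcpy(out, d->ubuf, n);
    memmove(d->ubuf, d->ubuf + n, d->length - n);   /* shift the remainder down */
    d->length -= n;
    return (long)n;
}
```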