Re: CVE Request/Guidance: Linux kernel cdc-wdm buffer overflow triggered by device

[Petr Matousek <pmatouse () redhat com>]

Hi Marcus,

On Thu, Mar 14, 2013 at 02:43:41PM +0100, Marcus Meissner wrote:
> I am wondering ... do we consider attacks with special attack taylored USB
> devices as CVE worthy?
>
> There is only some precedence in the CVE DB, but not much.
>
> I stumbled over this fix from one of my colleagues where a specifically
> made USB device reporting the "cdc-wdm" USB class could cause a kernel
> heap overflow.
>
> "Malicious attached devices" might fall into several categories:
>
> 1. Attaching the device causes the issue directly within the kernel / autoloaded
>    module, without user interaction. (here the case)
>
>
> 2. Attaching the device causes the issue when userspace, dependend on
>    e.g. desktop system, does initiate a seperate action (like an automount
>    and then exploitation of something) (so not direct a kernel, but a
>    kernel + GNOME/KDE interaction).
>
>
> 3. User needs to do something with the attached device (like click on 
>    a file on a USB disk)
>
> I would consider (1) and (2) CVE worthy at least, not so sure with (3).

FWIW, I think all of the three options are CVE worthy. As Eugene said,
some filesystem bugs fall into (3) and they have been issued CVE
indentifiers.

-- 
Petr Matousek / Red Hat Security Response Team