Re: Vulnerability in WhiteHEAT Linux Driver-CVE-2015-5257

[Greg KH <greg () kroah com>]

On Tue, Sep 22, 2015 at 08:17:06PM -0700, Greg KH wrote:
> On Tue, Sep 22, 2015 at 05:49:53PM -0700, Moein Ghasemzadeh wrote:
> > Hello,
> >
> > We have discovered a vulnerability in a linux kernel module and would
> > like to inform you so that required actions could be taken.
> >
> > Assigned CVE ID : CVE-2015-5257.
> >
> > Below is the description of the vulnerability.
> >
> > 1. Software name and vendor name:
> > USB WhiteHEAT serial driver by ConnecTech in the Linux kernel
> > v3.19.0-28, but likely to exist in all kernel versions.
> >
> > 2. Type of vulnerability or attack outcome:
> >
> > The vulnerability triggers a kernel NULL pointer dereference. It causes
> > the OS to freeze on many machines and requires a cold reboot, causing
> > denial of service.
> >
> > 3. A description of the affected code (e.g. the function name, the
> > vulnerable web page, link to the affected code, a bug entry, etc.):
> >
> > The flaw exists in the "whiteheat_attach" function in
> > drivers/usb/serial/whiteheat.c in the Whiteheat USB Serial Driver in the
> > Linux kernel.
> > (http://lxr.free-electrons.com/source/drivers/usb/serial/whiteheat.c?v=3.19)
> >
> >
> > In the driver, the “COMMAND_PORT” variable is hard coded and is set to
> > “4” (5th element). So, the driver assumes that the number of ports
> > always will be 5 and takes the port number 5 as the command port. But,
> > using a specially made USB device in which the number of ports was set
> > to a number less than 5 (e.g. 3) we were able to perform Denial of
> > Service on the system due to a kernel NULL pointer dereference. The
> > system froze and requires a reboot.
> >
> > You may find more information regarding the bug from the logs attached
> > to this email. Please let us know if you have any questions or concerns.
>
> FWIW, the USB serial subsystem maintainer was just told about this an
> hour or so ago, and is working on a patch for this, which should be
> merged into Linus's tree by the end of the week or so.

And here's a patch if distros care to pick it up earlier than "normal":
        https://lkml.kernel.org/r/<1443033702-29600-1-git-send-email-johan () kernel org>