oss-sec mailing list archives

CVE request -- linux kernel: visor: crash on invalid USB device descriptors in treo_attach() in visor driver


From: Vladis Dronov <vdronov () redhat com>
Date: Sun, 28 Feb 2016 12:24:58 -0500 (EST)

Hello,

If possible, we would like to obtain a CVE-ID for the following issue.

Let me please note that this flaw is very similar to the already existing
CVE-2015-7566 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7566).
This is the same type of flaw, which just exists in a different function,
treo_attach() (instead of clie_5_attach()), so probably we can use the same
CVE-2015-7566 for this.

Description:

A local kernel crash on an invalid USB device requiring the visor driver was reported.
The treo_attach() function of the [visor] driver, which is called during the driver
initialization process, was dereferencing the bulk-in and interrupt-in urbs without
first making sure they had been allocated by the core. Due to an incomplete sanity
check, the visor driver tries to dereference null pointers, which results in a crash.

References:

Red Hat public Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1312670

An upstream patch: 
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=cb3232138e37129e88240a98a1d2aba2187ff57c

Best regards,
Vladis Dronov | Red Hat, Inc. | Product Security Engineer
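
The missing check described in this report, shown as an added user-space model (not part of the original message and not the kernel's code): an attach step that validates descriptor-derived endpoint counts and URB pointers before dereferencing them. All struct and function names are hypothetical, and the two-port layout and the endpoint swap are assumptions made for the model.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical user-space model; not the kernel's usb-serial structures. */
struct model_urb { int endpoint; };
struct model_port {
    struct model_urb *read_urb;          /* bulk-in, NULL if never allocated */
    struct model_urb *interrupt_in_urb;  /* interrupt-in, NULL if never allocated */
};
struct model_serial {
    int num_bulk_in;       /* endpoint counts derived from the descriptors */
    int num_interrupt_in;
    struct model_port port[2];           /* assumed: the driver expects two ports */
};

/* Stand-in for the attach-time work: exchange the endpoints of two URBs. */
static void swap_endpoints(struct model_urb *a, struct model_urb *b)
{
    int tmp = a->endpoint;   /* dereference: crashes if a or b is NULL */
    a->endpoint = b->endpoint;
    b->endpoint = tmp;
}

/* Attach step with the complete sanity check in front of every dereference. */
int model_attach(struct model_serial *s)
{
    if (s->num_bulk_in < 2 || s->num_interrupt_in < 2)
        return -ENODEV;                 /* device lacks the expected endpoints */
    for (int i = 0; i < 2; i++)
        if (!s->port[i].read_urb || !s->port[i].interrupt_in_urb)
            return -ENODEV;             /* count and allocation disagree */
    swap_endpoints(s->port[0].read_urb, s->port[1].read_urb);
    swap_endpoints(s->port[0].interrupt_in_urb, s->port[1].interrupt_in_urb);
    return 0;
}

int main(void)
{
    /* Constructed input: a device that advertised no IN endpoints at all. */
    struct model_serial bad = { 0 };
    printf("malformed device: %d\n", model_attach(&bad));
    return 0;
}
```

Without the two checks at the top of model_attach(), the constructed device in main() would reach swap_endpoints() with NULL pointers, which is the crash the report describes.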

