Re: Re: CVE Request: Linux kernel crash of OHCI when plugging in malicious USB devices

[Marcus Meissner <meissner () suse de>]

Hi,

This seems a bit sore topic, and Mitre does not want to chime in.

Perhaps we need to add more criteria to select CVE assignment.

- simple DOS (e.g. NULL ptr dereference) when plugging in: No CVE
- code execution (use after free, write overflows) when plugging in: Assign CVE


That said, this leaves malicious USB devices posing as regular keyboards 
for text injection unclassified ... 

Ciao, Marcus

On Thu, Aug 18, 2016 at 09:50:24PM +0200, Willy Tarreau wrote:
> On Thu, Aug 18, 2016 at 08:16:27PM +0200, Adam Maris wrote:
> > Attacker doesn't necessarily need to have physical access to USB port. He
> > can somehow
> > hand USB off to the victim that will with good intentions stick it to his
> > USB port, unexpectedly
> > causing kernel panic. Difference is that one probably wouldn't pour glue or
> > corrosive liquid
> > into his USB port believing that nothing bad will happen.
>
> Well, it happened to me when I was a kid, with a PS/2 port. I handed off
> a device to someone of trust to connect to the PS/2 port and parallel port.
> (PS/2 to pick the +5V). I wired it wrong and the motherboard died, as
> amazing as it seems and the person didn't find it fun as it was not his PC.
>
> So yes it can be done even without suspecting. It's easy to do whatever you
> want using a USB stick. You can use the 3W it provides to charge a 300V
> capacitor and discharge it on the D+/D- to test the clamping diodes
> robustness, etc...
>
> Thus I don't think either that something "only causing a panic" deserves
> a CVE. It needs to be fixed however, for sure!
>
> Regards,
> Willy

-- 
Marcus Meissner,SUSE LINUX GmbH; Maxfeldstrasse 5; D-90409 Nuernberg; Zi. 3.1-33,+49-911-740 
53-432,,serv=loki,mail=wotan,type=real <meissner () suse de>