Re: Linux kernel: multiple vulnerabilities in the USB subsystem x2

[Eddie Chapman <eddie () ehuk net>]

On 22/08/2019 18:57, Perry E. Metzger wrote:
> Android phones run Linux. People routinely plug those phones in to USB
> charging stations in airports, on airplanes, at booths in public
> places, etc.
>
> Perry

I would argue that this kind of behaviour is far too trusting and asking 
for trouble. Should we request a CVE for foolish user behaviour? Yes, 
USB was designed to make it easy be able to plug/unplug devices without 
having to open your device up, but it doesn't mean people should do 
stupid things with it. Ok there are different levels of risk, you can 
never be totally sure if any device is safe unless you open it up and 
start examining. If it is a dumb charger or you know the person who 
supplies you with a more sophisticated charging device (either a 
manufacturer you trust you bought it from or a friend you trust obtained 
the device from a trusted manufacturer) then the risk is lower, but not 
eliminated completely.

If I designed a box with PCIe slots on the outside of the case, would 
you go around plugging in random circuit boards into it if they were 
available at an airport and provided some useful function? I would not. 
Whatever interface it is I will only plug it in if I have some 
reasonable level of confidence about the device. Or maybe people have 
already started reviewing the kernel code looking for ways in which a 
malicious PCIe device could own the system.