Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <CA+fCnZfP83sn2biq-=5x23Kfgzv_0YFKKDNpntrH89TwLRCEjw@mail.gmail.com>
Date: Mon, 6 Nov 2017 14:45:01 +0100
From: Andrey Konovalov <andreyknvl@...il.com>
To: oss-security@...ts.openwall.com
Cc: Dmitry Vyukov <dvyukov@...gle.com>, Kostya Serebryany <kcc@...gle.com>
Subject: Linux kernel: multiple vulnerabilities in the USB subsystem

Hi!

Below are the details for 14 vulnerabilities found with syzkaller in
the Linux kernel USB subsystem. All of them can be triggered with a
crafted malicious USB device in case an attacker has physical access
to the machine.

There's quite a lot more similar bugs reported [1] but not yet fixed.

[1] https://github.com/google/syzkaller/blob/master/docs/linux/found_bugs_usb.md

### CVEs

* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16525

The usb_serial_console_disconnect function in
drivers/usb/serial/console.c in the Linux kernel before 4.13.8 allows
local users to cause a denial of service (use-after-free and system
crash) or possibly have unspecified other impact via a crafted USB
device, related to disconnection and failed setup.

* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16526

drivers/uwb/uwbd.c in the Linux kernel before 4.13.6 allows local
users to cause a denial of service (general protection fault and
system crash) or possibly have unspecified other impact via a crafted
USB device.

* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16527

sound/usb/mixer.c in the Linux kernel before 4.13.8 allows local users
to cause a denial of service (snd_usb_mixer_interrupt use-after-free
and system crash) or possibly have unspecified other impact via a
crafted USB device.

* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16528

sound/core/seq_device.c in the Linux kernel before 4.13.4 allows local
users to cause a denial of service (snd_rawmidi_dev_seq_free
use-after-free and system crash) or possibly have unspecified other
impact via a crafted USB device.

* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16529

The snd_usb_create_streams function in sound/usb/card.c in the Linux
kernel before 4.13.6 allows local users to cause a denial of service
(out-of-bounds read and system crash) or possibly have unspecified
other impact via a crafted USB device.

* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16530

The uas driver in the Linux kernel before 4.13.6 allows local users to
cause a denial of service (out-of-bounds read and system crash) or
possibly have unspecified other impact via a crafted USB device,
related to drivers/usb/storage/uas-detect.h and
drivers/usb/storage/uas.c.

* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16531

drivers/usb/core/config.c in the Linux kernel before 4.13.6 allows
local users to cause a denial of service (out-of-bounds read and
system crash) or possibly have unspecified other impact via a crafted
USB device, related to the USB_DT_INTERFACE_ASSOCIATION descriptor.

* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16532

The get_endpoints function in drivers/usb/misc/usbtest.c in the Linux
kernel through 4.13.11 allows local users to cause a denial of service
(NULL pointer dereference and system crash) or possibly have
unspecified other impact via a crafted USB device.

* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16533

The usbhid_parse function in drivers/hid/usbhid/hid-core.c in the
Linux kernel before 4.13.8 allows local users to cause a denial of
service (out-of-bounds read and system crash) or possibly have
unspecified other impact via a crafted USB device.

* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16534

The cdc_parse_cdc_header function in drivers/usb/core/message.c in the
Linux kernel before 4.13.6 allows local users to cause a denial of
service (out-of-bounds read and system crash) or possibly have
unspecified other impact via a crafted USB device.

* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16535

The usb_get_bos_descriptor function in drivers/usb/core/config.c in
the Linux kernel before 4.13.10 allows local users to cause a denial
of service (out-of-bounds read and system crash) or possibly have
unspecified other impact via a crafted USB device.

* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16536

The cx231xx_usb_probe function in
drivers/media/usb/cx231xx/cx231xx-cards.c in the Linux kernel through
4.13.11 allows local users to cause a denial of service (NULL pointer
dereference and system crash) or possibly have unspecified other
impact via a crafted USB device.

* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16537

The imon_probe function in drivers/media/rc/imon.c in the Linux kernel
through 4.13.11 allows local users to cause a denial of service (NULL
pointer dereference and system crash) or possibly have unspecified
other impact via a crafted USB device.

* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16538

drivers/media/usb/dvb-usb-v2/lmedm04.c in the Linux kernel through
4.13.11 allows local users to cause a denial of service (general
protection fault and system crash) or possibly have unspecified other
impact via a crafted USB device, related to a missing warm-start check
and incorrect attach timing (dm04_lme2510_frontend_attach versus
dm04_lme2510_tuner).

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.