Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CA+fCnZfrU-AtNGCUGou4_8Xms3yDmytut+AqED7Jhygtvq17eQ@mail.gmail.com>
Date: Tue, 3 Dec 2019 18:00:22 +0100
From: Andrey Konovalov <andreyknvl@...il.com>
To: oss-security@...ts.openwall.com
Subject: Linux kernel: multiple vulnerabilities in the USB subsystem x3

Hi!

More CVEs for bugs in Linux kernel USB drivers that can be triggered
by an external malicious USB device. Found with syzkaller [1]. This
time no obvious DoSs (see the discussions here [2, 3]): mostly UAFs,
some info-leaks. All of these bugs have been fixed upstream (but many
other syzbot USB bugs are still not fixed [4]).

[1] https://github.com/google/syzkaller/blob/master/docs/linux/external_fuzzing_usb.md

[2] https://www.openwall.com/lists/oss-security/2019/08/20/2

[3] https://www.openwall.com/lists/oss-security/2019/10/25/15

[4] https://syzkaller.appspot.com/upstream?manager=ci2-upstream-usb

### CVEs

* https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19523

In the Linux kernel before 5.3.7, there is a use-after-free bug that
can be caused by a malicious USB device in the
drivers/usb/misc/adutux.c driver, aka CID-44efc269db79.

* https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19524

In the Linux kernel before 5.3.12, there is a use-after-free bug that
can be caused by a malicious USB device in the
drivers/input/ff-memless.c driver, aka CID-fa3a5a1880c9.

* https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19525

In the Linux kernel before 5.3.6, there is a use-after-free bug that
can be caused by a malicious USB device in the
drivers/net/ieee802154/atusb.c driver, aka CID-7fd25e6fc035.

* https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19526

In the Linux kernel before 5.3.9, there is a use-after-free bug that
can be caused by a malicious USB device in the drivers/nfc/pn533/usb.c
driver, aka CID-6af3aa57a098.

* https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19527

In the Linux kernel before 5.2.10, there is a use-after-free bug that
can be caused by a malicious USB device in the
drivers/hid/usbhid/hiddev.c driver, aka CID-9c09b214f30e.

* https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19528

In the Linux kernel before 5.3.7, there is a use-after-free bug that
can be caused by a malicious USB device in the
drivers/usb/misc/iowarrior.c driver, aka CID-edc4746f253d.

* https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19529

In the Linux kernel before 5.3.11, there is a use-after-free bug that
can be caused by a malicious USB device in the
drivers/net/can/usb/mcba_usb.c driver, aka CID-4d6636498c41.

* https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19530

In the Linux kernel before 5.2.10, there is a use-after-free bug that
can be caused by a malicious USB device in the
drivers/usb/class/cdc-acm.c driver, aka CID-c52873e5a1ef.

* https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19531

In the Linux kernel before 5.2.9, there is a use-after-free bug that
can be caused by a malicious USB device in the
drivers/usb/misc/yurex.c driver, aka CID-fc05481b2fca.

* https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19532

In the Linux kernel before 5.3.9, there are multiple out-of-bounds
write bugs that can be caused by a malicious USB device in the Linux
kernel HID drivers, aka CID-d9d4b1e46d95. This affects
drivers/hid/hid-axff.c, drivers/hid/hid-dr.c, drivers/hid/hid-emsff.c,
drivers/hid/hid-gaff.c, drivers/hid/hid-holtekff.c,
drivers/hid/hid-lg2ff.c, drivers/hid/hid-lg3ff.c,
drivers/hid/hid-lg4ff.c, drivers/hid/hid-lgff.c,
drivers/hid/hid-logitech-hidpp.c, drivers/hid/hid-microsoft.c,
drivers/hid/hid-sony.c, drivers/hid/hid-tmff.c, and
drivers/hid/hid-zpff.c.

* https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19533

In the Linux kernel before 5.3.4, there is an info-leak bug that can
be caused by a malicious USB device in the
drivers/media/usb/ttusb-dec/ttusb_dec.c driver, aka CID-a10feaf8c464.

* https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19534

In the Linux kernel before 5.3.11, there is an info-leak bug that can
be caused by a malicious USB device in the
drivers/net/can/usb/peak_usb/pcan_usb_core.c driver, aka
CID-f7a1337f0d29.

* https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19535

In the Linux kernel before 5.2.9, there is an info-leak bug that can
be caused by a malicious USB device in the
drivers/net/can/usb/peak_usb/pcan_usb_fd.c driver, aka
CID-30a8beeb3042.

* https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19536

In the Linux kernel before 5.2.9, there is an info-leak bug that can
be caused by a malicious USB device in the
drivers/net/can/usb/peak_usb/pcan_usb_pro.c driver, aka
CID-ead16e53c2f0.

* https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19537

In the Linux kernel before 5.2.10, there is a race condition bug that
can be caused by a malicious USB device in the USB character device
driver layer, aka CID-303911cfc5b9. This affects
drivers/usb/core/file.c.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.