Message-ID: <CA+fCnZfrU-AtNGCUGou4_8Xms3yDmytut+AqED7Jhygtvq17eQ@mail.gmail.com>
Date: Tue, 3 Dec 2019 18:00:22 +0100
From: Andrey Konovalov <andreyknvl@...il.com>
To: oss-security@...ts.openwall.com
Subject: Linux kernel: multiple vulnerabilities in the USB subsystem x3

Hi!

More CVEs for bugs in Linux kernel USB drivers that can be triggered by an external malicious USB device. Found with syzkaller [1]. This time no obvious DoSs (see the discussions here [2, 3]): mostly UAFs, some info-leaks.

All of these bugs have been fixed upstream (but many other syzbot USB bugs are still not fixed [4]).

[1] https://github.com/google/syzkaller/blob/master/docs/linux/external_fuzzing_usb.md
[2] https://www.openwall.com/lists/oss-security/2019/08/20/2
[3] https://www.openwall.com/lists/oss-security/2019/10/25/15
[4] https://syzkaller.appspot.com/upstream?manager=ci2-upstream-usb

### CVEs

* https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19523

In the Linux kernel before 5.3.7, there is a use-after-free bug that can be caused by a malicious USB device in the drivers/usb/misc/adutux.c driver, aka CID-44efc269db79.

* https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19524

In the Linux kernel before 5.3.12, there is a use-after-free bug that can be caused by a malicious USB device in the drivers/input/ff-memless.c driver, aka CID-fa3a5a1880c9.

* https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19525

In the Linux kernel before 5.3.6, there is a use-after-free bug that can be caused by a malicious USB device in the drivers/net/ieee802154/atusb.c driver, aka CID-7fd25e6fc035.

* https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19526

In the Linux kernel before 5.3.9, there is a use-after-free bug that can be caused by a malicious USB device in the drivers/nfc/pn533/usb.c driver, aka CID-6af3aa57a098.

* https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19527

In the Linux kernel before 5.2.10, there is a use-after-free bug that can be caused by a malicious USB device in the drivers/hid/usbhid/hiddev.c driver, aka CID-9c09b214f30e.

* https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19528

In the Linux kernel before 5.3.7, there is a use-after-free bug that can be caused by a malicious USB device in the drivers/usb/misc/iowarrior.c driver, aka CID-edc4746f253d.

* https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19529

In the Linux kernel before 5.3.11, there is a use-after-free bug that can be caused by a malicious USB device in the drivers/net/can/usb/mcba_usb.c driver, aka CID-4d6636498c41.

* https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19530

In the Linux kernel before 5.2.10, there is a use-after-free bug that can be caused by a malicious USB device in the drivers/usb/class/cdc-acm.c driver, aka CID-c52873e5a1ef.

* https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19531

In the Linux kernel before 5.2.9, there is a use-after-free bug that can be caused by a malicious USB device in the drivers/usb/misc/yurex.c driver, aka CID-fc05481b2fca.

* https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19532

In the Linux kernel before 5.3.9, there are multiple out-of-bounds write bugs that can be caused by a malicious USB device in the Linux kernel HID drivers, aka CID-d9d4b1e46d95. This affects drivers/hid/hid-axff.c, drivers/hid/hid-dr.c, drivers/hid/hid-emsff.c, drivers/hid/hid-gaff.c, drivers/hid/hid-holtekff.c, drivers/hid/hid-lg2ff.c, drivers/hid/hid-lg3ff.c, drivers/hid/hid-lg4ff.c, drivers/hid/hid-lgff.c, drivers/hid/hid-logitech-hidpp.c, drivers/hid/hid-microsoft.c, drivers/hid/hid-sony.c, drivers/hid/hid-tmff.c, and drivers/hid/hid-zpff.c.

* https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19533

In the Linux kernel before 5.3.4, there is an info-leak bug that can be caused by a malicious USB device in the drivers/media/usb/ttusb-dec/ttusb_dec.c driver, aka CID-a10feaf8c464.

* https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19534

In the Linux kernel before 5.3.11, there is an info-leak bug that can be caused by a malicious USB device in the drivers/net/can/usb/peak_usb/pcan_usb_core.c driver, aka CID-f7a1337f0d29.

* https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19535

In the Linux kernel before 5.2.9, there is an info-leak bug that can be caused by a malicious USB device in the drivers/net/can/usb/peak_usb/pcan_usb_fd.c driver, aka CID-30a8beeb3042.

* https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19536

In the Linux kernel before 5.2.9, there is an info-leak bug that can be caused by a malicious USB device in the drivers/net/can/usb/peak_usb/pcan_usb_pro.c driver, aka CID-ead16e53c2f0.

* https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19537

In the Linux kernel before 5.2.10, there is a race condition bug that can be caused by a malicious USB device in the USB character device driver layer, aka CID-303911cfc5b9. This affects drivers/usb/core/file.c.