oss-sec mailing list archives
CVE request -- linux kernel: visor: crash on invalid USB device descriptors in treo_attach() in visor driver
From: Vladis Dronov <vdronov () redhat com>
Date: Sun, 28 Feb 2016 12:24:58 -0500 (EST)
Hello, If possible, we would like to obtain a CVE-ID for the following issue. Let me please, note, that this flaw is very similar to already existing CVE-2015-7566 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7566). This is the same type of a flaw, which just exists in the different function treo_attach() (instead of clie_5_attach()), so probably we can use the same CVE-2015-7566 for this. Description: A local kernel crash on invalid USB device requiring the visor driver was reported. The treo_attach() function of the [visor] driver, which is called during the driver initialization process, was dereferencing the bulk-in and interrupt-in urbs without first making sure they had been allocated by the core. Due to an incomplete sanity check, the visor driver tries to dereference null-pointers, which results in crash. References: Red Hat public Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1312670 An upstream patch: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=cb3232138e37129e88240a98a1d2aba2187ff57c Best regards, Vladis Dronov | Red Hat, Inc. | Product Security Engineer
Current thread:
- CVE request -- linux kernel: visor: crash on invalid USB device descriptors in treo_attach() in visor driver Vladis Dronov (Feb 28)