oss-sec mailing list archives

Linux kernel: multiple vulnerabilities in the USB subsystem


From: Andrey Konovalov <andreyknvl () gmail com>
Date: Mon, 6 Nov 2017 14:45:01 +0100

Hi!

Below are the details for 14 vulnerabilities found with syzkaller in
the Linux kernel USB subsystem. All of them can be triggered with a
crafted malicious USB device in case an attacker has physical access
to the machine.

There are quite a lot more similar bugs reported [1] but not yet fixed.

[1] https://github.com/google/syzkaller/blob/master/docs/linux/found_bugs_usb.md

### CVEs

* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16525

The usb_serial_console_disconnect function in
drivers/usb/serial/console.c in the Linux kernel before 4.13.8 allows
local users to cause a denial of service (use-after-free and system
crash) or possibly have unspecified other impact via a crafted USB
device, related to disconnection and failed setup.

* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16526

drivers/uwb/uwbd.c in the Linux kernel before 4.13.6 allows local
users to cause a denial of service (general protection fault and
system crash) or possibly have unspecified other impact via a crafted
USB device.

* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16527

sound/usb/mixer.c in the Linux kernel before 4.13.8 allows local users
to cause a denial of service (snd_usb_mixer_interrupt use-after-free
and system crash) or possibly have unspecified other impact via a
crafted USB device.

* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16528

sound/core/seq_device.c in the Linux kernel before 4.13.4 allows local
users to cause a denial of service (snd_rawmidi_dev_seq_free
use-after-free and system crash) or possibly have unspecified other
impact via a crafted USB device.

* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16529

The snd_usb_create_streams function in sound/usb/card.c in the Linux
kernel before 4.13.6 allows local users to cause a denial of service
(out-of-bounds read and system crash) or possibly have unspecified
other impact via a crafted USB device.

* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16530

The uas driver in the Linux kernel before 4.13.6 allows local users to
cause a denial of service (out-of-bounds read and system crash) or
possibly have unspecified other impact via a crafted USB device,
related to drivers/usb/storage/uas-detect.h and
drivers/usb/storage/uas.c.

* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16531

drivers/usb/core/config.c in the Linux kernel before 4.13.6 allows
local users to cause a denial of service (out-of-bounds read and
system crash) or possibly have unspecified other impact via a crafted
USB device, related to the USB_DT_INTERFACE_ASSOCIATION descriptor.

* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16532

The get_endpoints function in drivers/usb/misc/usbtest.c in the Linux
kernel through 4.13.11 allows local users to cause a denial of service
(NULL pointer dereference and system crash) or possibly have
unspecified other impact via a crafted USB device.

* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16533

The usbhid_parse function in drivers/hid/usbhid/hid-core.c in the
Linux kernel before 4.13.8 allows local users to cause a denial of
service (out-of-bounds read and system crash) or possibly have
unspecified other impact via a crafted USB device.

* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16534

The cdc_parse_cdc_header function in drivers/usb/core/message.c in the
Linux kernel before 4.13.6 allows local users to cause a denial of
service (out-of-bounds read and system crash) or possibly have
unspecified other impact via a crafted USB device.

* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16535

The usb_get_bos_descriptor function in drivers/usb/core/config.c in
the Linux kernel before 4.13.10 allows local users to cause a denial
of service (out-of-bounds read and system crash) or possibly have
unspecified other impact via a crafted USB device.

* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16536

The cx231xx_usb_probe function in
drivers/media/usb/cx231xx/cx231xx-cards.c in the Linux kernel through
4.13.11 allows local users to cause a denial of service (NULL pointer
dereference and system crash) or possibly have unspecified other
impact via a crafted USB device.

* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16537

The imon_probe function in drivers/media/rc/imon.c in the Linux kernel
through 4.13.11 allows local users to cause a denial of service (NULL
pointer dereference and system crash) or possibly have unspecified
other impact via a crafted USB device.

* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16538

drivers/media/usb/dvb-usb-v2/lmedm04.c in the Linux kernel through
4.13.11 allows local users to cause a denial of service (general
protection fault and system crash) or possibly have unspecified other
impact via a crafted USB device, related to a missing warm-start check
and incorrect attach timing (dm04_lme2510_frontend_attach versus
dm04_lme2510_tuner).
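
Several of the entries above are out-of-bounds reads that occur while parsing descriptors supplied by the device. The following is an added illustration, not kernel code and not part of the original post, of a descriptor walk that checks each bLength against the two-byte header, the remaining buffer, and the minimum size for its type before any field is read. The helper name, the macro names and the sample bytes are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define DT_IAD      0x0b /* value of USB_DT_INTERFACE_ASSOCIATION */
#define DT_IAD_SIZE 8    /* full size of that descriptor */

/* Constructed sample blobs: a 9-byte configuration header, then one IAD. */
const uint8_t good[] = { 9, 0x02, 17, 0, 1, 1, 0, 0x80, 50,
                         8, DT_IAD, 0, 2, 1, 0, 0, 0 };
const uint8_t short_iad[] = { 9, 0x02, 12, 0, 1, 1, 0, 0x80, 50,
                              3, DT_IAD, 0 };        /* bLength 3 < 8 */
const uint8_t overrun[] = { 9, 0x02, 13, 0, 1, 1, 0, 0x80, 50,
                            8, DT_IAD, 0, 2 };       /* claims 8, 4 left */

/* Hypothetical helper: count IADs that are safe to read field by field.
 * Returns -1 for a structurally malformed blob; *skipped counts IADs
 * ignored because bLength is below the descriptor's real size. */
int count_valid_iads(const uint8_t *buf, size_t len, int *skipped)
{
    size_t off = 0;
    int valid = 0;

    *skipped = 0;
    while (off < len) {
        size_t left = len - off;
        if (left < 2)
            return -1;              /* no room for bLength + bDescriptorType */
        uint8_t blen = buf[off], btype = buf[off + 1];
        if (blen < 2 || blen > left)
            return -1;              /* would loop forever or run past the blob */
        if (btype == DT_IAD) {
            if (blen < DT_IAD_SIZE)
                (*skipped)++;       /* type says IAD, length is too small */
            else
                valid++;            /* all 8 bytes lie inside the buffer */
        }
        off += blen;
    }
    return valid;
}

int main(void)
{
    int skipped, n = count_valid_iads(short_iad, sizeof(short_iad), &skipped);
    printf("valid=%d skipped=%d\n", n, skipped);
    return 0;
}
```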

