Re: Linux kernel: multiple vulnerabilities in the USB subsystem

[Andrey Konovalov <andreyknvl () gmail com>]

On Wed, Nov 8, 2017 at 11:38 AM, Andrey Konovalov <andreyknvl () gmail com> wrote:
> On Mon, Nov 6, 2017 at 2:45 PM, Andrey Konovalov <andreyknvl () gmail com> wrote:
> > Hi!
> >
> > Below are the details for 14 vulnerabilities found with syzkaller in
> > the Linux kernel USB subsystem. All of them can be triggered with a
> > crafted malicious USB device in case an attacker has physical access
> > to the machine.
> >
> > There's quite a lot more similar bugs reported [1] but not yet fixed.
> >
> > [1] https://github.com/google/syzkaller/blob/master/docs/linux/found_bugs_usb.md
> >
> > ### CVEs
> >
> > * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16525
> >
> > The usb_serial_console_disconnect function in
> > drivers/usb/serial/console.c in the Linux kernel before 4.13.8 allows
> > local users to cause a denial of service (use-after-free and system
> > crash) or possibly have unspecified other impact via a crafted USB
> > device, related to disconnection and failed setup.
> >
> > * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16526
> >
> > drivers/uwb/uwbd.c in the Linux kernel before 4.13.6 allows local
> > users to cause a denial of service (general protection fault and
> > system crash) or possibly have unspecified other impact via a crafted
> > USB device.
> >
> > * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16527
> >
> > sound/usb/mixer.c in the Linux kernel before 4.13.8 allows local users
> > to cause a denial of service (snd_usb_mixer_interrupt use-after-free
> > and system crash) or possibly have unspecified other impact via a
> > crafted USB device.
> >
> > * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16528
> >
> > sound/core/seq_device.c in the Linux kernel before 4.13.4 allows local
> > users to cause a denial of service (snd_rawmidi_dev_seq_free
> > use-after-free and system crash) or possibly have unspecified other
> > impact via a crafted USB device.
> >
> > * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16529
> >
> > The snd_usb_create_streams function in sound/usb/card.c in the Linux
> > kernel before 4.13.6 allows local users to cause a denial of service
> > (out-of-bounds read and system crash) or possibly have unspecified
> > other impact via a crafted USB device.
> >
> > * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16530
> >
> > The uas driver in the Linux kernel before 4.13.6 allows local users to
> > cause a denial of service (out-of-bounds read and system crash) or
> > possibly have unspecified other impact via a crafted USB device,
> > related to drivers/usb/storage/uas-detect.h and
> > drivers/usb/storage/uas.c.
> >
> > * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16531
> >
> > drivers/usb/core/config.c in the Linux kernel before 4.13.6 allows
> > local users to cause a denial of service (out-of-bounds read and
> > system crash) or possibly have unspecified other impact via a crafted
> > USB device, related to the USB_DT_INTERFACE_ASSOCIATION descriptor.
> >
> > * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16532
> >
> > The get_endpoints function in drivers/usb/misc/usbtest.c in the Linux
> > kernel through 4.13.11 allows local users to cause a denial of service
> > (NULL pointer dereference and system crash) or possibly have
> > unspecified other impact via a crafted USB device.
> >
> > * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16533
> >
> > The usbhid_parse function in drivers/hid/usbhid/hid-core.c in the
> > Linux kernel before 4.13.8 allows local users to cause a denial of
> > service (out-of-bounds read and system crash) or possibly have
> > unspecified other impact via a crafted USB device.
> >
> > * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16534
> >
> > The cdc_parse_cdc_header function in drivers/usb/core/message.c in the
> > Linux kernel before 4.13.6 allows local users to cause a denial of
> > service (out-of-bounds read and system crash) or possibly have
> > unspecified other impact via a crafted USB device.
> >
> > * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16535
> >
> > The usb_get_bos_descriptor function in drivers/usb/core/config.c in
> > the Linux kernel before 4.13.10 allows local users to cause a denial
> > of service (out-of-bounds read and system crash) or possibly have
> > unspecified other impact via a crafted USB device.
> >
> > * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16536
> >
> > The cx231xx_usb_probe function in
> > drivers/media/usb/cx231xx/cx231xx-cards.c in the Linux kernel through
> > 4.13.11 allows local users to cause a denial of service (NULL pointer
> > dereference and system crash) or possibly have unspecified other
> > impact via a crafted USB device.
> >
> > * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16537
> >
> > The imon_probe function in drivers/media/rc/imon.c in the Linux kernel
> > through 4.13.11 allows local users to cause a denial of service (NULL
> > pointer dereference and system crash) or possibly have unspecified
> > other impact via a crafted USB device.
> >
> > * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16538
> >
> > drivers/media/usb/dvb-usb-v2/lmedm04.c in the Linux kernel through
> > 4.13.11 allows local users to cause a denial of service (general
> > protection fault and system crash) or possibly have unspecified other
> > impact via a crafted USB device, related to a missing warm-start check
> > and incorrect attach timing (dm04_lme2510_frontend_attach versus
> > dm04_lme2510_tuner).
>
> Here's 8 more:
>
> * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16643
>
> The parse_hid_report_descriptor function in
> drivers/input/tablet/gtco.c in the Linux kernel before 4.13.11 allows
> local users to cause a denial of service (out-of-bounds read and
> system crash) or possibly have unspecified other impact via a crafted
> USB device.
>
> * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16644
>
> The hdpvr_probe function in drivers/media/usb/hdpvr/hdpvr-core.c in
> the Linux kernel through 4.13.11 allows local users to cause a denial
> of service (improper error handling and system crash) or possibly have
> unspecified other impact via a crafted USB device.
>
> * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16645
>
> The ims_pcu_get_cdc_union_desc function in
> drivers/input/misc/ims-pcu.c in the Linux kernel through 4.13.11
> allows local users to cause a denial of service
> (ims_pcu_parse_cdc_data out-of-bounds read and system crash) or
> possibly have unspecified other impact via a crafted USB device.
>
> * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16646
>
> drivers/media/usb/dvb-usb/dib0700_devices.c in the Linux kernel
> through 4.13.11 allows local users to cause a denial of service (BUG
> and system crash) or possibly have unspecified other impact via a
> crafted USB device.
>
> * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16647
>
> drivers/net/usb/asix_devices.c in the Linux kernel through 4.13.11
> allows local users to cause a denial of service (NULL pointer
> dereference and system crash) or possibly have unspecified other
> impact via a crafted USB device.
>
> * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16648
>
> The dvb_frontend_free function in
> drivers/media/dvb-core/dvb_frontend.c in the Linux kernel through
> 4.13.11 allows local users to cause a denial of service
> (use-after-free and system crash) or possibly have unspecified other
> impact via a crafted USB device. NOTE: the function was later renamed
> __dvb_frontend_free.
>
> * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16649
>
> The usbnet_generic_cdc_bind function in drivers/net/usb/cdc_ether.c in
> the Linux kernel through 4.13.11 allows local users to cause a denial
> of service (divide-by-zero error and system crash) or possibly have
> unspecified other impact via a crafted USB device.
>
> * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16650
>
> The qmi_wwan_bind function in drivers/net/usb/qmi_wwan.c in the Linux
> kernel through 4.13.11 allows local users to cause a denial of service
> (divide-by-zero error and system crash) or possibly have unspecified
> other impact via a crafted USB device.

Another one.

This one looks more interesting. It's a serious memory corruption, and
since it's in the USB core subsystem, it can't be mitigated by turning
off particular USB drivers.

A malicious USB device can potentially exploit this by controlling the
next heap object after the one where usb_host_config is allocated and
gaining an arbitrary decrement primitive, since kref_put() will be
called with an attacker controlled address.

### CVE

* http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17558

The usb_destroy_configuration function in drivers/usb/core/config.c in
the USB core subsystem in the Linux kernel through 4.14.5 does not
consider the maximum number of configurations and interfaces before
attempting to release resources, which allows local users to cause a
denial of service (out-of-bounds access) or possibly have unspecified
other impact.