Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20160818142216.GH2701@suse.de>
Date: Thu, 18 Aug 2016 16:22:16 +0200
From: Marcus Meissner <meissner@...e.de>
To: OSS Security List <oss-security@...ts.openwall.com>,
	cve-assign@...re.org
Cc: security@...nel.org
Subject: CVE Request: Linux kernel crash of OHCI when plugging in malicious
 USB devices

Hi,

I think this does not have a CVE yet, please assign.

https://www.spinics.net/lists/linux-usb/msg144177.html

Headline:         Linux Kernel Panic Over USB with HID Keyboard wMaxPacketSize
Platforms:        Ubuntu
Versions:         Linux Kernel 4.4.0-22-generic
CVSS Score:       4.7
CVSS Vector:      AV:L/AC:M/Au:N/C:N/I:N/A:C
Filed Defects:    
Related Defects:  
CWE Tags:         
Cycle:            
Found by:         Jake Lamberson


Linux Kernel panics when using an OHCI controller if a USB device reports being 
a generic HID keyboard and reports a wMaxPacketSize of over 4095. The OHCI
controller driver fails to reserve bandwidth for the device, causing the 
keyboard handler to fail when attaching to the HID. Later, when the device is 
removed, the system crashes due to a null pointer dereference in a linked list 
of endpoint descriptors. The crash can be re-created using a Facedancer and UMAP 
software. Given an appropriately configured Facedancer and UMAP setup, the crash 
can be re-created with: 
sudo board=facedancer21 python3 umap.py -P /dev/serial_device_here -f 03:00:00:E:0046 -l LOG

Note: OHCI is a USB 1.1 controller standard that can be included with devices
that support either USB 1.1 or 2.0 as their highest USB spec. USB 3.0 devices
all use xHCI, which implements USB 1.1, 2.0, and 3.0, making them immune to
this particular bug.

-----------------

The proposed fixing patch is here:
https://www.spinics.net/lists/linux-usb/msg144269.html


It has not yet been committed to the USB tree or to Linus Tree as far as I see.

Ciao, Marcus

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.