Dmitry,

Hi, I am an engineer at Cisco Systems, and this summer we tasked some interns with performing USB fuzzing. One of the interns, Anirudh Bagde, was able to crash the USB stack due to an error in the iforce module and discovered a buffer over-read in the usbtouchscreen module. Please see the attachment for details.

Thank you,
Rosie Hall
================================================================================
New Issues
================================================================================

Headline: Buffer over-read in usbtouchscreen module
Platforms: Ubuntu
Versions: 16.04 LTS (Kernel 4.4.0)
CVSS Score: 0.0
CVSS Vector: AV:L/AC:M/Au:N/C:N/I:N/A:N
Filed Defects:
Related Defects:
CWE Tags:
Cycle:
Found by: Anirudh Bagde

The usbtouchscreen module can be made to read past the end of an array by placing large numbers in a data packet. This happens in the nexio_read_data function, which is called when a data packet is sent by a Nexio iNexio touchscreen device. The packet contains 16-bit integers giving the length of an array inside the packet, and the function iterates through the buffer using that length without checking it against the number of bytes actually received. The over-read has little impact: the bytes read past the end are only used in a few conditionals. The buffer is only read, not written, so the system generally should not crash, and no data from the over-read is sent back to the device, so there is no data leakage either.

--------------------------------------------------------------------------------

Headline: Crash USB stack with null pointer dereference in iforce module
Platforms: Ubuntu
Versions: 16.04 LTS (Kernel 4.4.0)
CVSS Score: 1.9
CVSS Vector: AV:L/AC:M/Au:N/C:N/I:N/A:P
Filed Defects:
Related Defects:
CWE Tags:
Cycle:
Found by: Anirudh Bagde

The iforce Linux kernel module assumes that a USB device matching the driver's VID/PID has at least two endpoints. If the device has fewer than two endpoints, the module dereferences a null pointer. This usually crashes the entire system, though occasionally it crashes only the USB stack, leaving the rest of the system functional. If only the USB stack crashes, newly connected devices are not detected and any user programs that interact with the USB stack (such as lsusb) hang permanently.
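Both reports above describe the same mistake: a number supplied by the device (the endpoint count in its descriptor, the array lengths inside a touch packet) is used as an array index or loop bound without being checked against what was actually received. The following C program is an added example written for this page, not code from the kernel, from the iforce or usbtouchscreen drivers, or from the report. The struct layouts, the packet format (one flag byte, two big-endian 16-bit lengths, then the data bytes), the 0x10 "pressed" threshold, and every sample packet and descriptor are assumptions constructed for illustration. It shows the trusting packet loop with its out-of-bounds reads counted instead of dereferenced, beside a validated parser, and a probe routine that checks the endpoint count and picks endpoints by type rather than by position.

```c
/* Added example, not kernel code: the two device-supplied numbers from the
 * reports above, each in the trusting form and the validated form. Struct
 * layouts, the packet format and all sample data are assumed/constructed. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define ERR_NODEV    19     /* stand-in for the kernel's ENODEV */
#define USB_DIR_IN   0x80   /* bit 7 of bEndpointAddress */
#define USB_XFER_INT 0x03   /* low two bits of bmAttributes */

/* ---- Part 1: endpoint count at probe time (iforce-style) ---- */
struct ep_desc { uint8_t bEndpointAddress; uint8_t bmAttributes; };
struct iface   { uint8_t bNumEndpoints; const struct ep_desc *endpoint; };
/* endpoint[] has bNumEndpoints entries and is NULL when the device has none.
 * The trusting form is "&intf->endpoint[1]" with no count check: a NULL
 * dereference for zero endpoints, an out-of-bounds read for one. */

/* Validated form: check the count, then find the interrupt IN and OUT
 * endpoints by type and direction rather than assuming their positions. */
int find_int_endpoints(const struct iface *intf, int *in_idx, int *out_idx)
{
    int i;
    *in_idx = *out_idx = -1;
    if (intf->bNumEndpoints < 2 || intf->endpoint == NULL)
        return -ERR_NODEV;
    for (i = 0; i < intf->bNumEndpoints; i++) {
        const struct ep_desc *ep = &intf->endpoint[i];
        if ((ep->bmAttributes & 0x03) != USB_XFER_INT)
            continue;
        if ((ep->bEndpointAddress & USB_DIR_IN) && *in_idx < 0)
            *in_idx = i;
        else if (!(ep->bEndpointAddress & USB_DIR_IN) && *out_idx < 0)
            *out_idx = i;
    }
    return (*in_idx >= 0 && *out_idx >= 0) ? 0 : -ERR_NODEV;
}

/* ---- Part 2: array lengths inside a touch packet (usbtouchscreen-style) ---- */
/* Assumed layout: flags(1) | x_len(2, big-endian) | y_len(2) | x data | y data */
#define TP_HDR 5
#define PRESS_THRESHOLD 0x10   /* arbitrary: a sample above this counts as pressed */

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Instrumented reader: accesses beyond the transferred length are counted
 * instead of dereferenced, so the over-read can be measured without UB. */
struct rd { const uint8_t *buf; size_t len; size_t oob; };
static uint8_t rd_byte(struct rd *r, size_t i)
{
    if (i >= r->len) { r->oob++; return 0; }
    return r->buf[i];
}

/* Trusting form, as the report describes: loop bounds come straight from the
 * packet. Returns how many reads landed outside the bytes received. */
size_t nexio_style_unchecked(const uint8_t *pkt, size_t len, unsigned *pressed)
{
    struct rd r = { pkt, len, 0 };
    uint16_t x_len = (uint16_t)((rd_byte(&r, 1) << 8) | rd_byte(&r, 2));
    uint16_t y_len = (uint16_t)((rd_byte(&r, 3) << 8) | rd_byte(&r, 4));
    size_t i, off = TP_HDR;
    *pressed = 0;
    for (i = 0; i < x_len; i++)
        if (rd_byte(&r, off + i) > PRESS_THRESHOLD) (*pressed)++;
    off += x_len;
    for (i = 0; i < y_len; i++)
        if (rd_byte(&r, off + i) > PRESS_THRESHOLD) (*pressed)++;
    return r.oob;
}

/* Validated form: the declared arrays must fit in the bytes actually received
 * (urb->actual_length in a real driver). The sum is done in size_t so
 * x_len + y_len cannot wrap at 16 bits. Returns 0, or -1 if rejected. */
int nexio_style_checked(const uint8_t *pkt, size_t len, unsigned *pressed)
{
    size_t i, x_len, y_len;
    *pressed = 0;
    if (len < TP_HDR)
        return -1;
    x_len = be16(pkt + 1);
    y_len = be16(pkt + 3);
    if (x_len + y_len > len - TP_HDR)
        return -1;
    for (i = 0; i < x_len + y_len; i++)
        if (pkt[TP_HDR + i] > PRESS_THRESHOLD) (*pressed)++;
    return 0;
}

/* Constructed sample data (not captured from real hardware). */
static const struct ep_desc eps_swapped[] = { {0x02, 0x03}, {0x81, 0x03} };
const struct iface iface_one_ep  = { 1, eps_swapped };  /* only one endpoint */
const struct iface iface_swapped = { 2, eps_swapped };  /* OUT first, IN second */
const struct iface iface_none    = { 0, NULL };
/* x_len = 0x0300 (768) but only 4 data bytes follow the header */
const uint8_t pkt_bad[]  = { 0xe1, 0x03, 0x00, 0x00, 0x02, 0x40, 0x00, 0x00, 0x00 };
/* x_len = 3, y_len = 2, exactly 5 data bytes */
const uint8_t pkt_good[] = { 0xe1, 0x00, 0x03, 0x00, 0x02, 0x40, 0x00, 0x20, 0x00, 0x15 };
/* x_len + y_len = 0x10000: a uint16_t sum would wrap to 0 and pass a naive check */
const uint8_t pkt_wrap[] = { 0xe1, 0xff, 0xff, 0x00, 0x01, 0x00 };

int main(void)
{
    unsigned pressed; int in, out;
    printf("bad packet: %zu out-of-bounds reads unchecked, checked=%d\n",
           nexio_style_unchecked(pkt_bad, sizeof pkt_bad, &pressed),
           nexio_style_checked(pkt_bad, sizeof pkt_bad, &pressed));
    printf("single-endpoint device: probe=%d\n",
           find_int_endpoints(&iface_one_ep, &in, &out));
    return 0;
}
```

Build with `cc -Wall -o usbcheck usbcheck.c`. For the bad packet the unchecked loop performs 766 reads beyond the 9 bytes received (764 for the X array, 2 for the Y array), which is the over-read the first report describes; the validated parser rejects that packet outright, and also rejects the wrap packet, because the length sum is taken in size_t rather than in the packet's own 16-bit width. The probe routine returns -ENODEV for zero or one endpoints and still works when a device lists its OUT endpoint before its IN endpoint, which a fixed endpoint[0]/endpoint[1] assumption would get wrong.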