Re: USB vulnerability

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Greg,

Oops message attached.

Rosie Hall

On Thu Jul 28 2016 12:45:06 GMT-0400 (EDT), Greg KH wrote:
> On Thu, Jul 28, 2016 at 12:23:01PM -0400, roswest wrote:
>>
>> Alan,
>>
>> Hi, I am an engineer at Cisco Systems, and this summer we tasked some
>> interns with performing USB fuzzing. One of the interns, Jake Lamberson,
>> was able to cause a kernel panic when emulating an HID keyboard because
>> the OHCI driver fails to reserve bandwidth for the device.  Please see
>> the attachment for details.
>>
>> Thank you,
>> Rosie Hall
> 
>>
>> Headline:         Linux Kernel Panic Over USB with HID Keyboard wMaxPacketSize
>> Platforms:        Ubuntu
>> Versions:         Linux Kernel 4.4.0-22-generic
>> CVSS Score:       4.7
>> CVSS Vector:      AV:L/AC:M/Au:N/C:N/I:N/A:C
>> Filed Defects:    
>> Related Defects:  
>> CWE Tags:         
>> Cycle:            
>> Found by:         Jake Lamberson
>>
>>
>> Linux Kernel panics when using an OHCI controller if a USB device reports being 
>> a generic HID keyboard and reports a wMaxPacketSize of over 4095. The OHCI
>> controller driver fails to reserve bandwidth for the device, causing the 
>> keyboard handler to fail when attaching to the HID. Later, when the device is 
>> removed, the system crashes due to a null pointer dereference in a linked list 
>> of endpoint descriptors. The crash can be re-created using a Facedancer and UMAP 
>> software. Given an appropriately configured Facedancer and UMAP setup, the crash 
>> can be re-created with: 
>> sudo board=facedancer21 python3 umap.py -P /dev/serial_device_here -f 03:00:00:E:0046 -l LOG
>>
>> Note: OHCI is a USB 1.1 controller standard that can be included with devices
>> that support either USB 1.1 or 2.0 as their highest USB spec. USB 3.0 devices
>> all use xHCI, which implements USB 1.1, 2.0, and 3.0, making them immune to
>> this particular bug.
> 
> Do you happen to have a copy of the oops message from the crash to help
> let us know where we should be fixing this?  Odds are we should just be
> catching this in the USB core and not be relying on the host controller
> to get it right.
> 
> thanks,
> 
> greg k-h
>

Attachment: oops_info.tar.gz
Description: GNU Zip compressed data

Attachment: signature.asc
Description: OpenPGP digital signature

[Index of Archives]     [Linux Media]     [Linux Input]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]     [Old Linux USB Devel Archive]

  Powered by Linux