Re: USB vulnerability

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Thu, 28 Jul 2016, Alan Stern wrote:

> On Thu, 28 Jul 2016, Greg KH wrote:
> 
> > On Thu, Jul 28, 2016 at 12:23:01PM -0400, roswest wrote:
> > > 
> > > Alan,
> > > 
> > > Hi, I am an engineer at Cisco Systems, and this summer we tasked some
> > > interns with performing USB fuzzing. One of the interns, Jake Lamberson,
> > > was able to cause a kernel panic when emulating an HID keyboard because
> > > the OHCI driver fails to reserve bandwidth for the device.  Please see
> > > the attachment for details.
> > > 
> > > Thank you,
> > > Rosie Hall
> > 
> > > 
> > > Headline:         Linux Kernel Panic Over USB with HID Keyboard wMaxPacketSize
> > > Platforms:        Ubuntu
> > > Versions:         Linux Kernel 4.4.0-22-generic
> > > CVSS Score:       4.7
> > > CVSS Vector:      AV:L/AC:M/Au:N/C:N/I:N/A:C
> > > Filed Defects:    
> > > Related Defects:  
> > > CWE Tags:         
> > > Cycle:            
> > > Found by:         Jake Lamberson
> > > 
> > > 
> > > Linux Kernel panics when using an OHCI controller if a USB device reports being 
> > > a generic HID keyboard and reports a wMaxPacketSize of over 4095. The OHCI
> > > controller driver fails to reserve bandwidth for the device, causing the 
> > > keyboard handler to fail when attaching to the HID. Later, when the device is 
> > > removed, the system crashes due to a null pointer dereference in a linked list 
> > > of endpoint descriptors. The crash can be re-created using a Facedancer and UMAP 
> > > software. Given an appropriately configured Facedancer and UMAP setup, the crash 
> > > can be re-created with: 
> > > sudo board=facedancer21 python3 umap.py -P /dev/serial_device_here -f 03:00:00:E:0046 -l LOG

I forgot to mention that the original NULL-pointer dereference bug
should already be fixed by commit c66f59ee5050 ("USB: OHCI: Don't mark
EDs as ED_OPER if scheduling fails").  However I don't know if this
commit has been back-ported to the kernel being tested.

Alan Stern

--
To unsubscribe from this list: send the line "unsubscribe linux-usb" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html



[Index of Archives]     [Linux Media]     [Linux Input]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]     [Old Linux USB Devel Archive]

  Powered by Linux