On Thu, Jul 28, 2016 at 04:01:53PM -0400, Alan Stern wrote:
> On Thu, 28 Jul 2016, Alan Stern wrote:
>
> > On Thu, 28 Jul 2016, Greg KH wrote:
> >
> > > On Thu, Jul 28, 2016 at 12:23:01PM -0400, roswest wrote:
> > > >
> > > > Alan,
> > > >
> > > > Hi, I am an engineer at Cisco Systems, and this summer we tasked some
> > > > interns with performing USB fuzzing. One of the interns, Jake Lamberson,
> > > > was able to cause a kernel panic when emulating an HID keyboard because
> > > > the OHCI driver fails to reserve bandwidth for the device. Please see
> > > > the attachment for details.
> > > >
> > > > Thank you,
> > > > Rosie Hall
> > >
> > > >
> > > > Headline: Linux Kernel Panic Over USB with HID Keyboard wMaxPacketSize
> > > > Platforms: Ubuntu
> > > > Versions: Linux Kernel 4.4.0-22-generic
> > > > CVSS Score: 4.7
> > > > CVSS Vector: AV:L/AC:M/Au:N/C:N/I:N/A:C
> > > > Filed Defects:
> > > > Related Defects:
> > > > CWE Tags:
> > > > Cycle:
> > > > Found by: Jake Lamberson
> > > >
> > > >
> > > > Linux Kernel panics when using an OHCI controller if a USB device
> > > > reports being a generic HID keyboard and reports a wMaxPacketSize of
> > > > over 4095. The OHCI controller driver fails to reserve bandwidth for
> > > > the device, causing the keyboard handler to fail when attaching to the
> > > > HID. Later, when the device is removed, the system crashes due to a
> > > > null pointer dereference in a linked list of endpoint descriptors. The
> > > > crash can be re-created using a Facedancer and UMAP software. Given an
> > > > appropriately configured Facedancer and UMAP setup, the crash can be
> > > > re-created with:
> > > > sudo board=facedancer21 python3 umap.py -P /dev/serial_device_here -f 03:00:00:E:0046 -l LOG
>
> I forgot to mention that the original NULL-pointer dereference bug
> should already be fixed by commit c66f59ee5050 ("USB: OHCI: Don't mark
> EDs as ED_OPER if scheduling fails"). However, I don't know if this
> commit has been back-ported to the kernel being tested.

I doubt it; it hasn't even hit the "normal" stable kernels yet. I'll go
do that now...

thanks,

greg k-h
--
To unsubscribe from this list: send the line "unsubscribe linux-usb" in
the body of a message to [email protected]
More majordomo info at http://vger.kernel.org/majordomo-info.html
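As an added example, not part of the thread and not kernel code, here is a small Python checker that decodes a USB endpoint descriptor (layout per USB 2.0, section 9.6.6) and flags a wMaxPacketSize that the bus speed cannot carry, which is the kind of descriptor validation a host should apply before reserving bandwidth. The two sample descriptors are constructed, and the value 4096 is an assumption standing in for the "over 4095" case in the report.

```python
"""Decode and sanity-check a USB endpoint descriptor (layout per USB 2.0, section 9.6.6)."""
import struct

# Largest wMaxPacketSize the spec allows for an interrupt endpoint, by bus speed.
INTERRUPT_MAXP_LIMIT = {"low": 8, "full": 64, "high": 1024}
ENDPOINT_DESCRIPTOR_TYPE = 0x05

def parse_endpoint_descriptor(raw):
    """Return the fields of a 7-byte endpoint descriptor as a dict."""
    if len(raw) < 7:
        raise ValueError("endpoint descriptor truncated")
    _length, dtype, addr, attrs, maxp, interval = struct.unpack("<BBBBHB", raw[:7])
    if dtype != ENDPOINT_DESCRIPTOR_TYPE:
        raise ValueError("not an endpoint descriptor")
    return {
        "address": addr,
        "transfer_type": ("control", "isochronous", "bulk", "interrupt")[attrs & 0x03],
        # bits 10..0 hold the packet size; bits 12..11 are extra transactions per
        # microframe, meaningful only at high speed; bits 15..13 are reserved
        "max_packet": maxp & 0x07FF,
        "extra_transactions": (maxp >> 11) & 0x03,
        "raw_wMaxPacketSize": maxp,
        "interval": interval,
    }

def check_endpoint(raw, speed):
    """Return the problems found with the descriptor for a device on a bus of the given speed."""
    ep = parse_endpoint_descriptor(raw)
    problems = []
    if ep["raw_wMaxPacketSize"] & 0xE000:
        problems.append("reserved bits 15..13 of wMaxPacketSize are set")
    if speed != "high" and ep["extra_transactions"]:
        problems.append("bits 12..11 of wMaxPacketSize set on a %s-speed bus" % speed)
    if ep["max_packet"] == 0:
        problems.append("zero max packet size")
    if ep["transfer_type"] == "interrupt" and ep["max_packet"] > INTERRUPT_MAXP_LIMIT[speed]:
        problems.append("interrupt max packet %d exceeds the %s-speed limit of %d"
                        % (ep["max_packet"], speed, INTERRUPT_MAXP_LIMIT[speed]))
    return problems

# Constructed samples: a normal boot-keyboard interrupt IN endpoint (8 bytes, 10 ms poll)...
KEYBOARD_EP = bytes([0x07, 0x05, 0x81, 0x03, 0x08, 0x00, 0x0A])
# ...and the same endpoint claiming wMaxPacketSize 4096 (0x1000), an assumed "over 4095" value
OVERSIZED_EP = bytes([0x07, 0x05, 0x81, 0x03, 0x00, 0x10, 0x0A])

if __name__ == "__main__":
    for name, ep in (("keyboard", KEYBOARD_EP), ("oversized", OVERSIZED_EP)):
        print(name, check_endpoint(ep, "full") or "ok")
```

Note that once the 11-bit size field is masked, the oversized descriptor decodes to a zero-length packet with two "additional transactions" that a full-speed OHCI bus cannot schedule, which is why a host must reject it rather than carry on as if the endpoint were usable.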