Security: CVE-2017-17558 - OOB write in kernel USB core
Issue description

Per http://openwall.com/lists/oss-security/2017/12/12/7:

The usb_destroy_configuration function in drivers/usb/core/config.c in the USB core subsystem in the Linux kernel through 4.14.5 does not consider the maximum number of configurations and interfaces before attempting to release resources, which allows local users to cause a denial of service (out-of-bounds write access) or possibly have unspecified other impact via a crafted USB device.

This potentially allows malicious USB devices to gain kernel code execution. Setting high severity. We should probably try and get this into the next stable refresh.

Patch is being discussed on linux-usb here: https://www.spinics.net/lists/linux-usb/msg163644.html
,
Dec 13 2017
Upstream discussion about a valid fix is still ongoing. We need to wait for the final fix.
,
Dec 13 2017
Reference to upstream discussion: https://www.spinics.net/lists/linux-usb/msg163644.html
,
Dec 15 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/kernel/+/8572721c734def505d6fc812d8cf0edc696f9c42

commit 8572721c734def505d6fc812d8cf0edc696f9c42
Author: Alan Stern <stern@rowland.harvard.edu>
Date: Fri Dec 15 07:57:37 2017

FROMGIT: USB: core: prevent malicious bNumInterfaces overflow

A malicious USB device with crafted descriptors can cause the kernel to access unallocated memory by setting the bNumInterfaces value too high in a configuration descriptor. Although the value is adjusted during parsing, this adjustment is skipped in one of the error return paths.

This patch prevents the problem by setting bNumInterfaces to 0 initially. The existing code already sets it to the proper value after parsing is complete.

BUG= chromium:794504
TEST=Build and run

Change-Id: I69947788ea8c66a150a477abd4924711c56bfcd9
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Reported-by: Andrey Konovalov <andreyknvl@google.com>
CC: <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit 48a4ff1c7bb5a32d2e396b03132d20d552c0eca7
 https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git/)
Reviewed-on: https://chromium-review.googlesource.com/827639
Commit-Ready: ChromeOS CL Exonerator Bot <chromiumos-cl-exonerator@appspot.gserviceaccount.com>

[modify] https://crrev.com/8572721c734def505d6fc812d8cf0edc696f9c42/drivers/usb/core/config.c
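A simplified user-space model of the error path the commit message above describes, added here as an illustration; it is not the kernel patch or Chromium OS code. `toy_config`, `parse_config`, `cleanup_overrun`, `MAX_INTF` and both descriptors are constructed for this example, and the validation rules are the model's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_INTF   32   /* slots in this model's interface cache (assumed) */
#define DT_CONFIG  0x02 /* USB configuration descriptor type */
#define DT_CFG_LEN 9    /* size of a configuration descriptor header */

struct toy_config {               /* hypothetical stand-in, not a kernel struct */
    uint8_t bNumInterfaces;       /* also bounds the cleanup loop */
    void   *intf_cache[MAX_INTF];
};

/* Constructed descriptors: byte 1 is bDescriptorType, byte 4 bNumInterfaces. */
static const uint8_t BAD_DESC[]  = {9, 0x04, 9, 0, 0xFF, 1, 0, 0x80, 50};
static const uint8_t GOOD_DESC[] = {9, 0x02, 9, 0, 40,   1, 0, 0x80, 50};

/* hardened != 0 applies the fix from the commit message: zero the count
 * right after copying the header, before any error return can be taken. */
static int parse_config(struct toy_config *cfg, const uint8_t *buf,
                        size_t len, int hardened)
{
    memset(cfg, 0, sizeof(*cfg));
    if (len < DT_CFG_LEN)
        return -1;
    uint8_t claimed = buf[4];
    cfg->bNumInterfaces = claimed;          /* device-controlled value */
    if (hardened)
        cfg->bNumInterfaces = 0;
    if (buf[1] != DT_CONFIG || buf[0] < DT_CFG_LEN || buf[0] > len)
        return -1;                          /* early return skips the clamp */
    if (claimed > MAX_INTF)
        claimed = MAX_INTF;                 /* adjustment done during parsing */
    cfg->bNumInterfaces = claimed;
    return 0;
}

/* Slots past intf_cache that a cleanup loop bounded only by
 * bNumInterfaces would touch; 0 means cleanup stays in bounds. */
static size_t cleanup_overrun(const struct toy_config *cfg)
{
    return cfg->bNumInterfaces > MAX_INTF
               ? (size_t)cfg->bNumInterfaces - MAX_INTF : 0;
}

int main(void)
{
    struct toy_config cfg;
    parse_config(&cfg, BAD_DESC, sizeof(BAD_DESC), 0);
    printf("unpatched: %zu slots out of bounds\n", cleanup_overrun(&cfg));
    parse_config(&cfg, BAD_DESC, sizeof(BAD_DESC), 1);
    printf("patched:   %zu slots out of bounds\n", cleanup_overrun(&cfg));
    return 0;
}
```

The model only computes how far a count-bounded cleanup loop would run past the array, so it never performs the out-of-bounds access itself.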
,
Dec 15 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/kernel/+/e2830290afaa305421fc18147d0c9e35697db539

commit e2830290afaa305421fc18147d0c9e35697db539
Author: Alan Stern <stern@rowland.harvard.edu>
Date: Fri Dec 15 07:57:40 2017

FROMGIT: USB: core: prevent malicious bNumInterfaces overflow

A malicious USB device with crafted descriptors can cause the kernel to access unallocated memory by setting the bNumInterfaces value too high in a configuration descriptor. Although the value is adjusted during parsing, this adjustment is skipped in one of the error return paths.

This patch prevents the problem by setting bNumInterfaces to 0 initially. The existing code already sets it to the proper value after parsing is complete.

BUG= chromium:794504
TEST=Build and run

Change-Id: I69947788ea8c66a150a477abd4924711c56bfcd9
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Reported-by: Andrey Konovalov <andreyknvl@google.com>
CC: <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit 48a4ff1c7bb5a32d2e396b03132d20d552c0eca7
 https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git/)
Reviewed-on: https://chromium-review.googlesource.com/827637
Commit-Ready: ChromeOS CL Exonerator Bot <chromiumos-cl-exonerator@appspot.gserviceaccount.com>

[modify] https://crrev.com/e2830290afaa305421fc18147d0c9e35697db539/drivers/usb/core/config.c
,
Dec 15 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/kernel/+/480404f25bf1d7ea8210328d6c429a05406de102

commit 480404f25bf1d7ea8210328d6c429a05406de102
Author: Alan Stern <stern@rowland.harvard.edu>
Date: Fri Dec 15 07:57:31 2017

FROMGIT: USB: core: prevent malicious bNumInterfaces overflow

A malicious USB device with crafted descriptors can cause the kernel to access unallocated memory by setting the bNumInterfaces value too high in a configuration descriptor. Although the value is adjusted during parsing, this adjustment is skipped in one of the error return paths.

This patch prevents the problem by setting bNumInterfaces to 0 initially. The existing code already sets it to the proper value after parsing is complete.

BUG= chromium:794504
TEST=Build and run

Change-Id: I69947788ea8c66a150a477abd4924711c56bfcd9
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Reported-by: Andrey Konovalov <andreyknvl@google.com>
CC: <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit 48a4ff1c7bb5a32d2e396b03132d20d552c0eca7
 https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git/)
Reviewed-on: https://chromium-review.googlesource.com/827638
Commit-Ready: ChromeOS CL Exonerator Bot <chromiumos-cl-exonerator@appspot.gserviceaccount.com>

[modify] https://crrev.com/480404f25bf1d7ea8210328d6c429a05406de102/drivers/usb/core/config.c
,
Dec 15 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/kernel/+/c38bcfffaebd082bf29fd7448a73fad4f4109628

commit c38bcfffaebd082bf29fd7448a73fad4f4109628
Author: Alan Stern <stern@rowland.harvard.edu>
Date: Fri Dec 15 07:57:33 2017

FROMGIT: USB: core: prevent malicious bNumInterfaces overflow

A malicious USB device with crafted descriptors can cause the kernel to access unallocated memory by setting the bNumInterfaces value too high in a configuration descriptor. Although the value is adjusted during parsing, this adjustment is skipped in one of the error return paths.

This patch prevents the problem by setting bNumInterfaces to 0 initially. The existing code already sets it to the proper value after parsing is complete.

BUG= chromium:794504
TEST=Build and run

Change-Id: I69947788ea8c66a150a477abd4924711c56bfcd9
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Reported-by: Andrey Konovalov <andreyknvl@google.com>
CC: <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit 48a4ff1c7bb5a32d2e396b03132d20d552c0eca7
 https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git/)
Reviewed-on: https://chromium-review.googlesource.com/827636
Commit-Ready: ChromeOS CL Exonerator Bot <chromiumos-cl-exonerator@appspot.gserviceaccount.com>

[modify] https://crrev.com/c38bcfffaebd082bf29fd7448a73fad4f4109628/drivers/usb/core/config.c
,
Dec 15 2017
This bug requires manual review: M64 has already been promoted to the beta branch, so this requires manual review

Please contact the milestone owner if you have questions.
Owners: cmasso@(Android), cmasso@(iOS), kbleicher@(ChromeOS), abdulsyed@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Dec 15 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/kernel/+/a504752f703abc416349a7f543dd47df259b6610

commit a504752f703abc416349a7f543dd47df259b6610
Author: Alan Stern <stern@rowland.harvard.edu>
Date: Fri Dec 15 18:10:48 2017

FROMGIT: USB: core: prevent malicious bNumInterfaces overflow

A malicious USB device with crafted descriptors can cause the kernel to access unallocated memory by setting the bNumInterfaces value too high in a configuration descriptor. Although the value is adjusted during parsing, this adjustment is skipped in one of the error return paths.

This patch prevents the problem by setting bNumInterfaces to 0 initially. The existing code already sets it to the proper value after parsing is complete.

BUG= chromium:794504
TEST=Build and run

Change-Id: I69947788ea8c66a150a477abd4924711c56bfcd9
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Reported-by: Andrey Konovalov <andreyknvl@google.com>
CC: <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit 48a4ff1c7bb5a32d2e396b03132d20d552c0eca7
 https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git/)
Reviewed-on: https://chromium-review.googlesource.com/828060
Reviewed-by: Dylan Reid <dgreid@chromium.org>

[modify] https://crrev.com/a504752f703abc416349a7f543dd47df259b6610/drivers/usb/core/config.c
,
Dec 20 2017
Approving merge to M64 Chrome OS.
,
Dec 20 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/kernel/+/b9e23f074ddda3436949804101c57df5f6a79f82

commit b9e23f074ddda3436949804101c57df5f6a79f82
Author: Alan Stern <stern@rowland.harvard.edu>
Date: Wed Dec 20 23:20:21 2017

FROMGIT: USB: core: prevent malicious bNumInterfaces overflow

A malicious USB device with crafted descriptors can cause the kernel to access unallocated memory by setting the bNumInterfaces value too high in a configuration descriptor. Although the value is adjusted during parsing, this adjustment is skipped in one of the error return paths.

This patch prevents the problem by setting bNumInterfaces to 0 initially. The existing code already sets it to the proper value after parsing is complete.

BUG= chromium:794504
TEST=Build and run

Change-Id: I69947788ea8c66a150a477abd4924711c56bfcd9
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Reported-by: Andrey Konovalov <andreyknvl@google.com>
CC: <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit 48a4ff1c7bb5a32d2e396b03132d20d552c0eca7
 https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git/)
Reviewed-on: https://chromium-review.googlesource.com/827932

[modify] https://crrev.com/b9e23f074ddda3436949804101c57df5f6a79f82/drivers/usb/core/config.c
,
Dec 20 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/kernel/+/be6533588519718c6412c7d5842260b21727d6c0

commit be6533588519718c6412c7d5842260b21727d6c0
Author: Alan Stern <stern@rowland.harvard.edu>
Date: Wed Dec 20 23:20:28 2017

FROMGIT: USB: core: prevent malicious bNumInterfaces overflow

A malicious USB device with crafted descriptors can cause the kernel to access unallocated memory by setting the bNumInterfaces value too high in a configuration descriptor. Although the value is adjusted during parsing, this adjustment is skipped in one of the error return paths.

This patch prevents the problem by setting bNumInterfaces to 0 initially. The existing code already sets it to the proper value after parsing is complete.

BUG= chromium:794504
TEST=Build and run

Change-Id: I69947788ea8c66a150a477abd4924711c56bfcd9
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Reported-by: Andrey Konovalov <andreyknvl@google.com>
CC: <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit 48a4ff1c7bb5a32d2e396b03132d20d552c0eca7
 https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git/)
Reviewed-on: https://chromium-review.googlesource.com/827936

[modify] https://crrev.com/be6533588519718c6412c7d5842260b21727d6c0/drivers/usb/core/config.c
,
Dec 20 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/kernel/+/093d83efaa861529c898784875fcde31b24f6a5a

commit 093d83efaa861529c898784875fcde31b24f6a5a
Author: Alan Stern <stern@rowland.harvard.edu>
Date: Wed Dec 20 23:20:35 2017

FROMGIT: USB: core: prevent malicious bNumInterfaces overflow

A malicious USB device with crafted descriptors can cause the kernel to access unallocated memory by setting the bNumInterfaces value too high in a configuration descriptor. Although the value is adjusted during parsing, this adjustment is skipped in one of the error return paths.

This patch prevents the problem by setting bNumInterfaces to 0 initially. The existing code already sets it to the proper value after parsing is complete.

BUG= chromium:794504
TEST=Build and run

Change-Id: I69947788ea8c66a150a477abd4924711c56bfcd9
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Reported-by: Andrey Konovalov <andreyknvl@google.com>
CC: <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit 48a4ff1c7bb5a32d2e396b03132d20d552c0eca7
 https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git/)
Reviewed-on: https://chromium-review.googlesource.com/827933

[modify] https://crrev.com/093d83efaa861529c898784875fcde31b24f6a5a/drivers/usb/core/config.c
,
Dec 20 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/kernel/+/a58652957c7bbf064a24c3f259fa53fbd77cc087

commit a58652957c7bbf064a24c3f259fa53fbd77cc087
Author: Alan Stern <stern@rowland.harvard.edu>
Date: Wed Dec 20 23:20:39 2017

FROMGIT: USB: core: prevent malicious bNumInterfaces overflow

A malicious USB device with crafted descriptors can cause the kernel to access unallocated memory by setting the bNumInterfaces value too high in a configuration descriptor. Although the value is adjusted during parsing, this adjustment is skipped in one of the error return paths.

This patch prevents the problem by setting bNumInterfaces to 0 initially. The existing code already sets it to the proper value after parsing is complete.

BUG= chromium:794504
TEST=Build and run

Change-Id: I69947788ea8c66a150a477abd4924711c56bfcd9
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Reported-by: Andrey Konovalov <andreyknvl@google.com>
CC: <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit 48a4ff1c7bb5a32d2e396b03132d20d552c0eca7
 https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git/)
Reviewed-on: https://chromium-review.googlesource.com/827934

[modify] https://crrev.com/a58652957c7bbf064a24c3f259fa53fbd77cc087/drivers/usb/core/config.c
,
Dec 20 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/kernel/+/cb78d8b70ec89f38e24d0252750d98e0bc987cc8

commit cb78d8b70ec89f38e24d0252750d98e0bc987cc8
Author: Alan Stern <stern@rowland.harvard.edu>
Date: Wed Dec 20 23:20:46 2017

FROMGIT: USB: core: prevent malicious bNumInterfaces overflow

A malicious USB device with crafted descriptors can cause the kernel to access unallocated memory by setting the bNumInterfaces value too high in a configuration descriptor. Although the value is adjusted during parsing, this adjustment is skipped in one of the error return paths.

This patch prevents the problem by setting bNumInterfaces to 0 initially. The existing code already sets it to the proper value after parsing is complete.

BUG= chromium:794504
TEST=Build and run

Change-Id: I69947788ea8c66a150a477abd4924711c56bfcd9
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Reported-by: Andrey Konovalov <andreyknvl@google.com>
CC: <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit 48a4ff1c7bb5a32d2e396b03132d20d552c0eca7
 https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git/)
Reviewed-on: https://chromium-review.googlesource.com/827935

[modify] https://crrev.com/cb78d8b70ec89f38e24d0252750d98e0bc987cc8/drivers/usb/core/config.c
,
Jan 2 2018
Vulnerability in USB has no impact on Lakitu.
,
Jan 9 2018
Issue 800276 has been merged into this issue.
,
Mar 29 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by sheriffbot@chromium.org
, Dec 13 2017