Status: Fixed
Closed: Aug 2014
Linux Kernel Buffer Overflow in Whiteheat USB Serial Driver
Project Member Reported by forshaw@google.com, Aug 22 2014
A bug exists in drivers/usb/serial/whiteheat.c that can result in kernel memory corruption. The WHITEHEAT_GET_DTR_RTS command response is not verified correctly in the function command_port_read_callback. It assumes that the bulk response cannot be larger than 64 bytes; however, on EHCI and XHCI this isn't necessarily the case.

We consider this a security bug in the context of an attacker who gains short-term physical access to a running device with the goal of turning this into long-term remote access. 

I've attached a non-tested patch that attempts to address the issue by not handling responses greater than the buffer size.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

 
Attachment: whiteheat.c.patch (734 bytes)
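
A user-space model of the flaw described in the report above, added here as an example; it is not the driver's code or the attached patch. It assumes a response made of one command byte followed by payload, and the names `read_cb_unchecked`, `read_cb_checked`, `overrun` and the value of `CMD_CODE` are hypothetical.

```c
#include <stdio.h>
#include <string.h>

#define RESULT_SIZE 64    /* size the report says responses were assumed to fit */
#define ARENA_SIZE  512   /* constructed: result buffer plus the memory after it */
#define CMD_CODE    0x01  /* constructed placeholder, not the driver's real value */
#define CANARY      0xAA  /* fill value used to spot overwritten bytes */

/* Unchecked pattern: the copy length comes straight from the transfer. */
static void read_cb_unchecked(unsigned char *buf, const unsigned char *data, size_t len)
{
    if (len > 0 && data[0] == CMD_CODE)
        memcpy(buf, data + 1, len - 1);
}

/* Checked pattern: ignore empty transfers (len - 1 would wrap) and payloads
 * larger than the result buffer. Returns bytes stored, or -1 when ignored. */
static int read_cb_checked(unsigned char *buf, const unsigned char *data, size_t len)
{
    if (len == 0 || data[0] != CMD_CODE || len - 1 > RESULT_SIZE)
        return -1;
    memcpy(buf, data + 1, len - 1);
    return (int)(len - 1);
}

/* Feed a constructed len-byte response; return how many bytes beyond the
 * first RESULT_SIZE bytes of the arena were overwritten. */
static size_t overrun(size_t len, int checked)
{
    unsigned char resp[ARENA_SIZE + 1], arena[ARENA_SIZE];
    size_t i, hit = 0;

    if (len > sizeof(resp))
        len = sizeof(resp);               /* keep the model itself in bounds */
    memset(resp, 0x41, sizeof(resp));
    resp[0] = CMD_CODE;
    memset(arena, CANARY, sizeof(arena));
    if (checked)
        read_cb_checked(arena, resp, len);
    else
        read_cb_unchecked(arena, resp, len);
    for (i = RESULT_SIZE; i < ARENA_SIZE; i++)
        hit += (arena[i] != CANARY);
    return hit;
}

int main(void)
{
    printf("unchecked: %zu bytes past buffer\n", overrun(513, 0));
    printf("checked:   %zu bytes past buffer\n", overrun(513, 1));
    return 0;
}
```
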
Project Member Comment 1 by forshaw@google.com, Aug 29 2014
Labels: -Restrict-View-Commit
Status: Fixed
The patch has been fixed up and committed: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/drivers/usb/serial/whiteheat.c?id=6817ae225cd650fb1c3295d769298c38b1eba818

Thanks for the fast response from security@kernel.org and Greg Kroah-Hartman.

Project Member Comment 2 by hawkes@google.com, Sep 11 2014
Labels: CVE-2014-3185