'Re: [oss-security] Vulnerability in WhiteHEAT Linux Driver-CVE-2015-5257'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    Re: [oss-security] Vulnerability in WhiteHEAT Linux Driver-CVE-2015-5257
From:       Greg KH <greg () kroah ! com>
Date:       2015-09-23 18:54:42
Message-ID: 20150923185442.GA4974 () kroah ! com
[Download RAW message or body]

On Tue, Sep 22, 2015 at 08:17:06PM -0700, Greg KH wrote:
> On Tue, Sep 22, 2015 at 05:49:53PM -0700, Moein Ghasemzadeh wrote:
> > Hello,
> > 
> > We have discovered a vulnerability in a linux kernel module and would
> > like to inform you so that required actions could be taken.
> > 
> > Assigned CVE ID : CVE-2015-5257.
> > 
> > Below is the description of the vulnerability.
> > 
> > 1. Software name and vendor name:
> > USB WhiteHEAT serial driver by ConnecTech in the Linux kernel
> > v3.19.0-28, but likely to exist in all kernel versions.
> > 
> > 2. Type of vulnerability or attack outcome:
> > 
> > The vulnerability triggers a kernel NULL pointer dereference. It causes
> > the OS to freeze on many machines and requires a cold reboot, causing
> > denial of service.
> > 
> > 3. A description of the affected code (e.g. the function name, the
> > vulnerable web page, link to the affected code, a bug entry, etc.):
> > 
> > The flaw exists in the "whiteheat_attach" function in
> > drivers/usb/serial/whiteheat.c in the Whiteheat USB Serial Driver in the
> > Linux kernel.
> > (http://lxr.free-electrons.com/source/drivers/usb/serial/whiteheat.c?v=3.19)
> > 
> > 
> > In the driver, the "COMMAND_PORT" variable is hard coded and is set to
> > "4" (5th element). So, the driver assumes that the number of ports
> > always will be 5 and takes the port number 5 as the command port. But,
> > using a specially made USB device in which the number of ports was set
> > to a number less than 5 (e.g. 3) we were able to perform Denial of
> > Service on the system due to a kernel NULL pointer dereference. The
> > system froze and requires a reboot.
> > 
> > You may find more information regarding the bug from the logs attached
> > to this email. Please let us know if you have any questions or concerns.
> 
> FWIW, the USB serial subsystem maintainer was just told about this an
> hour or so ago, and is working on a patch for this, which should be
> merged into Linus's tree by the end of the week or so.

And here's a patch if distros care to pick it up earlier than "normal":
	https://lkml.kernel.org/r/<1443033702-29600-1-git-send-email-johan@kernel.org>
[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic