Bug 1283371
Summary: | CVE-2015-7566 Local RedHat Enterprise Linux DoS – RHEL 7.1 Kernel crashes on invalid USB device descriptors (visor driver) [local-DoS] | ||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Ralf Spenneberg <ralf> | ||||||||
Component: | kernel | Assignee: | Petr Matousek <pmatouse> | ||||||||
kernel sub component: | USB | QA Contact: | Mike Gahagan <mgahagan> | ||||||||
Status: | CLOSED WONTFIX | Docs Contact: | |||||||||
Severity: | high | ||||||||||
Priority: | unspecified | CC: | sergej, vdronov, xzhou | ||||||||
Version: | 7.1 | Keywords: | Security, SecurityTracking | ||||||||
Target Milestone: | rc | ||||||||||
Target Release: | --- | ||||||||||
Hardware: | Unspecified | ||||||||||
OS: | Unspecified | ||||||||||
Whiteboard: | |||||||||||
Fixed In Version: | Doc Type: | Release Note | |||||||||
Doc Text: | Story Points: | --- | |||||||||
Clone Of: | Environment: | ||||||||||
Last Closed: | 2016-03-11 13:51:13 UTC | Type: | Bug | ||||||||
Regression: | --- | Mount Type: | --- | ||||||||
Documentation: | --- | CRM: | |||||||||
Verified Versions: | Category: | --- | |||||||||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||||
Cloudforms Team: | --- | Target Upstream Version: | |||||||||
Embargoed: | |||||||||||
Bug Depends On: | |||||||||||
Bug Blocks: | 1296180, 1296466 | ||||||||||
Attachments: |
|
Description
Ralf Spenneberg
2015-11-18 20:14:59 UTC
Created attachment 1096273 [details]
vUSBf Payload
Created attachment 1096276 [details]
Stacktrace
Created attachment 1096277 [details]
vUSBf Payload
Proposed upstream patch: http://marc.info/?l=linux-usb&m=145260786729359&w=2 http://article.gmane.org/gmane.linux.usb.general/136010 Setting QA ack+, will probably have to rely on code review for this one, but will see if I can come up with a test case for it. this was fixed in the upstream commit cb3232138e37129e88240a98a1d2aba2187ff57c by adding endpoints number check required: [ http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=cb3232138e37129e88240a98a1d2aba2187ff57c ] + if (serial->num_bulk_out < 2) { + dev_err(&serial->interface->dev, "missing bulk out endpoints\n"); + return -ENODEV; + } Thank you for reporting this flaw. The Product Security has rated this flaw as having low security impact (bz#1296466), so the patch currently is not planned to be added to the RHEL source trees. The upstream and Fedora patches are completed (at least, I hope so), so the patch may get to the RHEL trees at the next USB subsystem code rebase. |