Bug 1311589 (CVE-2015-8816)

Summary: CVE-2015-8816 kernel: USB hub invalid memory access in hub_activate()
Product: [Other] Security Response
Reporter: Andrej Nemec <anemec>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
Severity: low
Priority: low
Version: unspecified
CC: agordeev, aquini, arm-mgr, bhu, dhoward, esammons, fhrbata, gansalmon, iboverma, itamar, jforbes, jkacur, joelsmith, jonathan, jross, jwboyer, kernel-maint, kernel-mgr, kstutsma, lgoncalv, lwang, madhu.chinakonda, matt, mchehab, mcressma, mguzik, nmurray, pholasek, plougher, pmatouse, rt-maint, rvrbovsk, slawomir, vdronov, williams
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2016-04-01 15:18:30 UTC
Bug Blocks: 1311591    

Description Andrej Nemec 2016-02-24 14:21:55 UTC
Quickly plugging in and unplugging a USB hub can lead to a null
pointer dereference in kernel (local denial of service) or the USB
port to which the hub is connected becomes unusable, for kernel
versions 2.6.32 < 4.4. The issue occurs when the USB hub gets
disconnected before or while the routine for USB hub activation is
running - hub_activate() function.

Upstream patch:

https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=e50293ef9775c5

External references:

http://www.spinics.net/lists/linux-usb/msg132311.html

CVE-ID request and assignment:

http://seclists.org/oss-sec/2016/q1/404

http://seclists.org/oss-sec/2016/q1/413

Comment 1 Josh Boyer 2016-02-24 15:00:06 UTC
This was fixed in 4.3.5 with:

commit 28fb0f5b4fa9b9e201b2c6d781382601b60feee3
Author: Alan Stern <stern.edu>
Date:   Wed Dec 16 13:32:38 2015 -0500

    USB: fix invalid memory access in hub_activate()
    
    commit e50293ef9775c5f1cf3fcc093037dd6a8c5684ea upstream.

Fedora 22 is the only branch still on the 4.3.y kernel series and it is already at 4.3.5 or newer.  The remainder of the Fedora branches already contain this fix.

Comment 3 Vladis Dronov 2016-04-01 15:18:30 UTC
Statement:

This issue does not affect the Linux kernel packages as shipped with Red Hat Enterprise Linux 5 as the code with the flaw is not present in the products listed.

This issue affects the Linux kernel packages as shipped with Red Hat Enterprise Linux 6, 7, and Red Hat Enterprise MRG 2. This has been rated as having Low security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.
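
Added example, not part of the bug report: a triage helper that classifies `uname -r` strings using only the statements in this bug (affected range 2.6.32 up to 4.4, 4.3.y fixed in 4.3.5, and the RHEL statement in Comment 3). The function names and the sample release strings are constructed for illustration, and a version match on a non-RHEL kernel still needs a check for a backport of the upstream commit.

```python
import re

# Bounds taken from the bug text: affected "2.6.32 < 4.4", 4.3.y fixed in 4.3.5.
FIRST_AFFECTED = (2, 6, 32)
FIRST_FIXED_MAINLINE = (4, 4, 0)
FIXED_43_STABLE = (4, 3, 5)

def parse_release(release):
    """Return (major, minor, patch) from a `uname -r` style string."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError("unrecognised kernel release: %r" % release)
    return tuple(int(g or 0) for g in m.groups())

def rhel_major(release):
    """Return the RHEL major version from an elN tag, or None."""
    m = re.search(r"\.el(\d+)", release)
    return int(m.group(1)) if m else None

def triage(release):
    """Classify one kernel release string against the statements in this bug."""
    el = rhel_major(release)
    # Distribution kernels carry backports, so the vendor statement (Comment 3)
    # takes precedence over the upstream version number.
    if el == 5:
        return "not affected (RHEL 5: flawed code not present)"
    if el in (6, 7):
        return "affected (RHEL %d: no fix planned)" % el
    v = parse_release(release)
    if v < FIRST_AFFECTED or v >= FIRST_FIXED_MAINLINE:
        return "not affected (outside 2.6.32 .. 4.4)"
    if v[:2] == (4, 3) and v >= FIXED_43_STABLE:
        return "fixed (4.3.y stable >= 4.3.5)"
    return "affected by version; check for a backport of e50293ef9775c5"

# Constructed sample inventory, not taken from the bug.
SAMPLE = ["2.6.18-400.el5", "2.6.32-573.el6.x86_64", "3.10.0-327.el7.x86_64",
          "4.3.4-200.fc22.x86_64", "4.3.5-300.fc22.x86_64", "4.4.0"]

if __name__ == "__main__":
    for rel in SAMPLE:
        print("%-28s %s" % (rel, triage(rel)))
```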