Bug 1660385 (CVE-2018-20169)

Summary: CVE-2018-20169 kernel: usb: missing size check in the __usb_get_extra_descriptor() leading to DoS
Product: [Other] Security Response Reporter: Andrej Nemec <anemec>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: abhgupta, bhu, dbaker, esammons, iboverma, jforbes, jokerman, jross, lgoncalv, matt, mcressma, rt-maint, slawomir, sthangav, trankin, vdronov, williams, yozone
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A flaw was discovered in the Linux kernel's USB subsystem in the __usb_get_extra_descriptor() function in the drivers/usb/core/usb.c which mishandles a size check during the reading of an extra descriptor data. By using a specially crafted USB device which sends a forged extra descriptor, an unprivileged user with physical access to the system can potentially cause a privilege escalation or trigger a system crash or lock up and thus to cause a denial of service (DoS).
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 1689304, 1689305, 1689308, 1689309, 1660386, 1689306, 1689307    
Bug Blocks: 1660387    

Description Andrej Nemec 2018-12-18 09:12:19 UTC
A flaw was discovered in the Linux kernel's USB subsystem in the __usb_get_extra_descriptor() function in the drivers/usb/core/usb.c which mishandles a size check during the reading of an extra descriptor data. By using a specially crafted USB device which sends a forged extra descriptor, an unprivileged user with physical access to the system can potentially cause a  privilege escalation or trigger a system crash or lock up and thus to cause a denial of service (DoS).

An upstream patch:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=704620afc70cf47abb9d6a1a57f3825d2bca49cf

Comment 1 Andrej Nemec 2018-12-18 09:12:42 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1660386]

Comment 2 Justin M. Forbes 2018-12-18 15:41:51 UTC
This was fixed for Fedora with the 4.19.9 stable kernel updates