Bug 1743556 (CVE-2019-15212)

Summary: CVE-2019-15212 kernel: double-free caused by malicious USB device in drivers/usb/misc/rio500.c
Product: [Other] Security Response
Reporter: Dhananjay Arunesh <darunesh>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: acaringi, airlied, bhu, blc, brdeoliv, bskeggs, dhoward, dvlasenk, esammons, fhrbata, hdegoede, hkrzesin, iboverma, ichavero, itamar, jarodwilson, jeremy, jforbes, jglisse, jlelli, john.j5live, jonathan, josef, jross, jshortt, jstancek, jwboyer, kernel-maint, kernel-mgr, labbott, lgoncalv, linville, masami256, matt, mchehab, mcressma, mjg59, mlangsdo, nmurray, plougher, rt-maint, rvrbovsk, steved, williams, wmealing
Target Milestone: ---
Keywords: Reopened, Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A use-after-free flaw was found in the RIO500 driver in the Linux kernel. The implementation of the driver did not consider that multiple RIO500 devices could be attached to the same system simultaneously. When a second device connects, the system overwrites the data structures in use by the first, allowing a local attacker to possibly create a use-after-free situation which can lead to memory corruption, system panic, or privilege escalation. The highest threat from this vulnerability is to system availability, although data integrity is also at risk.
Last Closed: 2020-03-13 10:31:47 UTC
Type: ---
Bug Depends On: 1743557    
Bug Blocks: 1743559    

Description Dhananjay Arunesh 2019-08-20 08:27:02 UTC
A vulnerability was found in the Linux kernel's driver for the RIO 500.  The driver itself was not designed to allow for multiple RIO500 devices to be plugged into the system.

The Rio 500 was an early generation portable MP3 digital audio player produced by Diamond Multimedia which used a USB connection to connect to the computer.  According to upstream this driver is rarely used due to both the rarity of the hardware and that the userspace software migrated to libusb as a transport mechanism.


Comment 1 Dhananjay Arunesh 2019-08-20 08:27:41 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1743557]

Comment 2 Justin M. Forbes 2019-08-20 12:45:24 UTC
This was fixed for Fedora with the 5.1.18 stable kernel updates.

Comment 4 Product Security DevOps Team 2020-03-13 04:31:48 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):


Comment 9 Product Security DevOps Team 2020-03-13 10:31:47 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):


Comment 10 Eric Christensen 2020-03-17 16:29:59 UTC

As the rio500 module will be auto-loaded when required, its use can be disabled by preventing the module from loading with the following instructions:

# echo "blacklist rio500" >> /etc/modprobe.d/rio-500.conf
# echo "install rio500 /bin/false" >> /etc/modprobe.d/rio-500.conf

The system will need to be restarted if the RIO500 modules are loaded. In most circumstances, the kernel modules will be unable to be unloaded while any devices or programs are using the USB device.

If the system requires this module to work correctly, this mitigation may not be suitable.

If you need further assistance, see KCS article https://access.redhat.com/solutions/41278 or contact Red Hat Global Support Services.
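
A check that both modprobe directives from Comment 10 are in place and that rio500 is not still loaded, as an added example that is not part of the original comment. The function names, return codes and path parameters are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit the rio500 mitigation described in Comment 10.
# Function names and return codes are illustrative, not from Red Hat.
MODULE=rio500

# Succeeds if a *.conf file in any given directory holds an active
# (uncommented) line matching the directive pattern.
has_directive() {
    pattern=$1; shift
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for f in "$dir"/*.conf; do
            [ -f "$f" ] || continue
            grep -Eq "^[[:space:]]*$pattern([[:space:]]|\$)" "$f" && return 0
        done
    done
    return 1
}

# Succeeds if the module appears in a /proc/modules-format file.
module_loaded() {
    grep -Eq "^$MODULE[[:space:]]" "${1:-/proc/modules}"
}

# audit_rio500 [MODULES_FILE [CONF_DIR...]]
# Returns 0 = mitigated, 1 = a directive is missing,
#         2 = directives present but module still loaded (restart needed).
audit_rio500() {
    modules_file=${1:-/proc/modules}
    [ $# -gt 0 ] && shift
    [ $# -gt 0 ] || set -- /etc/modprobe.d
    # "blacklist" only stops alias-based autoloading on device plug-in.
    has_directive "blacklist[[:space:]]+$MODULE" "$@" ||
        { echo "missing: blacklist $MODULE"; return 1; }
    # "install ... /bin/false" makes any modprobe of the module fail.
    has_directive "install[[:space:]]+$MODULE[[:space:]]+/bin/false" "$@" ||
        { echo "missing: install $MODULE /bin/false"; return 1; }
    if module_loaded "$modules_file"; then
        echo "$MODULE is still loaded: restart required"
        return 2
    fi
    echo "$MODULE mitigation in effect"
    return 0
}

# Usage on a live system (as root or any user that can read the files):
#   audit_rio500 /proc/modules /etc/modprobe.d
```
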