Bug 1746732 (CVE-2019-15505)

Summary: CVE-2019-15505 kernel: out of bounds read in drivers/media/usb/dvb-usb/technisat-usb2.c
Product: [Other] Security Response
Reporter: Dhananjay Arunesh <darunesh>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: acaringi, airlied, bhu, blc, brdeoliv, bskeggs, desnesn, dhoward, dvlasenk, esammons, fhrbata, hdegoede, hkrzesin, iboverma, ichavero, itamar, jarodwilson, jeremy, jforbes, jlelli, john.j5live, jonathan, josef, jross, jshortt, jstancek, jwboyer, kernel-maint, kernel-mgr, lgoncalv, linville, masami256, mchehab, mcressma, mjg59, mlangsdo, nmurray, rkeshri, rt-maint, rvrbovsk, steved, torez, williams, wmealing, yozone
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
An out-of-bounds read flaw was found in the DVB USB subsystem of the Linux kernel. The array state->buf in struct technisat_usb2_state is read without a boundary check until a 0xff byte is encountered. If the byte is not encountered within the array's limit, the read continues past it and kernel data structures are exposed. Data confidentiality and system availability are the highest threats with this vulnerability.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-10-27 10:49:05 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1746734, 1805720, 1805721, 1805722, 1805723, 1805724
Bug Blocks: 1746735

Description Dhananjay Arunesh 2019-08-29 07:38:14 UTC
A vulnerability was found in technisat_usb2_get_ir in drivers/media/usb/dvb-usb/technisat-usb2.c in the DVB USB subsystem. There was an out-of-bounds read for an array in struct technisat_usb2_state state->buf, with no boundary check applied until the 0xff byte is encountered. If it is not found within the limits, it goes beyond the array size; this exposes kernel data structure, which should not happen.


Reference:
https://lore.kernel.org/linux-media/20190821104408.w7krumcglxo6fz5q@gofer.mess.org/
https://git.linuxtv.org/media_tree.git/commit/?id=0c4df39e504bf925ab666132ac3c98d6cbbe380b
https://lore.kernel.org/lkml/b9b256cb-95f2-5fa1-9956-5a602a017c11@gmail.com/
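
The bounded form of the terminator scan described above, as an added user-space example that is not part of the bug report and is not the driver's or the upstream patch's code. The buffer size, the function name `ir_count_samples` and the sample bytes are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define IR_BUF_SIZE 64 /* assumed size for this model, not taken from the page */
#define IR_END 0xff    /* terminator byte named in the bug description */

/* Bounded scan: walk the samples after the header byte until IR_END and
 * never step past buf + len. Returns the number of samples before the
 * terminator, or -1 when the data holds no terminator inside the buffer.
 * The flaw on this page is such a scan with the 0xff test as its only exit. */
static int ir_count_samples(const uint8_t *buf, size_t len)
{
    const uint8_t *b;

    if (buf == NULL || len < 2)
        return -1;
    for (b = buf + 1; b < buf + len; b++) {
        if (*b == IR_END)
            return (int)(b - (buf + 1));
    }
    return -1; /* terminator missing: reject instead of reading on */
}

/* Constructed sample: header, three samples, terminator, rest zero. */
static int demo_well_formed(void)
{
    uint8_t buf[IR_BUF_SIZE] = { 0x00, 0x0a, 0x14, 0x0a, IR_END };
    return ir_count_samples(buf, sizeof(buf));
}

/* Constructed sample: device data that never contains the terminator. */
static int demo_no_terminator(void)
{
    uint8_t buf[IR_BUF_SIZE];
    size_t i;

    for (i = 0; i < sizeof(buf); i++)
        buf[i] = 0x0a;
    return ir_count_samples(buf, sizeof(buf));
}

int main(void)
{
    printf("well-formed: %d samples\n", demo_well_formed());
    printf("no terminator: %d\n", demo_no_terminator());
    return 0;
}
```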

Comment 1 Dhananjay Arunesh 2019-08-29 07:39:41 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1746734]

Comment 7 Eric Christensen 2020-02-27 16:40:06 UTC
Mitigation:

Mitigation for this issue is to skip loading the affected module technisat_usb2 onto the system until we have a fix available. This can be done by a blacklist mechanism, which will ensure the driver is not loaded at boot time.
~~~
How do I blacklist a kernel module to prevent it from loading automatically? 
https://access.redhat.com/solutions/41278  
~~~