Bug 1749978 (CVE-2019-15291)

Summary: CVE-2019-15291 kernel: Null pointer dereference in the flexcop_usb_probe function in the drivers/media/usb/b2c2/flexcop-usb.c
Product: [Other] Security Response Reporter: Pedro Sampaio <psampaio>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: acaringi, airlied, bdettelb, bhu, blc, brdeoliv, bskeggs, dhoward, dvlasenk, esammons, fhrbata, hdegoede, hkrzesin, iboverma, ichavero, itamar, jarodwilson, jeremy, jforbes, jlelli, john.j5live, jonathan, josef, jross, jshortt, jstancek, jwboyer, kernel-maint, kernel-mgr, lgoncalv, linville, masami256, mchehab, mcressma, mjg59, mlangsdo, nmurray, rt-maint, rvrbovsk, steved, williams
Target Milestone: ---Keywords: Reopened, Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A null pointer dereference flaw was found in the flexcop_usb_probe function in the Flexcop digital TV device driver. An attacker who can insert a malicious USB device into the system could use this flaw to crash the system.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2021-10-25 09:53:26 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1749991, 1807078, 1807079, 1807080, 1807081, 1807082    
Bug Blocks: 1749993    

Description Pedro Sampaio 2019-09-07 01:26:58 UTC 
An issue was discovered in the Linux kernel through 5.2.9. There is a NULL pointer dereference caused by a malicious USB device in the flexcop_usb_probe function in the drivers/media/usb/b2c2/flexcop-usb.c driver.

References:

https://syzkaller.appspot.com/bug?id=c0203bd72037d07493f4b7562411e4f5f4553a8f
http://www.openwall.com/lists/oss-security/2019/08/20/2
Comment 1 Pedro Sampaio 2019-09-07 02:34:26 UTC 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1749991]
Comment 2 Petr Matousek 2020-02-25 15:02:33 UTC 
Mitigation:

As the b2c2-flexcop-usb module will be auto-loaded when required, its use can be disabled by preventing the module from loading with the following instructions:

# echo "install b2c2-flexcop-usb /bin/true" >> /etc/modprobe.d/disable-b2c2-flexcop-usb.conf

The system will need to be restarted if the b2c2-flexcop-usb module is already loaded. In most circumstances, the b2c2-flexcop-usb kernel module will be unable to be unloaded while the device is in use. If the system requires this module to work correctly, this mitigation may not be suitable. If you need further assistance, see KCS article https://access.redhat.com/solutions/41278 or contact Red Hat Global Support Services.
Comment 4 Justin M. Forbes 2020-03-19 14:51:41 UTC 
This was fixed for Fedora with the 5.3.14 stable kernel updates.