Bug 1783494 (CVE-2019-19526)

Summary: CVE-2019-19526 kernel: use-after-free bug caused by a malicious USB device in the drivers/nfc/pn533/usb.c driver
Product: [Other] Security Response Reporter: msiddiqu
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: acaringi, airlied, bhu, blc, brdeoliv, bskeggs, dhoward, dvlasenk, esammons, fhrbata, hdegoede, hkrzesin, iboverma, ichavero, itamar, jarodwilson, jeremy, jforbes, jglisse, jlelli, john.j5live, jonathan, josef, jross, jshortt, jstancek, jwboyer, kernel-maint, kernel-mgr, labbott, lgoncalv, linville, masami256, matt, mchehab, mcressma, mjg59, mlangsdo, nmurray, qzhao, rkeshri, rt-maint, rvrbovsk, steved, williams
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A use-after-free flaw was found in the pn533_usb_probe USB interface in the Linux kernel. If the driver registration fails it needs to do all the cleanup activity and free all the related resources. A malicious USB device can cause this process to fail, causing a use-after-free vulnerability. System availability is the highest threat with this vulnerability.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2020-02-19 14:09:36 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1783495    
Bug Blocks: 1783496    

Description msiddiqu 2019-12-13 20:19:58 UTC 
A vulnerability was found in pn533_usb_probe in drivers/nfc/pn533/usb.c  in PN533 transceiver module with USB interface for contact-less communication subsystem,  in this if  the driver registration fails in between, it needs to do all the  cleanup activity  and free all the related resources, failing which it can lead to a use-after-free problem.


Upstream patch:   

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=6af3aa57a0984e061f61308fe181a9a12359fecc

References:   

https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.3.9
http://seclists.org/oss-sec/2019/q4/115
http://www.openwall.com/lists/oss-security/2019/12/03/4
Comment 1 msiddiqu 2019-12-13 20:20:27 UTC 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1783495]
Comment 2 Justin M. Forbes 2019-12-16 16:56:38 UTC 
This is fixed for Fedora with the 5.3.9 stable kernel update.
Comment 3 Product Security DevOps Team 2020-02-19 14:09:36 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-19526
Comment 5 Rohit Keshri 2020-02-19 14:14:08 UTC 
Mitigation:

Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Comment 7 Eric Christensen 2020-03-05 16:24:22 UTC 
External References:

https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.3.9
http://seclists.org/oss-sec/2019/q4/115
http://www.openwall.com/lists/oss-security/2019/12/03/4
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=6af3aa57a0984e061f61308fe181a9a12359fecc