Bug 1783515 (CVE-2019-19529)

Summary: CVE-2019-19529 kernel: use-after-free bug caused by a malicious USB device in the drivers/net/can/usb/mcba_usb.c
Product: [Other] Security Response
Reporter: msiddiqu
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: acaringi, airlied, bhu, blc, brdeoliv, bskeggs, dhoward, dvlasenk, esammons, fhrbata, hdegoede, hkrzesin, iboverma, ichavero, itamar, jarodwilson, jeremy, jforbes, jlelli, john.j5live, jonathan, josef, jross, jshortt, jstancek, jwboyer, kernel-maint, kernel-mgr, lgoncalv, linville, masami256, mchehab, mcressma, mjg59, mlangsdo, nmurray, qzhao, rt-maint, rvrbovsk, steved, williams
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Doc Type: If docs needed, set a value
Doc Text:
A use-after-free flaw was found in the driver for the USB Microchip CAN BUS Analyzer Tool. CAN BUS analyzer hardware is not commonly found on server-grade hardware. The flaw is reached while a device is removed (physical access) or the kernel module is unloaded (administrative privileges). An attacker must race the code while the device is being unplugged to take advantage of this flaw.
Story Points: ---
Last Closed: 2021-10-25 22:14:31 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1783516, 1797430, 1797431, 1797432
Bug Blocks: 1783517

Description msiddiqu 2019-12-13 20:57:28 UTC
A use-after-free flaw was found in the driver for the Microchip CAN BUS Analyzer Tool. CANBUS devices are not commonly found on server-grade hardware. The flaw exists while a device is removed (physical access) or a kernel module is unloaded (administrative privileges).

Upstream Patch: 

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4d6636498c41891d0482a914dd570343a838ad79

References:  

https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.3.11
https://www.openwall.com/lists/oss-security/2019/12/03/4
http://seclists.org/oss-sec/2019/q4/115

Comment 1 msiddiqu 2019-12-13 20:57:49 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1783516]

Comment 2 Justin M. Forbes 2019-12-16 17:05:26 UTC
This is fixed for Fedora in the 5.3.11 stable kernel update.

Comment 5 Wade Mealing 2020-02-03 03:57:03 UTC
Mitigation:

As the mcba_usb module will be auto-loaded when required, its use can be disabled by preventing the module from loading with the following instructions:

# echo "install mcba_usb /bin/true" >> /etc/modprobe.d/disable-mcba_usb.conf

The system will need to be restarted in the unlikely case that the modules are loaded. In most circumstances, the kernel modules cannot be unloaded with rmmod while any device has the software in use.

If the system requires this module to work correctly, this mitigation may not be suitable; alternative USB CAN analysers will not suffer from this same flaw.

If you need further assistance, see KCS article https://access.redhat.com/solutions/41278 or contact Red Hat Global Support Services.

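The mitigation from Comment 5, as an added example that is not part of the bug report or of Red Hat's own tooling: a small POSIX shell script that writes the "install mcba_usb /bin/true" rule idempotently, counts the rule so the result can be verified, and reads the kernel module list to tell whether mcba_usb is already loaded (the case where the rule alone does not help until a reboot). The configuration directory and module-list path are parameters, assumed to default to /etc/modprobe.d and /proc/modules, so the functions can be exercised against a scratch directory without root.

```shell
#!/bin/sh
# Added example, not code from the bug report. Applies the modprobe "install"
# rule from Comment 5 and checks whether the driver is currently loaded.
# Assumptions: the modprobe drop-in directory is /etc/modprobe.d and the
# loaded-module list is readable at /proc/modules, as on a stock Linux system.

MODULE="mcba_usb"

# Append "install mcba_usb /bin/true" once. A plain "blacklist" line only stops
# alias-based autoloading (e.g. udev reacting to the USB device's modalias);
# "install <module> /bin/true" also defeats an explicit "modprobe mcba_usb",
# because modprobe runs /bin/true instead of inserting the module.
write_mcba_usb_block() {
    conf_dir="${1:-/etc/modprobe.d}"
    conf="$conf_dir/disable-${MODULE}.conf"
    rule="install $MODULE /bin/true"
    mkdir -p "$conf_dir"
    if [ -f "$conf" ] && grep -qxF "$rule" "$conf"; then
        return 0            # rule already present, nothing to do
    fi
    printf '%s\n' "$rule" >> "$conf"
}

# Print how many times the rule appears in the drop-in (used to verify that
# repeated runs do not duplicate it).
count_mcba_usb_rules() {
    conf_dir="${1:-/etc/modprobe.d}"
    conf="$conf_dir/disable-${MODULE}.conf"
    [ -f "$conf" ] || { echo 0; return 0; }
    grep -cxF "install $MODULE /bin/true" "$conf" || true
}

# Exit 0 if the module is loaded right now. The install rule only affects
# future loads; a module that is already resident stays until reboot, which is
# the caveat Comment 5 points out. /proc/modules lines start with "<name> ".
mcba_usb_loaded() {
    modules="${1:-/proc/modules}"
    [ -r "$modules" ] && grep -q "^${MODULE} " "$modules"
}

# Usage as root against the real system:
#   write_mcba_usb_block
#   modprobe -n -v mcba_usb        # dry run; should report the /bin/true install line
#   if mcba_usb_loaded; then echo "mcba_usb is resident: reboot required"; fi
```

Two practical caveats: the rule is enforced by modprobe, so a root user can still bypass it with insmod on the module file directly, and the dry-run check only proves what modprobe would do, not that the module is absent from the running kernel, which is why the script also reads the module list.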
Comment 6 Wade Mealing 2020-02-03 05:55:49 UTC
Most systems won't have this module loaded by default, as it is mostly used by automotive/marine diagnostic systems.