Bug 1783561 (CVE-2019-19537)

Summary: CVE-2019-19537 kernel: race condition caused by a malicious USB device in the USB character device driver layer
Product: [Other] Security Response Reporter: msiddiqu
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: acaringi, airlied, bhu, blc, brdeoliv, bskeggs, dhoward, dvlasenk, esammons, fhrbata, hdegoede, hkrzesin, iboverma, ichavero, itamar, jarodwilson, jeremy, jforbes, jglisse, jlelli, john.j5live, jonathan, josef, jross, jshortt, jstancek, jwboyer, kernel-maint, kernel-mgr, lgoncalv, linville, masami256, matt, mchehab, mcressma, mjg59, mlangsdo, nmurray, pmatouse, qzhao, rt-maint, rvrbovsk, steved, williams, wmealing
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Linux kernel, where there is a race condition bug that can be caused by a malicious USB device in the USB character device driver layer. An attacker who can hotplug at least two devices of this class can cause a use-after-free situation.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2020-09-29 21:59:17 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1686205, 1783563, 1785064, 1785065, 1785066, 1785067, 1785068, 1785273    
Bug Blocks: 1783565    

Description msiddiqu 2019-12-13 21:52:50 UTC 
A flaw was found in the Linux kernel where there is a race condition bug that can be caused by a malicious USB device in the USB character device driver layer. An attacker who is able to hot plug at least two devices of this class can cause a a use-after-free situation.

This affects the generic character device layer devices and not a specific device  driver.

References: 

http://www.openwall.com/lists/oss-security/2019/12/03/4
http://seclists.org/oss-sec/2019/q4/115
https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.2.10

Upstream Patch:
  
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=303911cfc5b95d33687d9046133ff184cf5043ff
Comment 1 msiddiqu 2019-12-13 21:53:22 UTC 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1783563]
Comment 2 Justin M. Forbes 2019-12-16 17:21:23 UTC 
This was fixed for Fedora with the 5.2.10 stable kernel updates.
Comment 3 Wade Mealing 2019-12-18 08:05:51 UTC 
While I do understand the race condition that leads to this, it would be somewhat difficult to exploit this flaw with physical access.   Timing physical control of the removal of devices to this level would be harder than you think (I tried ~100 times and maybe I'm just bad at it). 

The other, and more likely method would be using USB over ip ( https://www.kernel.org/doc/readme/tools-usb-usbip-README ), which I had also attempted ~65,000 times, it didnt trigger on my system even after trying multiple different ways of forcing the race condition.    Using this method required root access to attach/detach, with these permissions this attack vector is somewhat contrived.

I'm proposing this be fixed in relevant y streams, I dont think its usable enough as an attack vector for z stream immediate fix.
Comment 6 Wade Mealing 2019-12-19 02:29:37 UTC 
Mitigation:

Many Character devices can trigger this flaw as they leverage the lower levels of the USB subsystem.

The safest method that I have found would be to disable USB ports that are able to be attacked
using this method, disable them first by disallowing them from waking up from low-power states 
with the command (Replace X with the port number available).

echo disabled >> /sys/bus/usb/devices/usbX/power/wakeup 

The system must also disable the specific ports power after with the command:

echo suspend | sudo tee /sys/bus/usb/devices/usbX/power/level

This change not persist through system reboots and must be applied at each reboot to be effective.
Comment 11 errata-xmlrpc 2020-09-29 18:58:49 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:4062 https://access.redhat.com/errata/RHSA-2020:4062
Comment 12 errata-xmlrpc 2020-09-29 20:52:45 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:4060 https://access.redhat.com/errata/RHSA-2020:4060
Comment 13 Product Security DevOps Team 2020-09-29 21:59:17 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-19537
Comment 29 errata-xmlrpc 2020-11-04 00:50:12 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:4431 https://access.redhat.com/errata/RHSA-2020:4431
Comment 30 errata-xmlrpc 2020-11-04 02:22:14 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:4609 https://access.redhat.com/errata/RHSA-2020:4609