A use-after-free flaw in the driver for the Microchip CAN BUS Analyzer Tool. CANBUS devices are not commonly found on server grade hardware. The flaw exists while a device is removed (physical access) or a kernel module is unloaded (administrative privs).

Upstream Patch:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4d6636498c41891d0482a914dd570343a838ad79

References:
https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.3.11
https://www.openwall.com/lists/oss-security/2019/12/03/4
http://seclists.org/oss-sec/2019/q4/115
http://www.openwall.com/lists/oss-security/2019/12/03/4
Created kernel tracking bugs for this issue: Affects: fedora-all [bug 1783516]
This is fixed for Fedora in the 5.3.11 stable kernel update.
Mitigation: As the mcba_usb module will be auto-loaded when required, its use can be disabled by preventing the module from loading with the following instructions:

# echo "install mcba_usb /bin/true" >> /etc/modprobe.d/disable-mcba_usb.conf

The system will need to be restarted in the unlikely case that the modules are loaded. In most circumstances, the kernel modules will be unable to be unloaded with rmmod while any device has the software in use. If the system requires this module to work correctly, this mitigation may not be suitable; alternative USB CAN analysers will not suffer this same flaw. If you need further assistance, see KCS article https://access.redhat.com/solutions/41278 or contact Red Hat Global Support Services.
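The mitigation above as a small, checkable script. This is an added example, not part of the bug tracker comments or of Red Hat's KCS article: it writes the same `install mcba_usb /bin/true` override, reports whether the module is currently loaded (in which case the override only takes effect after a reboot or rmmod), and verifies the file content afterwards. The `CONF_DIR` override, the `--apply` flag and the function names are this example's own conventions; it writes the file with `>` rather than `>>` so that re-running it is idempotent.

```shell
#!/bin/sh
# Added example: prevent mcba_usb from auto-loading via a modprobe.d "install"
# override, and check the result. Not Red Hat's or the kernel project's code.

MODULE="mcba_usb"

# Directory for the override; defaults to /etc/modprobe.d, overridable for
# testing without root (assumed convention of this example).
conf_dir() { printf '%s\n' "${CONF_DIR:-/etc/modprobe.d}"; }
conf_file() { printf '%s/disable-%s.conf\n' "$(conf_dir)" "$MODULE"; }

# Returns 0 if the module named in $1 appears in lsmod-style output on stdin.
module_listed() {
    awk -v m="$1" '$1 == m { found = 1 } END { exit !found }'
}

# Write the override: modprobe runs /bin/true instead of loading the module.
write_override() {
    mkdir -p "$(conf_dir)"
    printf 'install %s /bin/true\n' "$MODULE" > "$(conf_file)"
}

# Returns 0 if the override file holds exactly the expected directive.
override_present() {
    grep -qx "install $MODULE /bin/true" "$(conf_file)" 2>/dev/null
}

main() {
    if lsmod | module_listed "$MODULE"; then
        echo "$MODULE is loaded: the override takes effect after rmmod or a reboot."
    else
        echo "$MODULE is not loaded; the override will block future auto-loading."
    fi
    write_override
    if override_present; then
        echo "Override written to $(conf_file)"
    else
        echo "Failed to write override" >&2
        exit 1
    fi
}

# Run only when explicitly asked, e.g.: sudo sh disable_mcba_usb.sh --apply
if [ "${1:-}" = "--apply" ]; then
    main
fi
```

Run it as root with `--apply`; to dry-run as an unprivileged user, set `CONF_DIR` to a scratch directory first. As the comment notes, a loaded module stays loaded until rmmod or a reboot, so the `lsmod` check is what tells you whether a restart is still needed.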
Most systems won't have this module loaded by default as this is mostly used by automotive/marine diagnostic systems.