1660385 – (CVE-2018-20169) CVE-2018-20169 kernel: usb: missing size check in the __usb_get_extra_descriptor() leading to DoS

Bug 1660385 (CVE-2018-20169) - CVE-2018-20169 kernel: usb: missing size check in the __usb_get_extra_descriptor() leading to DoS

Summary: CVE-2018-20169 kernel: usb: missing size check in the __usb_get_extra_descrip...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2018-20169
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1660386 Engineering1689304 Engineering1689305 Engineering1689306 Engineering1689307 Engineering1689308 Engineering1689309 Engineering1828283 Engineering1828284 Engineering1836415 Engineering1836416 Engineering1836417 Engineering1836418
Blocks:	Embargoed1660387
TreeView+	depends on / blocked

Reported:	2018-12-18 09:12 UTC by Andrej Nemec
Modified:	2023-05-12 21:14 UTC (History)
CC List:	19 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:	A flaw was discovered in the Linux kernel's USB subsystem in the __usb_get_extra_descriptor() function in the drivers/usb/core/usb.c which mishandles a size check during the reading of an extra descriptor data. By using a specially crafted USB device which sends a forged extra descriptor, an unprivileged user with physical access to the system can potentially cause a privilege escalation or trigger a system crash or lock up and thus to cause a denial of service (DoS).
Clone Of:
Environment:
Last Closed:	2019-11-06 00:51:32 UTC

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2019:3309	None	None	None	2019-11-05 20:35:01 UTC
Red Hat Product Errata	RHSA-2019:3517	None	None	None	2019-11-05 21:05:37 UTC
Red Hat Product Errata	RHSA-2020:1016	None	None	None	2020-03-31 19:11:24 UTC
Red Hat Product Errata	RHSA-2020:1070	None	None	None	2020-03-31 19:20:18 UTC
Red Hat Product Errata	RHSA-2020:2522	None	None	None	2020-06-11 02:10:00 UTC
Red Hat Product Errata	RHSA-2020:2770	None	None	None	2020-06-30 12:10:23 UTC
Red Hat Product Errata	RHSA-2020:2777	None	None	None	2020-07-01 10:07:41 UTC
Red Hat Product Errata	RHSA-2020:2851	None	None	None	2020-07-07 09:51:39 UTC

Description Andrej Nemec 2018-12-18 09:12:19 UTC

A flaw was discovered in the Linux kernel's USB subsystem in the __usb_get_extra_descriptor() function in the drivers/usb/core/usb.c which mishandles a size check during the reading of an extra descriptor data. By using a specially crafted USB device which sends a forged extra descriptor, an unprivileged user with physical access to the system can potentially cause a  privilege escalation or trigger a system crash or lock up and thus to cause a denial of service (DoS).

An upstream patch:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=704620afc70cf47abb9d6a1a57f3825d2bca49cf

Comment 1 Andrej Nemec 2018-12-18 09:12:42 UTC

Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1660386]

Comment 2 Justin M. Forbes 2018-12-18 15:41:51 UTC

This was fixed for Fedora with the 4.19.9 stable kernel updates

Comment 6 errata-xmlrpc 2019-11-05 20:34:59 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:3309 https://access.redhat.com/errata/RHSA-2019:3309

Comment 7 errata-xmlrpc 2019-11-05 21:05:35 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:3517 https://access.redhat.com/errata/RHSA-2019:3517

Comment 8 Product Security DevOps Team 2019-11-06 00:51:32 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2018-20169

Comment 9 errata-xmlrpc 2020-03-31 19:11:22 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:1016 https://access.redhat.com/errata/RHSA-2020:1016

Comment 10 errata-xmlrpc 2020-03-31 19:20:16 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:1070 https://access.redhat.com/errata/RHSA-2020:1070

Comment 15 errata-xmlrpc 2020-06-11 02:09:58 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.7 Extended Update Support

Via RHSA-2020:2522 https://access.redhat.com/errata/RHSA-2020:2522

Comment 17 errata-xmlrpc 2020-06-30 12:10:19 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.4 Advanced Update Support
  Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.4 Telco Extended Update Support

Via RHSA-2020:2770 https://access.redhat.com/errata/RHSA-2020:2770

Comment 18 errata-xmlrpc 2020-07-01 10:07:39 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise MRG 2

Via RHSA-2020:2777 https://access.redhat.com/errata/RHSA-2020:2777

Comment 19 errata-xmlrpc 2020-07-07 09:51:34 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Extended Update Support

Via RHSA-2020:2851 https://access.redhat.com/errata/RHSA-2020:2851

Note You need to log in before you can comment on or make changes to this bug.