Bug 1743556 (CVE-2019-15212) - CVE-2019-15212 kernel: double-free caused by malicious USB device in drivers/usb/misc/rio500.c
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2019-15212
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1743557
Blocks: 1743559
Reported: 2019-08-20 08:27 UTC by Dhananjay Arunesh
Modified: 2021-02-16 21:29 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A use-after-free flaw was found in the RIO500 driver in the Linux kernel. The implementation of the driver did not consider that multiple RIO500 devices could be attached to the same system simultaneously. When a second device connects, the system overwrites the data structures in use by the first, allowing a local attacker to possibly create a use-after-free situation, which can lead to memory corruption, system panic, or privilege escalation. The highest threat from this vulnerability is to system availability, although data integrity is also at risk.
Clone Of:
Environment:
Last Closed: 2020-03-13 10:31:47 UTC
Embargoed:



Description Dhananjay Arunesh 2019-08-20 08:27:02 UTC
A vulnerability was found in the Linux kernel's driver for the RIO 500. The driver itself was not designed to allow for multiple RIO500 devices to be plugged into the system.

The Rio 500 was an early generation portable MP3 digital audio player produced by Diamond Multimedia which used a USB connection to connect to the computer. According to upstream this driver is rarely used due to both the rarity of the hardware and that the userspace software migrated to libusb as a transport mechanism.


Reference:
https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.1.8
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=3864d33943b4a76c6e64616280e98d2410b1190f
https://syzkaller.appspot.com/bug?id=64aa96c96f594a77eb8d945df21ec76dd35573b3

Comment 1 Dhananjay Arunesh 2019-08-20 08:27:41 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1743557]

Comment 2 Justin M. Forbes 2019-08-20 12:45:24 UTC
This was fixed for Fedora with the 5.1.18 stable kernel updates.

Comment 4 Product Security DevOps Team 2020-03-13 04:31:48 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-15212

Comment 9 Product Security DevOps Team 2020-03-13 10:31:47 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-15212

Comment 10 Eric Christensen 2020-03-17 16:29:59 UTC
Mitigation:

As the rio500 module will be auto-loaded when required, its use can be disabled by preventing the module from loading with the following instructions:

# echo "blacklist rio500" >> /etc/modprobe.d/rio-500.conf
# echo "install rio500 /bin/false" >> /etc/modprobe.d/rio-500.conf

The system will need to be restarted if the RIO500 modules are loaded. In most circumstances, the kernel modules will be unable to be unloaded while any devices or programs are using the USB device.

If the system requires this module to work correctly, this mitigation may not be suitable.

If you need further assistance, see KCS article https://access.redhat.com/solutions/41278 or contact Red Hat Global Support Services.
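
Added example (not part of the original bug report or of Red Hat's tooling): a shell function that audits whether the mitigation from comment 10 is actually in effect, checking both directives and whether rio500 is still loaded. The function names, the return-code convention and the overridable paths are assumptions made for this example.

```shell
#!/bin/sh
# Audit the rio500 mitigation described in comment 10.
# check_rio500 [CONF_DIR] [MODULE_LIST]
#   CONF_DIR     defaults to /etc/modprobe.d
#   MODULE_LIST  defaults to /proc/modules
# Return codes (this example's own convention):
#   0 = both directives present and module not loaded
#   1 = one or both directives missing
#   2 = directives present but rio500 is still loaded (restart needed)

has_directive() {
    # $1 = config directory, $2 = extended regex for the directive.
    # Only *.conf files are read, matching what modprobe itself reads.
    # Anchoring at line start (after optional blanks) skips commented lines.
    for f in "$1"/*.conf; do
        [ -f "$f" ] || continue
        grep -Eq "^[[:space:]]*$2" "$f" && return 0
    done
    return 1
}

check_rio500() {
    conf_dir=${1:-/etc/modprobe.d}
    module_list=${2:-/proc/modules}
    missing=0

    # "blacklist" only stops alias-based auto-loading on device plug-in.
    if ! has_directive "$conf_dir" 'blacklist[[:space:]]+rio500([[:space:]]|$)'; then
        echo "missing: blacklist rio500"
        missing=1
    fi
    # "install ... /bin/false" also makes an explicit "modprobe rio500" fail.
    if ! has_directive "$conf_dir" 'install[[:space:]]+rio500[[:space:]]+/bin/false([[:space:]]|$)'; then
        echo "missing: install rio500 /bin/false"
        missing=1
    fi
    [ "$missing" -eq 0 ] || return 1

    # The config does not unload a module that is already resident.
    if grep -q '^rio500 ' "$module_list" 2>/dev/null; then
        echo "rio500 is still loaded; restart required"
        return 2
    fi
    echo "rio500 mitigation in effect"
    return 0
}
```

Source the file and run `check_rio500` with no arguments to audit the live system; pass a directory and a module list file to audit an image or a test fixture.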

