A vulnerability was found in the USB monitor driver in the kernel, where there is a possible OOB write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Upstream commit: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/drivers/usb/mon/mon_text.c?id=a5f596830e27e15f7a0ecd6be55e433d776986d8

References: https://source.android.com/security/bulletin/pixel/2019-09-01
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1819158]
This was fixed for Fedora with the 4.15.11 stable kernel updates.
It is by physical access attack only (with USB) and Moderate, so ooss for rhel6
Mitigation: Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Statement: This issue is rated as having Low impact because of the need of physical access and debugfs mounted.