First published: Sun Feb 28 2016
A local kernel crash on an invalid USB device requiring the visor driver was reported. The treo_attach() function of the visor driver, which is called during the driver initialization process, was dereferencing the bulk-in and interrupt-in urbs without first making sure they had been allocated by the core. Due to an incomplete sanity check, the visor driver tries to dereference null pointers, which results in a crash.

Vulnerable code, from CentOS-Kernel linux-3.10.0-229.14.1.el7 (drivers/usb/serial/visor.c):

```c
/* ... */
#define COPY_PORT(dest, src)						\
	do {								\
		int i;							\
									\
		for (i = 0; i < ARRAY_SIZE(src->read_urbs); ++i) {	\
			dest->read_urbs[i] = src->read_urbs[i];		\
			/* Possible NULL pointer dereference */		\
			dest->read_urbs[i]->context = dest;		\
			dest->bulk_in_buffers[i] = src->bulk_in_buffers[i]; \
		}							\
		dest->read_urb = src->read_urb;				\
		dest->bulk_in_endpointAddress = src->bulk_in_endpointAddress;\
		dest->bulk_in_buffer = src->bulk_in_buffer;		\
		dest->bulk_in_size = src->bulk_in_size;			\
		dest->interrupt_in_urb = src->interrupt_in_urb;		\
		dest->interrupt_in_urb->context = dest;			\
		dest->interrupt_in_endpointAddress =			\
					src->interrupt_in_endpointAddress;\
		dest->interrupt_in_buffer = src->interrupt_in_buffer;	\
	} while (0);

	swap_port = kmalloc(sizeof(*swap_port), GFP_KERNEL);
	if (!swap_port)
		return -ENOMEM;
	COPY_PORT(swap_port, serial->port[0]);		/* no sanity check! */
	COPY_PORT(serial->port[0], serial->port[1]);	/* no sanity check! */
	COPY_PORT(serial->port[1], swap_port);		/* no sanity check! */
/* ... */
```
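A user-space model of the check the description says was missing, given here as an added example (it is not the kernel's code and not the upstream patch). The names `struct port`, `port_has_in_urbs`, `swap_ports_checked` and `demo_swap` are hypothetical, and the structures are simplified stand-ins for the kernel's.

```c
/* User-space model of the treo_attach() port swap; hypothetical names, not kernel code. */
#include <errno.h>
#include <stddef.h>
#define NUM_READ_URBS 2 /* assumed size, stands in for ARRAY_SIZE(src->read_urbs) */

struct urb { void *context; };
struct port { /* simplified stand-in for struct usb_serial_port */
    struct urb *read_urbs[NUM_READ_URBS];
    struct urb *interrupt_in_urb;
};

/* Nonzero only if every URB that the swap dereferences was allocated. */
static int port_has_in_urbs(const struct port *p)
{
    for (size_t i = 0; i < NUM_READ_URBS; ++i)
        if (!p->read_urbs[i])
            return 0;
    return p->interrupt_in_urb != NULL;
}

/* Same pointer moves as COPY_PORT: copy the URBs, then re-point their context. */
static void copy_port(struct port *dest, const struct port *src)
{
    for (size_t i = 0; i < NUM_READ_URBS; ++i) {
        dest->read_urbs[i] = src->read_urbs[i];
        dest->read_urbs[i]->context = dest;
    }
    dest->interrupt_in_urb = src->interrupt_in_urb;
    dest->interrupt_in_urb->context = dest;
}

/* Hardened swap: reject the device before any URB pointer is dereferenced. */
int swap_ports_checked(struct port *p0, struct port *p1)
{
    struct port tmp;
    if (!port_has_in_urbs(p0) || !port_has_in_urbs(p1))
        return -ENODEV;
    copy_port(&tmp, p0);
    copy_port(p0, p1);
    copy_port(p1, &tmp);
    return 0;
}

/* Constructed input; returns the swap's error, or 1 if the contexts were re-pointed. */
int demo_swap(int with_interrupt_urb)
{
    struct urb u[6] = {{0}};
    struct port a = { { &u[0], &u[1] }, &u[2] };
    struct port b = { { &u[3], &u[4] }, with_interrupt_urb ? &u[5] : NULL };
    int err = swap_ports_checked(&a, &b);
    return err ? err : (u[3].context == &a && u[2].context == &b);
}
```

Without the `port_has_in_urbs()` guard, the `demo_swap(0)` case reaches `dest->interrupt_in_urb->context` with a NULL pointer, which is the dereference the macro above performs unchecked.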
Reproducer can be found in the original bug report: https://bugzilla.redhat.com/show_bug.cgi?id=1283374

An upstream patch: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=cb3232138e37129e88240a98a1d2aba2187ff57c

Public via: http://seclists.org/bugtraq/2016/Mar/86

CVE-ID request and assignment: http://seclists.org/oss-sec/2016/q1/456 and http://seclists.org/oss-sec/2016/q1/458
Credit: secalert@redhat.com
Affected Software | Affected Version | How to fix |
---|---|---|
Linux Linux kernel | <4.5.0 | |
Linux Linux kernel | =4.5.0-rc1 | |
SUSE Linux Enterprise Debuginfo | =11-sp2 | |
SUSE Linux Enterprise Debuginfo | =11-sp4 | |
SUSE Linux Enterprise Module For Public Cloud | =12 | |
SUSE Linux Enterprise Desktop | =12 | |
SUSE Linux Enterprise Desktop | =12-sp1 | |
SUSE Linux Enterprise Real Time Extension | =11-sp4 | |
SUSE Linux Enterprise Real Time Extension | =12-sp1 | |
SUSE Linux Enterprise Server | =11-sp2 | |
SUSE Linux Enterprise Server | =11-sp4 | |
SUSE Linux Enterprise Server | =12 | |
SUSE Linux Enterprise Server | =12-sp1 | |
SUSE Linux Enterprise Software Development Kit | =11-sp4 | |
SUSE Linux Enterprise Software Development Kit | =12 | |
SUSE Linux Enterprise Software Development Kit | =12-sp1 | |
SUSE Linux Enterprise Workstation Extension | =12 | |
SUSE Linux Enterprise Workstation Extension | =12-sp1 | |
debian/linux | 5.10.223-1 5.10.226-1 6.1.106-3 6.1.112-1 6.11.4-1 6.11.5-1 |
CVE-2016-2782 is a vulnerability in the Linux kernel before version 4.5 that allows physically proximate attackers to cause a denial of service or possibly have unspecified other impact by inserting a USB device without a bulk-in or interrupt endpoint.
CVE-2016-2782 has a severity level of low.
To fix CVE-2016-2782, update your Linux kernel to version 4.5 or later.
Yes, there is an exploit available for CVE-2016-2782. You can find it at the following link: https://www.exploit-db.com/exploits/39539/
You can find more information about CVE-2016-2782 at the following links: http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00019.html, http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00052.html