CVE-2019-12379 and CVE-2015-7566 #200
CVE-2015-7566: 3 upvotes
CVE-2019-12369: 1 upvote
I think you covered a lot of the aspects of CVE-2015-7566. The read (as well as the Bugzilla report) was intriguing and made me want to learn more.
When using a USB device that lacks a bulk-out endpoint (what sends data from the host to the device), | ||
a NULL pointer error occurs. This causes the system to crash which can lead to more errors and corruption. |
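Review bot: the description leaves out where the bug lives and what the incomplete check was; the Bugzilla text quoted later in this thread names the visor driver's clie_5_attach function, which expects a bulk-out endpoint and dereferences a NULL pointer when the device has none. Suggest naming the driver and function here, and dropping "which can lead to more errors and corruption", which the report does not support; the documented impact is a NULL-pointer dereference that crashes the system.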
I think more background would be nice in this. Where was it introduced? What kind of data is the host sending to the device that is causing this crash?
Found the how of the vulnerability under:
https://bugzilla.redhat.com/show_bug.cgi?id=1283371
Description:
The bug was found using the USB-fuzzing framework vUSBf from Sergej Schumilo
(github.com/schumilo) using the following device descriptor:
######### PAYLOAD 1 #########
[*] Device-Descriptor
bLength: 0x12
bDescriptorType: 0x1
bcdUSB: 0x200
bDeviceClass: 0x3
bDeviceSubClass: 0x0
bDeviceProtocol: 0x0
bMaxPacketSize: 0x40
idVendor: 0x54c
idProduct: 0x144
bcdDevice: 0x100
iManufacturer: 0x1
iProduct: 0x2
iSerialNumbers: 0x3
bNumConfigurations: 0x1
The clie_5_attach function of the visor driver, which is called during the driver initialization process, expects an OUT-Bulk-Endpoint.
Due to an incomplete sanity check, the visor driver tries to dereference null-pointers.
This results in a crash of the system.
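To make the "incomplete sanity check" concrete, here is a small userspace model of clie_5_attach's check before and after the fix. This is an added example, not the kernel's code or anything from the Bugzilla report; it assumes, as the linked fix commit suggests, that the old check only looked at the port count (always 2 for this device entry) while the fixed one counts bulk-out endpoints, and it reports the NULL dereference as MODEL_OOPS instead of faulting.

```c
#include <errno.h>
#include <stddef.h>
#define MODEL_OOPS 1000       /* stands in for the kernel NULL-pointer oops */
#define NUM_WRITE_URBS 2
struct urb { unsigned int pipe; };
/* write_urbs entries are NULL when the port has no bulk-out endpoint */
struct usb_serial_port { unsigned char bulk_out_endpointAddress; struct urb *write_urbs[NUM_WRITE_URBS]; };
struct usb_serial {
    int num_ports;        /* assumed: the Clie 5 entry registers 2 ports regardless of the descriptor */
    int num_bulk_out;     /* bulk-out endpoints actually present on the interface */
    struct usb_serial_port *port[2];
};
/* Shared tail of clie_5_attach(): port 0 transmits on port 1's bulk-out endpoint,
 * so every write URB of port 0 is repointed at that pipe. */
static int remap_port0_pipe(struct usb_serial *serial)
{
    struct usb_serial_port *port = serial->port[0];
    int j;
    port->bulk_out_endpointAddress = serial->port[1]->bulk_out_endpointAddress;
    for (j = 0; j < NUM_WRITE_URBS; ++j) {
        if (port->write_urbs[j] == NULL)
            return -MODEL_OOPS;   /* the real driver dereferences NULL here */
        port->write_urbs[j]->pipe = port->bulk_out_endpointAddress; /* usb_sndbulkpipe() stand-in */
    }
    return 0;
}
/* Before the fix (assumed): only the port count is checked, and it is always 2. */
int clie_5_attach_old(struct usb_serial *serial)
{
    return serial->num_ports < 2 ? -1 : remap_port0_pipe(serial);
}
/* After the fix: reject a device without the bulk-out endpoints the mapping needs. */
int clie_5_attach_fixed(struct usb_serial *serial)
{
    return serial->num_bulk_out < 2 ? -ENODEV : remap_port0_pipe(serial);
}
/* Constructed device model: write URBs are allocated only for ports with a bulk-out
 * endpoint, so bulk_out = 0 mimics the fuzzer's device, which had none. */
void model_device(struct usb_serial *s, struct usb_serial_port p[2], struct urb u[2][NUM_WRITE_URBS], int bulk_out)
{
    int i, j;
    s->num_ports = 2; s->num_bulk_out = bulk_out;
    for (i = 0; i < 2; ++i) {
        p[i].bulk_out_endpointAddress = (unsigned char)(0x01 + i);
        for (j = 0; j < NUM_WRITE_URBS; ++j)
            p[i].write_urbs[j] = (i < bulk_out) ? &u[i][j] : NULL;
        s->port[i] = &p[i];
    }
}
```

With bulk_out = 0 the old attach walks into a NULL write URB while the fixed one returns -ENODEV before touching the ports; with two bulk-out endpoints both succeed and port 0 ends up on port 1's pipe.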
cves/kernel/CVE-2015-7566.yml
answer: Ralf Spenneberg of OpenSource Security reported the issue. Does not specify how it was found. | ||
automated: False | ||
contest: False | ||
developer: False |
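Review bot: "Does not specify how it was found" conflicts with the Bugzilla description quoted in this thread, which says the bug was found with the vUSBf USB-fuzzing framework using a crafted device descriptor; that also argues for revisiting `automated: False`. Suggest: `answer: Ralf Spenneberg of OpenSource Security reported the issue, found with the vUSBf USB fuzzer.`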
Could it possibly be inferred that a developer would have found it? I took a look at his LinkedIn profile and he seems to be a cybersecurity analyst.
cves/kernel/CVE-2015-7566.yml
why you come to that conclusion. | ||
note: | ||
answer: | ||
note: You can brute force (or check physically) for this check if it was accounted for. |
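Review bot: `answer:` is left empty and the note's sentence is hard to parse ("brute force (or check physically) for this check if it was accounted for"); say which check is meant and whether the answer is True or False. The context line above ("why you come to that conclusion") shows the template expects a reason here, not a suggestion of how one might find out.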
The discussion of the bugzilla report says that a fuzzer was used to discover this vulnerability, so it is definitely accounted for
cves/kernel/CVE-2015-7566.yml
note: | ||
answer: True | ||
note: | | ||
An unprivileged user with physical access could trigger a kernel NULL-pointer dereference. |
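Review bot: the note states who can trigger the bug (an unprivileged user with physical access) but not why that makes the answer True for this field; the key being answered is outside the hunk's context, so put the rationale in the note rather than leaving the reader to infer it.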
Not sure if this is related to sandboxing as far as I'm aware
cves/kernel/CVE-2015-7566.yml
answer: | ||
note: | ||
answer: True | ||
note: Code was reviewed before it was committed. |
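Review bot: `note: Code was reviewed before it was committed.` asserts a review without evidence; cite what the claim rests on, for instance the fix commit linked in this thread and any review trailers it carries, or mark the answer as unknown.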
Are you able to provide a bit more detail into who contributed towards this fix?
cves/kernel/CVE-2015-7566.yml
free to give it a small name and add one in the same format as these. | ||
defense_in_depth: | ||
applies: | ||
applies: False |
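Review bot: `applies: False` under `defense_in_depth` carries no note. The Bugzilla description quoted in this thread attributes the crash to an incomplete sanity check in clie_5_attach, which reads as exactly a missing input check; either justify False in a note or reconsider the answer, and name the check that was missing.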
I think this definitely applies since, judging by the commit history, it seems like whoever wrote this code forgot to add some logic.
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=cb3232138e37129e88240a98a1d2aba2187ff57c
cves/kernel/CVE-2019-12379.yml
security | ||
description: | ||
description: | | ||
A possible memory leak in the Linux drivers. This issue can lead to a situation where the |
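Review bot: "A possible memory leak in the Linux drivers" does not say which driver or which allocation leaks, and the context line above it ends with a bare `security` fragment; name the driver and the leaked object so the description stands on its own. The visible line also stops mid-sentence ("where the"), so check that the continuation completes it.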
The transition in wording from this line to the description of the vulnerability could be better
cves/kernel/CVE-2019-12379.yml
note: | ||
answer: False | ||
note: | | ||
This is unrealted to permissions. |
unrelated
cves/kernel/CVE-2019-12379.yml
answer: | ||
note: | ||
answer: True | ||
note: Code was reviewed before it was comitted. |
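Review bot: besides the typo ("comitted"), `note: Code was reviewed before it was comitted.` gives no evidence that a review took place; cite the fix commit for this CVE and any review trailers it carries, or leave the answer open.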
committed
After the changes that jym2584 made, I think that your YAMLs have sufficient data.
Completed:
CVE-2019-12379
CVE-2015-7566