Home page logo
/

bugtraq logo Bugtraq mailing list archives

NGS00042 Technical Advisory: Solaris 11 USB hub class descriptor kernel stack overflow (CVE-2011-2295)
From: "Research () NGSSecure" <research () ngssecure com>
Date: Wed, 2 Nov 2011 13:36:40 +0000

=======
Summary
=======
Name: Solaris 11 USB hub class descriptor kernel stack overflow
Release Date:  2 November 2011
Reference: NGS00042
Discoverer: Andy Davis <andy.davis () ngssecure com>
Vendor: Oracle
Vendor Reference: 
Systems Affected: Solaris 8, 9, 10, and 11 Express
Risk: High
Status: Published

========
TimeLine
========
Discovered: 27 January 2011
Released: 27 January 2011
Approved: 27 January 2011
Reported: 27 January 2011
Fixed: 19 July 2011
Published:  2 November 2011

===========
Description
===========
A local attacker can send a malformed USB hub class descriptor via a malicious USB device and trigger a kernel stack 
overflow

=================
Technical Details
=================
If the wMaxPacketSize field within a USB hub class Endpoint descriptor is set to a value >= 0x1125, it causes a kernel 
stack overflow

Jan 27 13:36:59 solaris ^Mpanic[cpu1]/thread=d742ada0: 
Jan 27 13:36:59 solaris genunix: [ID 549817 kern.notice] segkp_fault: accessing redzone
Jan 27 13:36:59 solaris unix: [ID 100000 kern.notice] Jan 27 13:36:59 solaris genunix: [ID 353471 kern.notice] d742a540
genunix:segkp_fault+238 (d1061f68, fec24c20,) Jan 27 13:36:59 solaris genunix: [ID 353471 kern.notice] d742a590 
unix:segkmem_fault+8e (d1061f68, 
fec24c60,) Jan 27 13:36:59 solaris genunix: [ID 353471 kern.notice] d742a630
genunix:as_fault+4c1 (d1061f68, fec23da0,) Jan 27 13:36:59 solaris genunix: [ID 353471 kern.notice] d742a690 
unix:pagefault+1ac (d23bd000, 0, 1, 1) Jan 
27 13:36:59 solaris genunix: [ID 353471 kern.notice] d742a740 unix:trap+136f (d742a754, d23bd000,) Jan 27 13:36:59 
solaris genunix: [ID 353471 
kern.notice] d742a754 unix:_cmntrap+7c (fea501b0, d1010000,) Jan 27 13:36:59 solaris genunix: [ID 353471 kern.notice] 
d742a7c8
ehci:ehci_calculate_bw_availability_mask+48 (d2089000, 2892, 0, ) Jan 27 13:36:59 solaris genunix: [ID 353471 
kern.notice] d742a838
ehci:ehci_find_bestfit_hs_mask+c8 (d2089000, d742a8fa,) Jan 27 13:36:59 solaris genunix: [ID 353471 kern.notice] 
d742a888
ehci:ehci_allocate_high_speed_bandwidth+126 (d2089000, d6c84be0,) Jan 27 13:36:59 solaris genunix: [ID 353471 
kern.notice] d742a8b8
ehci:ehci_allocate_bandwidth+21 (d2089000, d6c84be0,) Jan 27 13:36:59 solaris genunix: [ID 353471 kern.notice] d742a918 
ehci:ehci_hcdi_pipe_open+dd 
(d6c84be0, 0, d742a9) Jan 27 13:36:59 solaris genunix: [ID 353471 kern.notice] d742a968
usba:usb_pipe_open+260 (d1d01cf0, d851ec70,) Jan 27 13:36:59 solaris genunix: [ID 353471 kern.notice] d742a998
usba:hubd_open_intr_pipe+37 (d851ec40, 0, d742a9) Jan 27 13:36:59 solaris genunix: [ID 353471 kern.notice] d742a9c8
usba:hubd_check_ports+f0 (d851ec40, d1d01cf0,) Jan 27 13:36:59 solaris genunix: [ID 353471 kern.notice] d742aa38 
usba:usba_hubdi_attach+43a (d1d01cf0, 
0, 0, 0) Jan 27 13:36:59 solaris genunix: [ID 353471 kern.notice] d742aa68
genunix:devi_attach+a5 (d1d01cf0)
Jan 27 13:36:59 solaris genunix: [ID 353471 kern.notice] d742aa88 genunix:attach_node+9a (d1d01cf0, 1, d2076c) Jan 27 
13:36:59 solaris genunix: [ID 
353471 kern.notice] d742aab8
genunix:i_ndi_config_node+c1 (d1d01cf0, 6, 0, d1d) Jan 27 13:36:59 solaris genunix: [ID 353471 kern.notice] d742aad8 
genunix:i_ddi_attachchild+3d 
(d1d01cf0, 0, d742aa) Jan 27 13:36:59 solaris genunix: [ID 353471 kern.notice] d742aaf8 genunix:devi_attach_node+bb 
(d1d01cf0, 1020008, ) Jan 27 
13:36:59 solaris genunix: [ID 353471 kern.notice] d742ab38
genunix:config_immediate_children+e6 (d17f3340, 1020008, ) Jan 27 13:36:59 solaris genunix: [ID 353471 kern.notice] 
d742ab78
genunix:ndi_busop_bus_config+74 (d17f3340, 1020008, ) Jan 27 13:36:59 solaris genunix: [ID 353471 kern.notice] d742ac18 
usba:hubd_bus_config+dc 
(d17f3340, 1020008, ) Jan 27 13:36:59 solaris genunix: [ID 353471 kern.notice] d742ac48
genunix:devi_config_common+74 (d17f3340, 1020008, ) Jan 27 13:36:59 solaris genunix: [ID 353471 kern.notice] d742ac68
genunix:ndi_devi_config+13 (d17f3340, 1020008) Jan 27 13:36:59 solaris genunix: [ID 353471 kern.notice] d742aca8 
genunix:ndi_devi_online+fc (d17f3340, 
0, 0, f8a) Jan 27 13:36:59 solaris genunix: [ID 353471 kern.notice] d742ad18 usba:hubd_hotplug_thread+52b (e0553c50, 
d1db8b9c,) Jan 27 13:36:59 solaris 
genunix: [ID 353471 kern.notice] d742ad88
genunix:taskq_d_thread+a3 (d3b94410, 0)
Jan 27 13:36:59 solaris genunix: [ID 353471 kern.notice] d742ad98
unix:thread_start+8 ()

===============
Fix Information
===============
This issue is addressed in the Oracle Critical Patch Update Advisory - July 2011, which is available at the following 
URL:
http://www.oracle.com/technetwork/topics/security/cpujuly2011-313328.html

NGS Secure Research
http://www.ngssecure.com


  By Date           By Thread  

Current thread:
  • NGS00042 Technical Advisory: Solaris 11 USB hub class descriptor kernel stack overflow (CVE-2011-2295) Research () NGSSecure (Nov 02)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]