RE: CVE Request/Guidance: Linux kernel cdc-wdm buffer overflow triggered by device

["Christey, Steven M." <coley () mitre org>]

While perhaps a questionable action in many environments, attaching a USB device is a common use case.  The person 
attaching the device has a reasonable expectation that code will NOT be executed, and files will NOT be written outside 
the device, etc. without their explicit permission or configuration.  There is also a reasonable expectation that the 
operation of the device will not perform actions against the OS without implicit user permission.

So, scenario 1 would clearly require a CVE.

For other scenarios, it should be considered whether the user/victim uses a "common" operation that is not obviously 
dangerous.  In scenario 3, clicking on a file in a USB device is a common and reasonable operation, and unless that 
file is an executable or otherwise automatically implies code execution, then it is likely CVE-worthy if code 
execution, DoS, or some other operation can be performed that is not within the intended operation of the device.

I'm not sure I understand scenario 2 well enough to give direct advice, but even if the user installing the USB is 
targeted instead of the kernel, then it may qualify for a CVE.

- Steve


> -----Original Message-----
> From: Eugene Teo [mailto:eugeneteo () kernel sg]
> Sent: Thursday, March 14, 2013 9:51 AM
> To: oss-security () lists openwall com
> Subject: Re: [oss-security] CVE Request/Guidance: Linux kernel cdc-wdm
> buffer overflow triggered by device
>
> Hi Marcus,
>
> On Thursday, 14 March 2013, Marcus Meissner wrote:
>
> > Hi,
> >
> > I am wondering ... do we consider attacks with special attack taylored USB
> > devices as CVE worthy?
> >
> > There is only some precedence in the CVE DB, but not much.
> >
> > I stumbled over this fix from one of my colleagues where a specifically
> > made USB device reporting the "cdc-wdm" USB class could cause a kernel
> > heap overflow.
> >
> > "Malicious attached devices" might fall into several categories:
> >
> > 1. Attaching the device causes the issue directly within the kernel /
> > autoloaded
> >    module, without user interaction. (here the case)
> >
> >
> > 2. Attaching the device causes the issue when userspace, dependend on
> >    e.g. desktop system, does initiate a seperate action (like an automount
> >    and then exploitation of something) (so not direct a kernel, but a
> >    kernel + GNOME/KDE interaction).
> >
> >
> > 3. User needs to do something with the attached device (like click on
> >    a file on a USB disk)
> >
> >
> > I would consider (1) and (2) CVE worthy at least, not so sure with (3).
>
>
> I agree with (1) and (2). I have seen (3) with CVE names too. If a local,
> unprivileged user can cause an issue by accessing a file or listing a set
> of files in a directory due to a flaw in the underlying file system, I
> think it should have a CVE name assigned.
>
> Thanks, Eugene
>
>
> > Ciao, Marcus
> >
> > commit c0f5ecee4e741667b2493c742b60b6218d40b3aa
> > Author: Oliver Neukum <oneukum () suse de <javascript:;>>
> > Date:   Tue Mar 12 14:52:42 2013 +0100
> >
> >     USB: cdc-wdm: fix buffer overflow
> >
> >     The buffer for responses must not overflow.
> >     If this would happen, set a flag, drop the data and return
> >     an error after user space has read all remaining data.
> >
> >     Signed-off-by: Oliver Neukum <oliver () neukum org <javascript:;>>
> >     CC: stable () kernel org <javascript:;>
> >     Signed-off-by: Greg Kroah-Hartman
> <gregkh () linuxfoundation org<javascript:;>
> > >