oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

CVE request -- [media] usbvision: usbvision_probe() can trigger a kernel NULL pointer dereference

From: Vladis Dronov <vdronov () redhat com>
Date: Fri, 13 Nov 2015 06:18:50 -0500 (EST)
Hello,
If possible, we would like to obtain a CVE-ID for the following security issue.

An out-of-bounds memory access flaw was found in USBVision USB Camera Driver in
usbvision_probe() function in drivers/media/usb/usbvision/usbvision-video.c.
The driver assumes that the interfaces numbers of the USB device are always in
0,1,2,3... order. By using a specially crafted USB device which advertises
out-of-order number on one of its interfaces an unprivileged user with a physical
access can trigger a kernel NULL pointer dereference causing the system to freeze.

Currently there is an effort to create an upstream patch for this driver fixing
this issue.

References:
http://seclists.org/bugtraq/2015/Oct/35
http://bugzilla.redhat.com/show_bug.cgi?id=1201858
http://bugzilla.redhat.com/show_bug.cgi?id=1270158

Vladis Dronov | Red Hat, Inc.
| Product Security Engineer |
Previous By Date Next
Previous By Thread Next

Current thread: