Linux Kernel Buffer Overflow in Whiteheat USB Serial Driver

[GoogleCodeExporter]

A bug exists in drivers/usb/serial/whiteheat.c that can result in a kernel 
memory corruption. The WHITEHEAT_GET_DTR_RTS command response is not verified 
correctly in the function command_port_read_callback. It assumes that the bulk 
response cannot be larger than 64 bytes, however on EHCI and XHCI this isn't 
necessarily the case. 

We consider this a security bug in the context of an attacker who gains 
short-term physical access to a running device with the goal of turning this 
into long-term remote access. 

I've attached a non-tested patch that attempts to address the issue by not 
handling responses greater than the buffer size.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

Original issue reported on code.google.com by fors...@google.com on 22 Aug 2014 at 6:32

Attachments:

• whiteheat.c.patch

[GoogleCodeExporter]

The patch has been fixed up and committed 
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/drivers/us
b/serial/whiteheat.c?id=6817ae225cd650fb1c3295d769298c38b1eba818

Thanks for the fast response from security@kernel.org and Greg Kroah-Hartman.

Original comment by fors...@google.com on 29 Aug 2014 at 8:55

• Changed state: Fixed
• Added labels: ****
• Removed labels: Restrict-View-Commit

[GoogleCodeExporter]

Original comment by haw...@google.com on 11 Sep 2014 at 7:56

• Added labels: CVE-2014-3185
• Removed labels: ****