Bug 1147116 (CVE-2019-15504)

Summary: VUL-1: CVE-2019-15504: kernel-source: double Free via crafted USB device traffic in rivers/net/wireless/rsi/rsi_91x_usb.c
Product: [openSUSE] openSUSE Tumbleweed Reporter: Alexandros Toptsoglou <atoptsoglou>
Component: SecurityAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Minor    
Priority: P4 - Low CC: bpetkov, bpoirier, meissner, mkubecek, oneukum, tiwai
Version: Current   
Target Milestone: Current   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/241022/
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Bug Depends on:    
Bug Blocks: 1185852    

Description Alexandros Toptsoglou 2019-08-23 13:14:53 UTC

drivers/net/wireless/rsi/rsi_91x_usb.c in the Linux kernel through 5.2.9 has a
Double Free via crafted USB device traffic (which may be remote via usbip or

Comment 1 Alexandros Toptsoglou 2019-08-23 13:16:15 UTC
The vulnerable code can be find only in TW
Comment 2 Takashi Iwai 2019-08-26 08:44:47 UTC
Will wait for the upstream acceptance.
Comment 3 Benjamin Poirier 2019-08-26 08:49:16 UTC
Oh, actually I've already submitted the pending patch. I reviewed the change
and it seems correct to me.

Introduced in
a1854fae1414 rsi: improve RX packet handling in USB interface (v4.17-rc1)

Fix submitted

master : 5.3.0-rc6
	pushed to 8ae43d11b8f
stable : 5.2.10
	pushed to 50095550675
Comment 4 Takashi Iwai 2019-08-26 08:51:33 UTC
OK, thanks, then reassigned back to security team.
Comment 5 Benjamin Poirier 2019-09-26 02:12:07 UTC
FYI, merged upstream as
8b51dc729147 rsi: fix a double free bug in rsi_91x_deinit() (v5.3)
Comment 6 Alexandros Toptsoglou 2020-05-12 11:29:15 UTC