Bug 978445

Summary: VUL-1: CVE-2016-4482: kernel: usbfs leaking three bytes per syscall to user space
Product: [Novell Products] SUSE Security Incidents
Reporter: Oliver Neukum <oneukum>
Component: Incidents
Assignee: Oliver Neukum <oneukum>
Status: RESOLVED DUPLICATE
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P5 - None
CC: meissner, security-team
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
Whiteboard: CVSSv2:SUSE:CVE-2016-4482:1.9:(AV:L/AC:M/Au:N/C:P/I:N/A:N)
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Oliver Neukum 2016-05-04 11:05:43 UTC
This is from upstream. It is only three bytes per call, but the call can be endlessly repeated. The leaked bytes come from the stack. All our trees are affected.

commit 681fef8380eb818c0b845fca5d2ab1dcbab114ee
Author: Kangjie Lu <kangjielu@gmail.com>
Date:   Tue May 3 16:32:16 2016 -0400

    USB: usbfs: fix potential infoleak in devio

Comment 1 Marcus Meissner 2016-05-04 12:32:47 UTC
CVE was already requested.

Comment 2 Marcus Meissner 2016-05-04 13:22:26 UTC
I think this is the issue:

> In the USB module (drivers/usb/core/devio.c), the stack object "ci" has a
> total size of 8 bytes. Its last 3 bytes are padding bytes which are not
> initialized and leaked to userland
> 
> http://www.spinics.net/lists/linux-usb/msg140243.html
> 
> https://git.kernel.org/cgit/linux/kernel/git/next/linux-next.git/log/drivers/usb/core/devio.c
> (not yet there; probably soon)

Use CVE-2016-4482.


(already dup)

*** This bug has been marked as a duplicate of bug 978401 ***
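
The padding leak described in Comment 2, as an added example that is not part of the original bug report or of the kernel source: a user-space model that fills an 8-byte object field by field over stale memory, copies the whole object out, and counts the stale bytes that escape through the padding, next to the same sequence with the object zeroed first. `struct conninfo`, `STALE` and `stale_bytes_copied` are constructed names, the layout assumes an ABI with a 4-byte `unsigned int`, and zeroing first is shown as a common remedy, not quoted from the referenced commit.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the 8-byte "ci" object: 4-byte int, 1-byte char,
 * then 3 bytes of compiler padding on common ABIs (assumed layout). */
struct conninfo {
    unsigned int  devnum;
    unsigned char slow;
};

#define STALE   0xAA  /* marker for leftover stack contents (constructed) */
#define PAD_OFF (offsetof(struct conninfo, slow) + sizeof(unsigned char))
#define PAD_LEN (sizeof(struct conninfo) - PAD_OFF)

/* Fill the reply in memory that still holds stale bytes, copy the whole
 * object out the way copy_to_user(..., sizeof(ci)) would, and count how many
 * stale bytes reach the "user" buffer through the padding. */
static size_t stale_bytes_copied(int zero_first, unsigned int devnum,
                                 unsigned char slow)
{
    union {
        struct conninfo ci;
        unsigned char raw[sizeof(struct conninfo)];
    } frame;
    unsigned char user[sizeof(struct conninfo)];
    size_t i, leaked = 0;

    memset(frame.raw, STALE, sizeof frame.raw); /* earlier stack contents */
    if (zero_first)
        memset(&frame.ci, 0, sizeof frame.ci);  /* hardened: clears padding */
    frame.ci.devnum = devnum;                   /* only named fields are set */
    frame.ci.slow = slow;

    memcpy(user, frame.raw, sizeof user);       /* models the copy to userland */
    for (i = PAD_OFF; i < sizeof user; i++)
        leaked += (user[i] == STALE);
    return leaked;
}

int main(void)
{
    printf("sizeof=%zu padding=%zu\n", sizeof(struct conninfo), (size_t)PAD_LEN);
    printf("fields only : %zu stale bytes copied\n", stale_bytes_copied(0, 5, 1));
    printf("memset first: %zu stale bytes copied\n", stale_bytes_copied(1, 5, 1));
    return 0;
}
```

Comparing `sizeof` of a reply structure with the sum of its member sizes is a quick review check for this class of leak whenever a whole stack object is copied across a trust boundary.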

Comment 3 Swamp Workflow Management 2016-08-24 13:17:52 UTC
openSUSE-SU-2016:2144-1: An update that solves 53 vulnerabilities and has 28 fixes is now available.

Category: security (important)
Bug References: 901754,941113,942702,945219,955654,957052,957988,959709,960561,961512,963762,963765,966245,966437,966693,966849,967972,967973,967974,967975,968010,968011,968012,968013,968018,968670,969354,969355,970114,970275,970892,970909,970911,970948,970955,970956,970958,970970,971124,971125,971126,971360,971628,971799,971919,971944,972174,973378,973570,974308,974418,974646,975945,978401,978445,978469,978821,978822,979021,979213,979548,979867,979879,979913,980348,980363,980371,980725,981267,982706,983143,983213,984464,984755,984764,986362,986365,986377,986572,986573,986811
CVE References: CVE-2012-6701,CVE-2013-7446,CVE-2014-9904,CVE-2015-3288,CVE-2015-6526,CVE-2015-7566,CVE-2015-8709,CVE-2015-8785,CVE-2015-8812,CVE-2015-8816,CVE-2015-8830,CVE-2016-0758,CVE-2016-1583,CVE-2016-2053,CVE-2016-2184,CVE-2016-2185,CVE-2016-2186,CVE-2016-2187,CVE-2016-2188,CVE-2016-2384,CVE-2016-2543,CVE-2016-2544,CVE-2016-2545,CVE-2016-2546,CVE-2016-2547,CVE-2016-2548,CVE-2016-2549,CVE-2016-2782,CVE-2016-2847,CVE-2016-3134,CVE-2016-3136,CVE-2016-3137,CVE-2016-3138,CVE-2016-3139,CVE-2016-3140,CVE-2016-3156,CVE-2016-3672,CVE-2016-3689,CVE-2016-3951,CVE-2016-4470,CVE-2016-4482,CVE-2016-4485,CVE-2016-4486,CVE-2016-4565,CVE-2016-4569,CVE-2016-4578,CVE-2016-4580,CVE-2016-4581,CVE-2016-4805,CVE-2016-4913,CVE-2016-4997,CVE-2016-5244,CVE-2016-5829
Sources used:
openSUSE 13.2 (src):    bbswitch-0.8-3.20.3, cloop-2.639-14.20.3, crash-7.0.8-20.3, hdjmod-1.28-18.21.3, ipset-6.23-20.3, kernel-debug-3.16.7-42.1, kernel-default-3.16.7-42.1, kernel-desktop-3.16.7-42.1, kernel-docs-3.16.7-42.2, kernel-ec2-3.16.7-42.1, kernel-obs-build-3.16.7-42.2, kernel-obs-qa-3.16.7-42.1, kernel-obs-qa-xen-3.16.7-42.1, kernel-pae-3.16.7-42.1, kernel-source-3.16.7-42.1, kernel-syms-3.16.7-42.1, kernel-vanilla-3.16.7-42.1, kernel-xen-3.16.7-42.1, pcfclock-0.44-260.20.2, vhba-kmp-20140629-2.20.2, virtualbox-5.0.20-48.5, xen-4.4.4_02-46.2, xtables-addons-2.6-22.3