Bug 1147116 - (CVE-2019-15504) VUL-1: CVE-2019-15504: kernel-source: double Free via crafted USB device traffic in rivers/net/wireless/rsi/rsi_91x_usb.c
(CVE-2019-15504)
VUL-1: CVE-2019-15504: kernel-source: double Free via crafted USB device traf...
Status: RESOLVED FIXED
Classification: openSUSE
Product: openSUSE Tumbleweed
Classification: openSUSE
Component: Security
Current
Other Other
: P4 - Low : Minor (vote)
: Current
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/241022/
:
Depends on:
Blocks: 1185852
  Show dependency treegraph
 
Reported: 2019-08-23 13:14 UTC by Alexandros Toptsoglou
Modified: 2022-07-21 17:32 UTC (History)
6 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Alexandros Toptsoglou 2019-08-23 13:14:53 UTC
CVE-2019-15504

drivers/net/wireless/rsi/rsi_91x_usb.c in the Linux kernel through 5.2.9 has a
Double Free via crafted USB device traffic (which may be remote via usbip or
usbredir).

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-15504
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15504
https://lore.kernel.org/lkml/20190819220230.10597-1-benquike@gmail.com/
Comment 1 Alexandros Toptsoglou 2019-08-23 13:16:15 UTC
The vulnerable code can be find only in TW
Comment 2 Takashi Iwai 2019-08-26 08:44:47 UTC
Will wait for the upstream acceptance.
Comment 3 Benjamin Poirier 2019-08-26 08:49:16 UTC
Oh, actually I've already submitted the pending patch. I reviewed the change
and it seems correct to me.

Introduced in
a1854fae1414 rsi: improve RX packet handling in USB interface (v4.17-rc1)

Fix submitted
http://patchwork.ozlabs.org/patch/1149623/

master : 5.3.0-rc6
	pushed to 8ae43d11b8f
stable : 5.2.10
	pushed to 50095550675
Comment 4 Takashi Iwai 2019-08-26 08:51:33 UTC
OK, thanks, then reassigned back to security team.
Comment 5 Benjamin Poirier 2019-09-26 02:12:07 UTC
FYI, merged upstream as
8b51dc729147 rsi: fix a double free bug in rsi_91x_deinit() (v5.3)
Comment 6 Alexandros Toptsoglou 2020-05-12 11:29:15 UTC
Done