found_bugs_usb.md

Found Linux kernel USB bugs

USB drivers

• usb/core: memory corruption due to an out-of-bounds access in usb_destroy_configuration [fix] [CVE-2017-17558]
• usb/net/zd1211rw: possible deadlock in zd_chip_disable_rxtx
• usb/sound: use-after-free in __uac_clock_find_source [fix]
• usb/sound: slab-out-of-bounds in parse_audio_unit [fix]
• usb/media/em28xx: use-after-free in dvb_unregister_frontend [fix]
• usb/media/technisat: slab-out-of-bounds in technisat_usb2_rc_query
• usb/media/tm6000: use-after-free in tm6000_read_write_usb
• usb/net/qmi_wwan: divide error in qmi_wwan_probe/usbnet_probe [fix1, fix2] [CVE-2017-16649, CVE-2017-16650]
• usb/media/uvc: slab-out-of-bounds in uvc_probe
• usb/media/em28xx: use-after-free in em28xx_dvb_fini
• usb/media/em28xx: use-after-free in v4l2_fh_init
• usb/media/pvrusb2: WARNING in pvr2_i2c_core_done/sysfs_remove_group
• usb/sound/usx2y: WARNING in usb_stream_start [fix]
• usb/net/hfa384x: WARNING in submit_rx_urb/usb_submit_urb
• usb/media/dw2102: null-ptr-deref in dvb_usb_adapter_frontend_init/tt_s2_4600_frontend_attach
• usb/net/asix: kernel hang in asix_phy_reset
• usb/media/dtt200u: use-after-free in __dvb_frontend_free [fix] [CVE-2017-16648]
• usb/media/mxl111sf: trying to register non-static key in mxl111sf_ctrl_msg
• usb/media/au0828: use-after-free in au0828_rc_unregister
• usb/input/gtco: slab-out-of-bounds in parse_hid_report_descriptor [fix] [CVE-2017-16643]
• usb/core: slab-out-of-bounds in usb_get_bos_descriptor [fix] [CVE-2017-16535]
• usb/net/asix: null-ptr-deref in asix_suspend [fix] [CVE-2017-16647]
• usb/net/rt2x00: warning in rt2800_eeprom_word_index
• usb/irda: global-out-of-bounds in irda_qos_bits_to_value
• usb/media/imon: global-out-of-bounds in imon_probe/imon_init_intf0
• usb/sound: use-after-free in snd_usb_mixer_interrupt [fix] [CVE-2017-16527]
• usb/net/rtlwifi: trying to register non-static key in rtl_c2hcmd_launcher
• usb/net/prism2usb: warning in hfa384x_usbctlxq_run/usb_submit_urb
• usb/nfs/pn533: use-after-free in pn533_send_complete
• usb/media/imon: null-ptr-deref in imon_probe [fix] [CVE-2017-16537]
• usb/net/prism2usb: warning in hfa384x_drvr_start/usb_submit_urb
• usb/net/ath6kl: GPF in ath6kl_usb_alloc_urb_from_pipe
• usb/net/ar5523: warning in ar5523_submit_rx_cmd/usb_submit_urb
• usb/media/uvc: BUG in uvc_mc_create_links/media_create_pad_link
• usb/media/v4l2: use-after-free in video_unregister_device/device_del
• usb/serial/visor: slab-out-of-bounds in palm_os_3_probe [fix on the way]
• usb/misc/usbtest: null-ptr-deref in usbtest_probe/get_endpoints [fix] [CVE-2017-16532]
• usb/misc/ims-pcu: slab-out-of-bounds in ims_pcu_parse_cdc_data [fix] [CVE-2017-16645]
• usb/serial: use-after-free in usb_serial_disconnect/__lock_acquire [fix1, fix2] [CVE-2017-16525]
• usb/misc/rio500: double-free or invalid-free in disconnect_rio
• usb/sound/caiaq: warning in init_card/usb_submit_urb [fix]
• usb/input/aiptek: warning in aiptek_open/usb_submit_urb
• usb/net/lan78xx: use-after-free in lan78xx_write_reg
• usb/media/b2c2: GPF in flexcop_usb_transfer_init
• usb/media/uvc: warning in uvc_scan_chain_forward/__list_add
• usb/sound/line6: trying to register non-static key in podhd_disconnect
• usb/sound/line6: warning in line6_start_listen/usb_submit_urb [fix]
• usb/media/lmedm04: GPF in lme2510_int_read/usb_pipe_endpoint [fix1, fix2] [CVE-2017-16538]
• usb/sound/bcd2000: warning in bcd2000_idrivers/usb/serial/usb-serial.cnit_device [fix]
• usb/wireless/rsi_91x: use-after-free write in __run_timers
• usb/media/zr364xx: GPF in zr364xx_vidioc_querycap/strlcpy
• usb/media/stkwebcam: use-after-free in v4l2_ctrl_handler_free
• usb/media/dib0700: BUG in stk7070p_frontend_attach/symbol_put_addr [fix] [CVE-2017-16646]
• usb/sounds: slab-out-of-bounds read in snd_usb_create_streams [fix] [CVE-2017-16529]
• usb/media/hdpvr: trying to register non-static key in hdpvr_probe [fix] [CVE-2017-16644]
• usb/net/hso: warning in hso_free_net_device
• usb/net/hso: global-out-of-bounds in hso_probe
• usb/media/smsusb: use-after-free in worker_thread
• usb/storage/uas: slab-out-of-bounds in uas_probe [fix] [CVE-2017-16530]
• usb/sound/usx2y: warning in usb_stream_new/__alloc_pages_slowpath [fix]
• usb/media/pvrusb2: warning in pvr2_send_request_ex/usb_submit_urb [fix]
• usb/media/smsusb: null-ptr-deref in smsusb_init_device
• usb/media/cx231xx: null-ptr-deref in cx231xx_usb_probe [fix] [CVE-2017-16536]
• usb/net/p54: trying to register non-static key in p54_unregister_leds [fix]
• usb/core: slab-out-of-bounds read in cdc_parse_cdc_header [fix] [CVE-2017-16534]
• usb/hid: slab-out-of-bounds read in usbhid_parse [fix] [CVE-2017-16533]
• usb/core: slab-out-of-bounds in usb_set_configuration [fix] [CVE-2017-16531]
• usb/uwb: WARNING in hwarc_neep_init/usb_submit_urb [fix]
• usb/uwb: GPF in uwbd_start [fix] [CVE-2017-16526]
• usb/joystick: warnings in xpad_start_input and xpad_try_sending_next_out_packet [fix]
• usb/midi: use-after-free in snd_rawmidi_dev_seq_free [fix] [CVE-2017-16528]
• usb/core: warning in usb_create_ep_devs/sysfs_create_dir_ns [fix]

GadgetFS

• usb/gadget: stalls in dummy_timer / usbtouch_probe [fix]
• usb/gadget: null-ptr-deref in dev_ioctl [fix]
• usb/gadget: copy_to_user called with spinlock held [fix]
• usb/gadget: potential deadlock in gadgetfs_suspend [fix]
• usb/gadget: another GPF in usb_gadget_unregister_driver [fix]
• usb/gadget: warning in ep_write_iter/__alloc_pages_nodemask [fix]
• usb/gadget: slab-out-of-bounds write in dev_config [fix]
• usb/gadget: warning in dummy_free_request [fix]
• usb/gadget: poor checks of wTotalLength in config descriptors [fix]
• usb/gadget: use-after-free in gadgetfs_setup [fix]
• usb/gadget: GPF in usb_gadget_unregister_driver [fix]
• usb/gadget: warning in dev_config/memdup_user [fix]