lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <7E45577E4E72EC42BB3F8560D57E755145A0B82A@manexchprd01>
Date: Wed, 2 Nov 2011 13:36:40 +0000
From: "Research@...Secure" <research@...secure.com>
To: "bugtraq@...urityfocus.com" <bugtraq@...urityfocus.com>
Subject: NGS00042 Technical Advisory: Solaris 11 USB hub class descriptor
 kernel stack overflow (CVE-2011-2295)

=======
Summary
=======
Name: Solaris 11 USB hub class descriptor kernel stack overflow
Release Date:  2 November 2011
Reference: NGS00042
Discoverer: Andy Davis <andy.davis@...secure.com>
Vendor: Oracle
Vendor Reference: 
Systems Affected: Solaris 8, 9, 10, and 11 Express
Risk: High
Status: Published

========
TimeLine
========
Discovered: 27 January 2011
Released: 27 January 2011
Approved: 27 January 2011
Reported: 27 January 2011
Fixed: 19 July 2011
Published:  2 November 2011

===========
Description
===========
A local attacker can send a malformed USB hub class descriptor via a malicious USB device and trigger a kernel stack overflow

=================
Technical Details
=================
If the wMaxPacketSize field within a USB hub class Endpoint descriptor is set to a value >= 0x1125, it causes a kernel stack overflow

Jan 27 13:36:59 solaris ^Mpanic[cpu1]/thread=d742ada0: 
Jan 27 13:36:59 solaris genunix: [ID 549817 kern.notice] segkp_fault: accessing redzone
Jan 27 13:36:59 solaris unix: [ID 100000 kern.notice] Jan 27 13:36:59 solaris genunix: [ID 353471 kern.notice] d742a540
genunix:segkp_fault+238 (d1061f68, fec24c20,) Jan 27 13:36:59 solaris genunix: [ID 353471 kern.notice] d742a590 unix:segkmem_fault+8e (d1061f68, 
fec24c60,) Jan 27 13:36:59 solaris genunix: [ID 353471 kern.notice] d742a630
genunix:as_fault+4c1 (d1061f68, fec23da0,) Jan 27 13:36:59 solaris genunix: [ID 353471 kern.notice] d742a690 unix:pagefault+1ac (d23bd000, 0, 1, 1) Jan 
27 13:36:59 solaris genunix: [ID 353471 kern.notice] d742a740 unix:trap+136f (d742a754, d23bd000,) Jan 27 13:36:59 solaris genunix: [ID 353471 
kern.notice] d742a754 unix:_cmntrap+7c (fea501b0, d1010000,) Jan 27 13:36:59 solaris genunix: [ID 353471 kern.notice] d742a7c8
ehci:ehci_calculate_bw_availability_mask+48 (d2089000, 2892, 0, ) Jan 27 13:36:59 solaris genunix: [ID 353471 kern.notice] d742a838
ehci:ehci_find_bestfit_hs_mask+c8 (d2089000, d742a8fa,) Jan 27 13:36:59 solaris genunix: [ID 353471 kern.notice] d742a888
ehci:ehci_allocate_high_speed_bandwidth+126 (d2089000, d6c84be0,) Jan 27 13:36:59 solaris genunix: [ID 353471 kern.notice] d742a8b8
ehci:ehci_allocate_bandwidth+21 (d2089000, d6c84be0,) Jan 27 13:36:59 solaris genunix: [ID 353471 kern.notice] d742a918 ehci:ehci_hcdi_pipe_open+dd 
(d6c84be0, 0, d742a9) Jan 27 13:36:59 solaris genunix: [ID 353471 kern.notice] d742a968
usba:usb_pipe_open+260 (d1d01cf0, d851ec70,) Jan 27 13:36:59 solaris genunix: [ID 353471 kern.notice] d742a998
usba:hubd_open_intr_pipe+37 (d851ec40, 0, d742a9) Jan 27 13:36:59 solaris genunix: [ID 353471 kern.notice] d742a9c8
usba:hubd_check_ports+f0 (d851ec40, d1d01cf0,) Jan 27 13:36:59 solaris genunix: [ID 353471 kern.notice] d742aa38 usba:usba_hubdi_attach+43a (d1d01cf0, 
0, 0, 0) Jan 27 13:36:59 solaris genunix: [ID 353471 kern.notice] d742aa68
genunix:devi_attach+a5 (d1d01cf0)
Jan 27 13:36:59 solaris genunix: [ID 353471 kern.notice] d742aa88 genunix:attach_node+9a (d1d01cf0, 1, d2076c) Jan 27 13:36:59 solaris genunix: [ID 
353471 kern.notice] d742aab8
genunix:i_ndi_config_node+c1 (d1d01cf0, 6, 0, d1d) Jan 27 13:36:59 solaris genunix: [ID 353471 kern.notice] d742aad8 genunix:i_ddi_attachchild+3d 
(d1d01cf0, 0, d742aa) Jan 27 13:36:59 solaris genunix: [ID 353471 kern.notice] d742aaf8 genunix:devi_attach_node+bb (d1d01cf0, 1020008, ) Jan 27 
13:36:59 solaris genunix: [ID 353471 kern.notice] d742ab38
genunix:config_immediate_children+e6 (d17f3340, 1020008, ) Jan 27 13:36:59 solaris genunix: [ID 353471 kern.notice] d742ab78
genunix:ndi_busop_bus_config+74 (d17f3340, 1020008, ) Jan 27 13:36:59 solaris genunix: [ID 353471 kern.notice] d742ac18 usba:hubd_bus_config+dc 
(d17f3340, 1020008, ) Jan 27 13:36:59 solaris genunix: [ID 353471 kern.notice] d742ac48
genunix:devi_config_common+74 (d17f3340, 1020008, ) Jan 27 13:36:59 solaris genunix: [ID 353471 kern.notice] d742ac68
genunix:ndi_devi_config+13 (d17f3340, 1020008) Jan 27 13:36:59 solaris genunix: [ID 353471 kern.notice] d742aca8 genunix:ndi_devi_online+fc (d17f3340, 
0, 0, f8a) Jan 27 13:36:59 solaris genunix: [ID 353471 kern.notice] d742ad18 usba:hubd_hotplug_thread+52b (e0553c50, d1db8b9c,) Jan 27 13:36:59 solaris 
genunix: [ID 353471 kern.notice] d742ad88
genunix:taskq_d_thread+a3 (d3b94410, 0)
Jan 27 13:36:59 solaris genunix: [ID 353471 kern.notice] d742ad98
unix:thread_start+8 ()

===============
Fix Information
===============
This issue is addressed in the Oracle Critical Patch Update Advisory - July 2011, which is available at the following URL:
http://www.oracle.com/technetwork/topics/security/cpujuly2011-313328.html

NGS Secure Research
http://www.ngssecure.com

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ