Vigil@nce - Linux kernel: denial of service via USB io_ti
March 2013 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
A local attacker can unplug a USB-Serial converter, whereas it is
still used, in order to dereference a NULL pointer, which stops
the kernel.
Impacted products: Linux
Severity: 1/4
Creation date: 27/02/2013
DESCRIPTION OF THE VULNERABILITY
The drivers/usb/serial/io_ti.c file implements the module to
manage Edgeport converters for Serial port, which are connected on
a USB port.
The chase_port() function processes received data. However, if the
device was unplugged the variable "tty" is set to NULL, but it is
used.
A local attacker can therefore unplug a USB-Serial converter,
whereas it is still used, in order to dereference a NULL pointer,
which stops the kernel.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Linux-kernel-denial-of-service-via-USB-io-ti-12470