From: Kalle Valo <kvalo@kernel.org>
To: Mark Esler <mark.esler@canonical.com>
Cc: color Ice <wirelessdonghack@gmail.com>,
	 stf_xl@wp.pl, linux-wireless@vger.kernel.org,
	 linux-kernel@vger.kernel.org,
	Greg KH <gregkh@linuxfoundation.org>
Subject: Re: Ubuntu RT2X00 WIFI USB Driver Kernel NULL pointer Dereference&Use-After-Free Vulnerability
Date: Sat, 03 Aug 2024 00:03:26 +0300
Message-ID: <87wmky7i3l.fsf@kernel.org>
In-Reply-To: <ZqyWpovXcaAX2f5c@aeon> (Mark Esler's message of "Fri, 2 Aug 2024 03:19:50 -0500")

Mark Esler <mark.esler@canonical.com> writes:

> On Fri, Aug 02, 2024 at 03:57:47PM +0800, color Ice wrote:
>> Dear RT2X00 driver maintainers,
>> 
>> We have discovered a critical vulnerability in the RT2X00 driver. We
>> recommend urgently submitting an update.
>> 
>> *Vulnerability Description*: When a PC is running Ubuntu 22.04 or 24.04,
>> executing our proof of concept (POC) can directly cause a null pointer
>> dereference or use-after-free (UAF). The systems we tested were:
>> 
>>    - *Description*: Ubuntu 22.04.4 LTS *Release*: 22.04
>>    - *Description*: Ubuntu 24.04 LTS *Release*: 24.04
>> 
>> We tested network cards from the RT2870/RT3070/RT5370 series, which all
>> belong to the RT2X00 driver group, and all were able to trigger the
>> vulnerability. Additionally, executing the POC requires only user-level
>> privileges. Debian systems are not affected.
>
> It is unclear if Ubuntu is the only affected distro.

It's also unclear how this works as there's no description about the
issue. I'm not going to run any scripts and I don't know how python
usb.core package works. I guess it needs root privileges to be able to
send these USB commands?

If this really is a security vulnerability, here are the instructions
how to report them:

https://docs.kernel.org/process/security-bugs.html

Also adding Greg.

-- 
https://patchwork.kernel.org/project/linux-wireless/list/

https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
