From: Kalle Valo <kvalo@kernel.org>
To: Mark Esler <mark.esler@canonical.com>
Cc: color Ice <wirelessdonghack@gmail.com>,
stf_xl@wp.pl, linux-wireless@vger.kernel.org,
linux-kernel@vger.kernel.org,
Greg KH <gregkh@linuxfoundation.org>
Subject: Re: Ubuntu RT2X00 WIFI USB Driver Kernel NULL pointer Dereference&Use-After-Free Vulnerability
Date: Sat, 03 Aug 2024 00:03:26 +0300 [thread overview]
Message-ID: <87wmky7i3l.fsf@kernel.org> (raw)
In-Reply-To: <ZqyWpovXcaAX2f5c@aeon> (Mark Esler's message of "Fri, 2 Aug 2024 03:19:50 -0500")
Mark Esler <mark.esler@canonical.com> writes:
> On Fri, Aug 02, 2024 at 03:57:47PM +0800, color Ice wrote:
>> Dear RT2X00 driver maintainers,
>>
>> We have discovered a critical vulnerability in the RT2X00 driver. We
>> recommend urgently submitting an update.
>>
>> *Vulnerability Description*: When a PC is running Ubuntu 22.04 or 24.04,
>> executing our proof of concept (POC) can directly cause a null pointer
>> dereference or use-after-free (UAF). The systems we tested were:
>>
>> - *Description*: Ubuntu 22.04.4 LTS *Release*: 22.04
>> - *Description*: Ubuntu 24.04 LTS *Release*: 24.04
>>
>> We tested network cards from the RT2870/RT3070/RT5370 series, which all
>> belong to the RT2X00 driver group, and all were able to trigger the
>> vulnerability. Additionally, executing the POC requires only user-level
>> privileges. Debian systems are not affected.
>
> It is unclear if Ubuntu is the only affected distro.
It's also unclear how this works as there's no description about the
issue. I'm not going to run any scripts and I don't know how python
usb.core package works. I guess it needs root privileges to be able to
send these USB commands?
If this really is a security vulnerability, here are the instructions
how to report them:
https://docs.kernel.org/process/security-bugs.html
Also adding Greg.
--
https://patchwork.kernel.org/project/linux-wireless/list/
https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
next prev parent reply other threads:[~2024-08-02 21:03 UTC|newest]
Thread overview: 30+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-08-02 7:57 Ubuntu RT2X00 WIFI USB Driver Kernel NULL pointer Dereference&Use-After-Free Vulnerability color Ice
2024-08-02 8:19 ` Mark Esler
2024-08-02 21:03 ` Kalle Valo [this message]
2024-08-03 5:42 ` color Ice
2024-08-03 6:31 ` Greg KH
2024-08-03 7:57 ` LidongLI
2024-08-05 2:18 ` LidongLI
2024-08-05 2:20 ` LidongLI
2024-08-05 6:55 ` Greg KH
2024-08-05 8:33 ` LidongLI
2024-08-05 18:33 ` Greg KH
2024-08-05 18:37 ` Greg KH
2024-08-06 1:59 ` LidongLI
2024-08-06 3:06 ` Theodore Ts'o
2024-08-06 13:38 ` Alan Stern
[not found] ` <CAOV16XF8cEg7+HAFQiCUrt9-Dp4M+-TANjQqRXH87AAdgzmNMg@mail.gmail.com>
2024-08-06 18:36 ` Alan Stern
2024-08-07 1:56 ` color Ice
2024-08-06 2:34 ` LidongLI
2024-08-06 3:54 ` LidongLI
2024-08-06 6:34 ` Greg KH
2024-08-06 6:35 ` Greg KH
2024-08-06 12:45 ` Theodore Ts'o
2024-08-07 2:11 ` LidongLI
2024-08-14 5:58 ` LidongLI
2024-08-14 14:55 ` Alan Stern
2024-08-19 10:49 ` color Ice
2024-08-19 10:56 ` Greg KH
[not found] ` <CAOV16XFYeWdT4tSpLWoE+pCVsNERXKJQCJvJovrfsgMn1PMzbA@mail.gmail.com>
2024-08-19 17:43 ` Greg KH
2024-08-21 8:25 ` color Ice
2024-08-21 14:06 ` Greg KH
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87wmky7i3l.fsf@kernel.org \
--to=kvalo@kernel.org \
--cc=gregkh@linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-wireless@vger.kernel.org \
--cc=mark.esler@canonical.com \
--cc=stf_xl@wp.pl \
--cc=wirelessdonghack@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).