From: "Bjørn Mork" <bjorn@mork.no>
To: Sasha Levin <sasha.levin@oracle.com>
Cc: Jiri Slaby <jslaby@suse.cz>, LKML <linux-kernel@vger.kernel.org>,
stable <stable@vger.kernel.org>,
lwn@lwn.net
Subject: Re: stable-security kernel updates
Date: Thu, 21 Apr 2016 14:26:42 +0200
Message-ID: <87twiv2lml.fsf@nemi.mork.no>
In-Reply-To: <5718B57D.4000504@oracle.com> (Sasha Levin's message of "Thu, 21 Apr 2016 07:11:57 -0400")
Sasha Levin <sasha.levin@oracle.com> writes:
> On 04/21/2016 02:43 AM, Jiri Slaby wrote:
>
>> Input: powermate - fix oops with malicious USB descriptors
>
> This requires physical access to the machine.

You wish.

Say you have some internal USB connected device with replaceable
firmware. LTE modem, fingerprint reader, webcam - you name it. How do
you know that this cannot be abused to impersonate some other USB
device? Yes, changing the firmware of those devices should of course
require admin privileges. But is that always so? Writing firmware to a
modem, for example, is typically done over a serial device similar to
the one used for normal modem operations. Privileges necessary to manage
the modem will also include changing the firmware. Physical access is
not necessary.

Do you trust the firmware protection of all your non-removable USB
devices?

Bjørn