Skip to content
  • Home
  • About
  • Services
    • Vulnerability and Threat Intelligence
    • Threat Modeling and Risk Assessment
    • Penetration Testing
    • Source Code Review
    • Security Research
    • Security Consulting
  • Training
    • Kernel exploitation
      • Training – November 2019
    • Kernel development
    • Userland exploitation
  • Labs
    • Exploits
    • Publications
    • Security Alerts
      • Latest Security Alerts
      • Latest Modified Security Alerts
      • Latest Ordered Security Alerts
      • Search Security Alert
  • Blog
  • Contact
  • Language
    • English
    • Português

Allele Security Intelligence

Efficient information security services

ASA-2018-00068 – Linux kernel: Use-after-free in usb_audio_probe()

Posted on December 7, 2018October 10, 2019 by Allele Security Intelligence in Alerts

Allele Security Alert

ASA-2018-00068

Identifier(s)

ASA-2018-00068, CVE-2018-19824

Title

Use-after-free in usb_audio_probe()

Vendor(s)

Linux foundation

Product(s)

Linux kernel

Affected version(s)

Linux kernel versions before 4.20

Linux kernel versions before 4.9.145
Linux kernel versions before 4.19.9
Linux kernel versions before 4.14.88
Linux kernel versions before 4.4.167
Linux kernel versions before 3.16.63

Fixed version(s)

Linux kernel version 4.20

Linux kernel version 4.9.145
Linux kernel version 4.19.9
Linux kernel version 4.14.88
Linux kernel version 4.4.167
Linux kernel version 3.16.63

Proof of concept

Unknown

Description

There is a use-after-free vulnerability in usb_audio_probe(). This function accesses a freed object when decrementing its reference counter. The attacker needs local access to plug in a malicious USB device in order to exploit the vulnerability.

Technical details

If a USB sound card reports 0 interface, an error condition is triggered and the function usb_audio_probe() errors out. In the error path, there was a use-after-free vulnerability where the memory object of the card was first freed, followed by a decrement of the number of active chips.

File: sound/usb/card.c
---
 __error:
if (chip) {
+ /* chip->active is inside the chip->card object,
+ * decrement before memory is possibly returned.
+ */
+ atomic_dec(&chip->active);
if (!chip->num_interfaces)
snd_card_free(chip->card);
- atomic_dec(&chip->active);
}
mutex_unlock(&register_mutex);
return err;
---

Credits

Mathias Payer

Reference(s)

UAF write in usb_audio_probe
https://seclists.org/oss-sec/2018/q4/197

ALSA: usb-audio: Fix UAF decrement if card has no live interfaces in card.c
https://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound.git/commit/?id=5f8cf712582617d523120df67d392059eaf2fc4b

ALSA: usb-audio: Fix UAF decrement if card has no live interfaces in card.c
https://github.com/torvalds/linux/commit/5f8cf712582617d523120df67d392059eaf2fc4b

ChangeLog-4.9.145
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.145

ChangeLog-4.19.9
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.9

ChangeLog-4.14.88
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.88

ChangeLog-4.4.167
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.167

ChangeLog-3.16.63
https://cdn.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.16.63

ChangeLog-4.20
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.20

CVE-2018-19824 - Red Hat Customer Portal
https://access.redhat.com/security/cve/CVE-2018-19824

CVE-2018-19824 | SUSE
https://www.suse.com/security/cve/CVE-2018-19824

CVE-2018-19824
https://security-tracker.debian.org/tracker/CVE-2018-19824

CVE-2018-19824 in Ubuntu
https://people.canonical.com/~ubuntu-security/cve/CVE-2018-19824.html

CVE-2018-19824
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19824

CVE-2018-19824
https://nvd.nist.gov/vuln/detail/CVE-2018-19824

If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: October 10, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.

Share this:

  • Click to print (Opens in new window)
  • Click to email this to a friend (Opens in new window)
  • Click to share on Facebook (Opens in new window)
  • Click to share on LinkedIn (Opens in new window)
  • Click to share on Twitter (Opens in new window)
  • Click to share on Pocket (Opens in new window)
  • Click to share on Telegram (Opens in new window)
  • Click to share on WhatsApp (Opens in new window)

Like this:

Like Loading...

Related

Tagged ASA-2018-00068, CVE-2018-19824, Linux Kernel, Login Bypass, Privilege Escalation, usb_audio_probe(), Use-After-Free

Post navigation

Previous Post ASA-2018-00067 – PolicyKit: Improper handling of user with uid > INT_MAX leading to authentication bypass
Next Post ASA-2018-00069 – Kubernetes: Proxy request handling in kube-apiserver can leave vulnerable TCP connections

Archives

  • May 2020 (1)
  • March 2020 (1)
  • February 2020 (5)
  • December 2019 (33)
  • November 2019 (28)
  • October 2019 (54)
  • September 2019 (25)
  • August 2019 (46)
  • July 2019 (77)
  • June 2019 (95)
  • May 2019 (68)
  • April 2019 (77)
  • March 2019 (49)
  • February 2019 (78)
  • January 2019 (36)
  • December 2018 (38)
  • November 2018 (44)
  • October 2018 (20)
  • September 2018 (1)
  • August 2018 (1)

Tags

Apache HTTP Server (13) Apache Software Foundation (19) Arbitrary Code Execution (43) Arbitrary File Read (6) Authenticated User (13) Authentication Bypass (7) BIND (9) BIOS (9) Buffer Overflow (23) Code Execution (11) Command Injection (9) Cross-Site Request Forgery (13) Cross-Site Scripting (42) Cross-Site Scripting (XSS) (48) CSRF (12) curl (11) Das U-Boot (13) Dell (6) Denial of Service (DoS) (113) Deserialization (8) Firmware (8) FreeBSD (24) FreeRDP (6) Git (9) GitLab (15) Gitlab Community Edition (12) Gitlab Enterprise Edition (13) Go (7) Heap Buffer Overflow (23) IBM (13) IBM Sterling B2B Integrator Standard Edition (7) Improper Permissions (9) Information Disclosure (64) Integer Overflow (20) Intel (40) INTEL-SA-00248 (9) INTEL-SA-00264 (7) Intel Computer Card (7) Intel Computer Stick (7) Intel NUC (10) Intel Open CIT (8) Intel Open Cloud Integrity Technology (8) Jenkins (46) Joomla (10) Kubernetes (12) libssh2 (9) Linux (33) Linux Kernel (44) Local Access (27) MacOS (10) Magento (40) Memory Corruption (23) Memory Leak (13) mfsa2019-21 (21) MikroTik (10) MikroTik RouterOS (8) Mozilla (20) Mozilla Firefox (22) Mozilla Firefox ESR (8) Mozilla Thunderbird (11) NFS (7) NGINX (8) NULL Pointer Dereference (10) OpenBSD (11) OpenSSL (13) Out-Of-Bounds Read (41) Out-Of-Bounds Write (23) PIA (9) Private Internet Access (9) Privilege Escalation (99) Race Condition (12) rdesktop (19) Remote Code Execution (RCE) (64) rubygems (7) Samba (15) Sandbox Bypass (8) Security Bypass (7) Side Channel (8) SQL Injection (7) Stack Buffer Overflow (10) Stored Cross-Site Scripting (14) systemd (7) TCP (10) TYPO3 (32) TYPO3 CMS (7) Unbounded memcpy (7) Use-After-Free (27) VMware (25) VMware ESXI (9) VMware Fusion (8) VMware vCenter Server (6) VMware Workstation (9) WebKit (20) WebKitGTK (20) Windows (12) Wind River (11) Wind River VxWorks (11) WPE Webkit (20) WSA-2019-0003 (20) Xen (8)
  • Twitter
  • Facebook
  • Github
  • Linkedin
  • RSS

Services

Vulnerability and Threat Intelligence

Threat Modeling and Risk Assessment

Penetration Testing

Source Code Review

Security Research

Security Consulting

Training

Kernel exploitation

Kernel development

Userland exploitation

Publications

Redução da superfície de ataque ao kernel do Linux – SEMCOMP 2019

Introdução à pesquisa em vulnerabilidades no núcleo do Linux – EnSI 2018

Introdução à pesquisa em vulnerabilidades no núcleo do Linux – RoadSec Salvador 2018

Rootkits em kernel space – Redshift, um rootkit para o kernel do FreeBSD

Public proofs of concept

CVE-2012-0217

CVE-2012-4576

latest security alerts

  • ASA-2020-00039 – Linux kernel: SELinux netlink permission check bypass due to SELinux incorrectly assume that an skb would only contain a single netlink message May 26, 2020
  • ASA-2020-00038 – Linux kernel: Memory corruption due to the lack of validation of an sk_family field in vhost subsystem March 25, 2020
  • ASA-2019-00658 – Linux kernel: Mounting a crafted btrfs filesystem image can lead to a use-after-free through syncfs system call February 17, 2020

Subscribe to our Blog

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

© 2020 Allele Security Intelligence.
All rights reserved. Privacy Policy.

loading Cancel
Post was not sent - check your email addresses!
Email check failed, please try again
Sorry, your blog cannot share posts by email.
%d bloggers like this: