Allele Security Alert
ASA-2019-00637
Identifier(s)
ASA-2019-00637, CVE-2019-18813, CID-9bbfceea12a8
Title
Memory leak in dwc3_pci_probe()
Vendor(s)
Linux Foundation
Product(s)
Linux kernel
Affected version(s)
Linux kernel upstream versions before 5.4
Linux kernel stable versions 5.3.x before 5.3.11
Linux kernel stable versions 4.19.x before 4.19.84
Linux kernel versions with the following commit applied:
usb: dwc3: pci: Supply device properties via driver data
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=1a7b12f69a9434a766e77c43d113826f0413b032
Fixed version(s)
Linux kernel upstream version 5.4
Linux kernel stable version 5.3.11
Linux kernel stable version 4.19.84
Linux kernel versions with the following commit applied:
usb: dwc3: pci: prevent memory leak in dwc3_pci_probe
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=9bbfceea12a8f145097a27d7c7267af25893c060
Proof of concept
Unknown
Description
A memory leak in the dwc3_pci_probe() function in drivers/usb/dwc3/dwc3-pci.c allows attackers to cause a denial of service (memory consumption) by triggering platform_device_add_properties() failures.
Technical details
Unknown
Credits
Navid Emamdoost
Reference(s)
usb: dwc3: pci: prevent memory leak in dwc3_pci_probe
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=9bbfceea12a8f145097a27d7c7267af25893c060
usb: dwc3: pci: Supply device properties via driver data
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=1a7b12f69a9434a766e77c43d113826f0413b032
usb: dwc3: pci: prevent memory leak in dwc3_pci_probe
https://github.com/torvalds/linux/commit/9bbfceea12a8f145097a27d7c7267af25893c060
usb: dwc3: pci: Supply device properties via driver data
https://github.com/torvalds/linux/commit/1a7b12f69a9434a766e77c43d113826f0413b032
Linux 5.4
https://lkml.org/lkml/2019/11/24/187
Linux 5.4-rc6
https://lkml.org/lkml/2019/11/3/208
Linux 5.3.11
https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.3.11
Linux 4.19.84
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.84
CVE-2019-18813
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18813
CVE-2019-18813
https://nvd.nist.gov/vuln/detail/CVE-2019-18813
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: November 25, 2019