Linux security: Google fuzzer finds ton of holes in kernel's USB subsystem

A Google-developed kernel fuzzer has helped locate dozens of Linux security flaws.
Written by Liam Tung, Contributing Writer


Google researcher Andrey Konovalov has revealed 14 flaws in Linux kernel USB drivers that he found using a kernel fuzzer called 'syzkaller', created by another Google security researcher, Dmitry Vyukov.

"All of them can be triggered with a crafted malicious USB device in case an attacker has physical access to the machine," Konovalov wrote.

The 14 vulnerabilities revealed yesterday have fixes available, but they're part of a much larger group of 79 flaws affecting the Linux kernel's USB drivers.

Currently 22 of the 79 bugs have been assigned a CVE number, and each of those 22 has a fix available; many of the remaining flaws have not yet been fixed.

The 14 flaws affect Linux kernel versions before 4.13.8. Most of them are denial-of-service bugs: a specially crafted USB device can crash the system, and for some of them the advisories also list a possible "unspecified" other impact, the usual wording when memory corruption has been found but its exploitability has not been assessed.

Though an attacker would need physical access, cybercriminals have previously dropped malware-infected USB drives in company parking lots, aiming for curious employees to plug them into a work machine. For these kernel bugs the device itself has to be malicious, presenting crafted descriptors when it is enumerated, rather than merely carrying a malicious file.

Also, Stuxnet was designed to infect air-gapped machines by first infecting USB drives that were previously plugged into an infected machine.

Konovalov reported the first of the 79 bugs to relevant parties in December last year via a Google Groups mailing list, and has continued to update the group with new findings throughout this year. Notified parties included Google, Linux kernel developers, Intel and The Linux Foundation.

This reporting may explain why Linus Torvalds last month credited people doing "targeted fuzzing of driver subsystems" for helping find security issues.

Fuzzing involves feeding large volumes of random or mutated input to a target piece of software in an attempt to cause crashes. For USB drivers that input is the descriptor data a device hands the kernel when it is plugged in, so a fuzzer can stand in for a crafted malicious device.
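As an added illustration of the technique, not code from the article or from the syzkaller project, the block below mutates the bLength fields of a constructed USB configuration descriptor and runs each mutant through two hypothetical descriptor walkers: a naive one that trusts the device-supplied lengths, and a hardened one that validates them. Every byte read in the naive walker goes through a small helper that records an out-of-bounds index instead of dereferencing it, standing in for the sanitizer that reports the crash in a real syzkaller run; a watchdog turns a bLength of zero into a reported hang. Descriptor layout, walker names and the fuzzer's statistics are all assumptions of this example.

```c
/* Added example (not from the article or syzkaller): structure-aware
 * mutation fuzzing of a hypothetical USB descriptor walker. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum { DT_CONFIG = 0x02, DT_INTERFACE = 0x04, DT_ENDPOINT = 0x05 };
enum { OK = 0, ERR_INVALID = -1, ERR_OOB = -2, ERR_HANG = -3 };
typedef int (*walker_fn)(const uint8_t *, size_t, int *);

/* Simulated memory sanitizer: any access past the buffer is recorded. */
static int oob_flag;
static uint8_t rd(const uint8_t *buf, size_t len, size_t i) {
    if (i >= len) { oob_flag = 1; return 0; }
    return buf[i];
}

/* Naive walker: trusts bLength and bDescriptorType supplied by the device.
 * Returns OK, ERR_OOB if a read left the buffer, ERR_HANG if bLength == 0. */
static int walk_naive(const uint8_t *buf, size_t len, int *endpoints) {
    size_t off = 0;
    int guard = 0;
    if (endpoints) *endpoints = 0;
    oob_flag = 0;
    while (off < len) {
        if (++guard > 1000) return ERR_HANG;      /* watchdog: bLength == 0 spins */
        uint8_t blen = rd(buf, len, off);
        uint8_t dtype = rd(buf, len, off + 1);
        if (dtype == DT_ENDPOINT) {
            /* bEndpointAddress and wMaxPacketSize read without checking blen */
            (void)rd(buf, len, off + 2);
            (void)rd(buf, len, off + 4);
            (void)rd(buf, len, off + 5);
            if (endpoints) (*endpoints)++;
        }
        if (oob_flag) return ERR_OOB;
        off += blen;
    }
    return OK;
}

/* Hardened walker: every length is validated before it is used. */
static int walk_hardened(const uint8_t *buf, size_t len, int *endpoints) {
    size_t off = 0;
    if (endpoints) *endpoints = 0;
    while (off < len) {
        if (len - off < 2) return ERR_INVALID;     /* header must fit */
        uint8_t blen = buf[off], dtype = buf[off + 1];
        if (blen < 2 || blen > len - off) return ERR_INVALID;
        if (dtype == DT_ENDPOINT) {
            if (blen < 7) return ERR_INVALID;      /* endpoint descriptor is 7 bytes */
            if (endpoints) (*endpoints)++;
        }
        off += blen;
    }
    return OK;
}

/* Constructed sample: one configuration, one vendor-specific interface,
 * one bulk IN and one bulk OUT endpoint (wTotalLength = 32). */
static const uint8_t seed_desc[32] = {
    9, DT_CONFIG,    32, 0, 1, 1, 0, 0x80, 50,
    9, DT_INTERFACE,  0, 0, 2, 0xff, 0, 0, 0,
    7, DT_ENDPOINT, 0x81, 0x02, 64, 0, 0,
    7, DT_ENDPOINT, 0x02, 0x02, 64, 0, 0,
};
/* Offsets of the bLength fields, the bytes a crafted device controls. */
static const size_t blen_offsets[] = { 0, 9, 18, 25 };

static int seed_endpoints(walker_fn w) {
    int eps = 0;
    w(seed_desc, sizeof seed_desc, &eps);
    return eps;
}

/* Run a walker on the seed with one byte overwritten: a minimal reproducer. */
static int run_mutated(walker_fn w, size_t idx, uint8_t val, int *endpoints) {
    uint8_t buf[sizeof seed_desc];
    memcpy(buf, seed_desc, sizeof buf);
    buf[idx] = val;
    return w(buf, sizeof buf, endpoints);
}

/* Deterministic xorshift32 so every finding is reproducible from the seed. */
static uint32_t xorshift(uint32_t *s) {
    *s ^= *s << 13; *s ^= *s >> 17; *s ^= *s << 5;
    return *s;
}

struct stats { int oob, hang, invalid; };

/* Structure-aware fuzzing: each iteration rewrites one bLength field. */
static struct stats fuzz(walker_fn w, int iters, uint32_t seed) {
    struct stats s = { 0, 0, 0 };
    uint32_t rng = seed ? seed : 1;
    for (int i = 0; i < iters; i++) {
        size_t idx = blen_offsets[xorshift(&rng) % 4];
        int r = run_mutated(w, idx, (uint8_t)xorshift(&rng), NULL);
        if (r == ERR_OOB) s.oob++;
        else if (r == ERR_HANG) s.hang++;
        else if (r == ERR_INVALID) s.invalid++;
    }
    return s;
}
```

Running `fuzz(walk_naive, 8192, 12345)` yields both out-of-bounds reads and hangs, while the same mutants make `walk_hardened` return ERR_INVALID and never leave the buffer; `run_mutated(walk_naive, 25, 6, NULL)` is the kind of one-byte reproducer a fuzzer reduces a crashing input to. Mutating only the length fields rather than random bytes is what makes the search productive, which is the same reason syzkaller describes the structure of the inputs it generates.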

Many of the bugs Konovalov circulated to the mailing list were reported in September and October; some were found in release candidates of kernel version 4.14 and fixed by Linux kernel developers during the development cycle.

Konovalov's syzkaller reports are keeping kernel developers busy. Several of the latest USB bugs that Konovalov reported affected Linux 4.14 release candidate (RC) 8. Torvalds announced the 4.14 RC 8 release on Sunday, and by Monday Konovalov had found a handful of other USB bugs, some of which have been fixed and others not.

Torvalds said Linux 4.14.0 should be released next Sunday.

Konovalov earlier this year discovered an 11-year-old flaw in the Linux kernel using the same fuzzing tool.
