CVE-2022-50876

Summary

In the Linux kernel, the following vulnerability has been resolved:

usb: musb: Fix musb_gadget.c rxstate overflow bug

The usb function device call musb_gadget_queue() adds the passed request to musb_ep::req_list,If the (request->length > musb_ep->packet_sz) and (is_buffer_mapped(req) return false),the rxstate() will copy all data in fifo to request->buf which may cause request->buf out of bounds.

Fix it by add the length check : fifocnt = min_t(unsigned, request->length - request->actual, fifocnt);

Affected Software

VendorProductVersion RangeStatus
LinuxLinux03840fad004ce8a56bc8b3bb60a2df10f6f9481e < 826f84ab04a5cafe484ea9c2c85a3930068e5cb7affected
LinuxLinux03840fad004ce8a56bc8b3bb60a2df10f6f9481e < a1008c8b9f357691ce6a8fdb8f157aecb2d79167affected
LinuxLinux03840fad004ce8a56bc8b3bb60a2df10f6f9481e < 7c80f3a918ba9aa26fb699ee887064ec3af0396aaffected
LinuxLinux03840fad004ce8a56bc8b3bb60a2df10f6f9481e < d6afcab1b48f4051211c50145b9e91be3b1b42c9affected
LinuxLinux03840fad004ce8a56bc8b3bb60a2df10f6f9481e < acf0006f2b2b2ca672988875fd154429aafb2a9baffected
LinuxLinux03840fad004ce8a56bc8b3bb60a2df10f6f9481e < 3c84c7f592c4ba38f54ddaddd0115acc443025dbaffected
LinuxLinux03840fad004ce8a56bc8b3bb60a2df10f6f9481e < a9ccd2ab1becf5dcb6d57e9fcd981f5eaa606c96affected
LinuxLinux03840fad004ce8a56bc8b3bb60a2df10f6f9481e < 523313881f0aa5cbbdb548ce575b6e58b202bd76affected
LinuxLinux03840fad004ce8a56bc8b3bb60a2df10f6f9481e < eea4c860c3b366369eff0489d94ee4f0571d467daffected
LinuxLinux4.3affected
LinuxLinux0 < 4.3unaffected
LinuxLinux4.9.331 <= 4.9.*unaffected
LinuxLinux4.14.296 <= 4.14.*unaffected
LinuxLinux4.19.262 <= 4.19.*unaffected
LinuxLinux5.4.220 <= 5.4.*unaffected
LinuxLinux5.10.150 <= 5.10.*unaffected
LinuxLinux5.15.75 <= 5.15.*unaffected
LinuxLinux5.19.17 <= 5.19.*unaffected
LinuxLinux6.0.3 <= 6.0.*unaffected
LinuxLinux6.1 <= *unaffected

Weaknesses

References