CVE-2023-52886
N/A
Summary
In the Linux kernel, the following vulnerability has been resolved:
USB: core: Fix race by not overwriting udev->descriptor in hub_port_init()
Syzbot reported an out-of-bounds read in sysfs.c:read_descriptors():
BUG: KASAN: slab-out-of-bounds in read_descriptors+0x263/0x280 drivers/usb/core/sysfs.c:883 Read of size 8 at addr ffff88801e78b8c8 by task udevd/5011
CPU: 0 PID: 5011 Comm: udevd Not tainted 6.4.0-rc6-syzkaller-00195-g40f71e7cd3c6 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xd9/0x150 lib/dump_stack.c:106 print_address_description.constprop.0+0x2c/0x3c0 mm/kasan/report.c:351 print_report mm/kasan/report.c:462 [inline] kasan_report+0x11c/0x130 mm/kasan/report.c:572 read_descriptors+0x263/0x280 drivers/usb/core/sysfs.c:883 … Allocated by task 758: … __do_kmalloc_node mm/slab_common.c:966 [inline] __kmalloc+0x5e/0x190 mm/slab_common.c:979 kmalloc include/linux/slab.h:563 [inline] kzalloc include/linux/slab.h:680 [inline] usb_get_configuration+0x1f7/0x5170 drivers/usb/core/config.c:887 usb_enumerate_device drivers/usb/core/hub.c:2407 [inline] usb_new_device+0x12b0/0x19d0 drivers/usb/core/hub.c:2545
As analyzed by Khazhy Kumykov, the cause of this bug is a race between read_descriptors() and hub_port_init(): The first routine uses a field in udev->descriptor, not expecting it to change, while the second overwrites it.
Prior to commit 45bf39f8df7f ("USB: core: Don't hold device lock while reading the "descriptors" sysfs file") this race couldn't occur, because the routines were mutually exclusive thanks to the device locking. Removing that locking from read_descriptors() exposed it to the race.
The best way to fix the bug is to keep hub_port_init() from changing udev->descriptor once udev has been initialized and registered. Drivers expect the descriptors stored in the kernel to be immutable; we should not undermine this expectation. In fact, this change should have been made long ago.
So now hub_port_init() will take an additional argument, specifying a buffer in which to store the device descriptor it reads. (If udev has not yet been initialized, the buffer pointer will be NULL and then hub_port_init() will store the device descriptor in udev as before.) This eliminates the data race responsible for the out-of-bounds read.
The changes to hub_port_init() appear more extensive than they really are, because of indentation changes resulting from an attempt to avoid writing to other parts of the usb_device structure after it has been initialized. Similar changes should be made to the code that reads the BOS descriptor, but that can be handled in a separate patch later on. This patch is sufficient to fix the bug found by syzbot.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | 218925bfd5d1436e337c4f961e9c149fbe32de6d < 9d241c5d9a9b7ad95c90c6520272fe404d5ac88f | affected |
| Linux | Linux | 77358093331e9769855140bf94a3f00ecdcf4bb1 < 7fe9d87996062f5eb0ca476ad0257f79bf43aaf5 | affected |
| Linux | Linux | c87fb861ec185fdc578b4fdc6a05920b6a843840 < 8186596a663506b1124bede9fde6f243ef9f37ee | affected |
| Linux | Linux | 45bf39f8df7f05efb83b302c65ae3b9bc92b7065 < b4a074b1fb222164ed7d5c0b8c922dc4a0840848 | affected |
| Linux | Linux | 45bf39f8df7f05efb83b302c65ae3b9bc92b7065 < b9fbfb349eacc0820f91c797d7f0a3ac7a4935b5 | affected |
| Linux | Linux | 45bf39f8df7f05efb83b302c65ae3b9bc92b7065 < ff33299ec8bb80cdcc073ad9c506bd79bb2ed20b | affected |
| Linux | Linux | 6badaf880edf51a2da7a439699676394dfdef3e5 | affected |
| Linux | Linux | 5f35b5d3bd6914c68f743741443dfd3a64b0e455 | affected |
| Linux | Linux | a1e89c8b29d003a20ed2dae6bdae1598d1f23e42 | affected |
| Linux | Linux | 1bcb238c54a9c6dc4bded06b06ba7458a5eefa87 | affected |
| Linux | Linux | 5.10.171 < 5.10.195 | affected |
| Linux | Linux | 5.15.97 < 5.15.132 | affected |
| Linux | Linux | 6.1.15 < 6.1.53 | affected |
| Linux | Linux | 4.14.308 < 4.15 | affected |
| Linux | Linux | 4.19.275 < 4.20 | affected |
| Linux | Linux | 5.4.234 < 5.5 | affected |
| Linux | Linux | 6.2.2 < 6.3 | affected |
| Linux | Linux | 6.3 | affected |
| Linux | Linux | 0 < 6.3 | unaffected |
| Linux | Linux | 5.10.195 <= 5.10.* | unaffected |
| Linux | Linux | 5.15.132 <= 5.15.* | unaffected |
| Linux | Linux | 6.1.53 <= 6.1.* | unaffected |
| Linux | Linux | 6.4.16 <= 6.4.* | unaffected |
| Linux | Linux | 6.5.3 <= 6.5.* | unaffected |
| Linux | Linux | 6.6 <= * | unaffected |
Weaknesses
ADP Enrichment
CVE Program Container
Additional References
- https://git.kernel.org/stable/c/9d241c5d9a9b7ad95c90c6520272fe404d5ac88f
- https://git.kernel.org/stable/c/7fe9d87996062f5eb0ca476ad0257f79bf43aaf5
- https://git.kernel.org/stable/c/8186596a663506b1124bede9fde6f243ef9f37ee
- https://git.kernel.org/stable/c/b4a074b1fb222164ed7d5c0b8c922dc4a0840848
- https://git.kernel.org/stable/c/b9fbfb349eacc0820f91c797d7f0a3ac7a4935b5
- https://git.kernel.org/stable/c/ff33299ec8bb80cdcc073ad9c506bd79bb2ed20b
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://git.kernel.org/stable/c/9d241c5d9a9b7ad95c90c6520272fe404d5ac88f
- https://git.kernel.org/stable/c/7fe9d87996062f5eb0ca476ad0257f79bf43aaf5
- https://git.kernel.org/stable/c/8186596a663506b1124bede9fde6f243ef9f37ee
- https://git.kernel.org/stable/c/b4a074b1fb222164ed7d5c0b8c922dc4a0840848
- https://git.kernel.org/stable/c/b9fbfb349eacc0820f91c797d7f0a3ac7a4935b5
- https://git.kernel.org/stable/c/ff33299ec8bb80cdcc073ad9c506bd79bb2ed20b
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.