CVE-2023-53644

Summary

In the Linux kernel, the following vulnerability has been resolved:

media: radio-shark: Add endpoint checks

The syzbot fuzzer was able to provoke a WARNING from the radio-shark2 driver:

————[ cut here ]———— usb 1-1: BOGUS urb xfer, pipe 1 != type 3 WARNING: CPU: 0 PID: 3271 at drivers/usb/core/urb.c:504 usb_submit_urb+0xed2/0x1880 drivers/usb/core/urb.c:504 Modules linked in: CPU: 0 PID: 3271 Comm: kworker/0:3 Not tainted 6.1.0-rc4-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 Workqueue: usb_hub_wq hub_event RIP: 0010:usb_submit_urb+0xed2/0x1880 drivers/usb/core/urb.c:504 Code: 7c 24 18 e8 00 36 ea fb 48 8b 7c 24 18 e8 36 1c 02 ff 41 89 d8 44 89 e1 4c 89 ea 48 89 c6 48 c7 c7 a0 b6 90 8a e8 9a 29 b8 03 <0f> 0b e9 58 f8 ff ff e8 d2 35 ea fb 48 81 c5 c0 05 00 00 e9 84 f7 RSP: 0018:ffffc90003876dd0 EFLAGS: 00010282 RAX: 0000000000000000 RBX: 0000000000000003 RCX: 0000000000000000 RDX: ffff8880750b0040 RSI: ffffffff816152b8 RDI: fffff5200070edac RBP: ffff8880172d81e0 R08: 0000000000000005 R09: 0000000000000000 R10: 0000000080000000 R11: 0000000000000000 R12: 0000000000000001 R13: ffff8880285c5040 R14: 0000000000000002 R15: ffff888017158200 FS: 0000000000000000(0000) GS:ffff8880b9a00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007ffe03235b90 CR3: 000000000bc8e000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> usb_start_wait_urb+0x101/0x4b0 drivers/usb/core/message.c:58 usb_bulk_msg+0x226/0x550 drivers/usb/core/message.c:387 shark_write_reg+0x1ff/0x2e0 drivers/media/radio/radio-shark2.c:88 …

The problem was caused by the fact that the driver does not check whether the endpoints it uses are actually present and have the appropriate types. This can be fixed by adding a simple check of these endpoints (and similarly for the radio-shark driver).

Affected Software

VendorProductVersion RangeStatus
LinuxLinux8e2ce73e932b629c3e12546e5fffac7ee54d0093 < 3ed6a312ac1e7278f92b1b3d95377b335ae21e89affected
LinuxLinux8e2ce73e932b629c3e12546e5fffac7ee54d0093 < afd72825b4fcb7ae4015e1c93b054f4c37a25684affected
LinuxLinux8e2ce73e932b629c3e12546e5fffac7ee54d0093 < 2b580d0f03c4fc00013cd08f9ed96b87a08fd0d9affected
LinuxLinux8e2ce73e932b629c3e12546e5fffac7ee54d0093 < 8a30dce9d7f70f8438956f6a01142b926c301334affected
LinuxLinux8e2ce73e932b629c3e12546e5fffac7ee54d0093 < b1bde4b4360c3d8a35504443efabd3243b802805affected
LinuxLinux8e2ce73e932b629c3e12546e5fffac7ee54d0093 < 53764a17f5d8f0d00b13297d06b5e65fa844288baffected
LinuxLinux8e2ce73e932b629c3e12546e5fffac7ee54d0093 < 4c3057a1927fa0b9ed8948b6f3b56b4ff9fa63d3affected
LinuxLinux8e2ce73e932b629c3e12546e5fffac7ee54d0093 < 76e31045ba030e94e72105c01b2e98f543d175acaffected
LinuxLinux3.6affected
LinuxLinux0 < 3.6unaffected
LinuxLinux4.14.316 <= 4.14.*unaffected
LinuxLinux4.19.284 <= 4.19.*unaffected
LinuxLinux5.4.244 <= 5.4.*unaffected
LinuxLinux5.10.181 <= 5.10.*unaffected
LinuxLinux5.15.114 <= 5.15.*unaffected
LinuxLinux6.1.31 <= 6.1.*unaffected
LinuxLinux6.3.5 <= 6.3.*unaffected
LinuxLinux6.4 <= *unaffected

Weaknesses

References