CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2022-48838 – usb: gadget: Fix use-after-free bug by not setting udc->dev.driver
https://notcve.org/view.php?id=CVE-2022-48838
In the Linux kernel, the following vulnerability has been resolved: usb: gadget: Fix use-after-free bug by not setting udc->dev.driver The syzbot fuzzer found a use-after-free bug: BUG: KASAN: use-after-free in dev_uevent+0x712/0x780 drivers/base/core.c:2320 Read of size 8 at addr ffff88802b934098 by task udevd/3689 CPU: 2 PID: 3689 Comm: udevd Not tainted 5.17.0-rc4-syzkaller-00229-g4f12b742eb2b #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 print_address_description.constprop.0.cold+0x8d/0x303 mm/kasan/report.c:255 __kasan_report mm/kasan/report.c:442 [inline] kasan_report.cold+0x83/0xdf mm/kasan/report.c:459 dev_uevent+0x712/0x780 drivers/base/core.c:2320 uevent_show+0x1b8/0x380 drivers/base/core.c:2391 dev_attr_show+0x4b/0x90 drivers/base/core.c:2094 Although the bug manifested in the driver core, the real cause was a race with the gadget core. dev_uevent() does: if (dev->driver) add_uevent_var(env, "DRIVER=%s", dev->driver->name); and between the test and the dereference of dev->driver, the gadget core sets dev->driver to NULL. The race wouldn't occur if the gadget core registered its devices on a real bus, using the standard synchronization techniques of the driver core. However, it's not necessary to make such a large change in order to fix this bug; all we need to do is make sure that udc->dev.driver is always NULL. In fact, there is no reason for udc->dev.driver ever to be set to anything, let alone to the value it currently gets: the address of the gadget's driver. After all, a gadget driver only knows how to manage a gadget, not how to manage a UDC. This patch simply removes the statements in the gadget core that touch udc->dev.driver. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: usb: gadget: corrige el error de use-after-free al no configurar udc->dev.driver El syzbot fuzzer encontró un error de use-after-free: ERROR: KASAN: uso- after-free en dev_uevent+0x712/0x780 drivers/base/core.c:2320 Lectura de tamaño 8 en addr ffff88802b934098 por tarea udevd/3689 CPU: 2 PID: 3689 Comm: udevd Not tainted 5.17.0-rc4-syzkaller-00229 -g4f12b742eb2b #0 Nombre del hardware: PC estándar QEMU (Q35 + ICH9, 2009), BIOS 1.14.0-2 01/04/2014 Seguimiento de llamadas: __dump_stack lib/dump_stack.c:88 [en línea] dump_stack_lvl+0xcd/ 0x134 lib/dump_stack.c:106 print_address_description.constprop.0.cold+0x8d/0x303 mm/kasan/report.c:255 __kasan_report mm/kasan/report.c:442 [en línea] kasan_report.cold+0x83/0xdf mm/ kasan/report.c:459 dev_uevent+0x712/0x780 drivers/base/core.c:2320 uevent_show+0x1b8/0x380 drivers/base/core.c:2391 dev_attr_show+0x4b/0x90 drivers/base/core.c:2094 Aunque El error se manifestó en el núcleo del controlador, la verdadera causa fue una ejecución con el núcleo del dispositivo. dev_uevent() hace: if (dev->driver) add_uevent_var(env, "DRIVER=%s", dev->driver->name); y entre la prueba y la desreferencia de dev->driver, el núcleo del gadget establece dev->driver en NULL. • https://git.kernel.org/stable/c/2ccea03a8f7ec93641791f2760d7cdc6cab6205f https://git.kernel.org/stable/c/4325124dde6726267813c736fee61226f1d38f0b https://git.kernel.org/stable/c/e2d3a7009e505e120805f449c832942660f3f7f3 https://git.kernel.org/stable/c/609a7119bffe3ddd7c93f2fa65be8917e02a0b7e https://git.kernel.org/stable/c/2282a6eb6d4e118e294e43dcc421e0e0fe4040b5 https://git.kernel.org/stable/c/00bdd9bf1ac6d401ad926d3d8df41b9f1399f646 https://git.kernel.org/stable/c/2015c23610cd0efadaeca4d3a8d1dae9a45aa35a https://git.kernel.org/stable/c/27d64436984fb8835a8b7e95993193cc4 • CWE-416: Use After Free •
CVSS: 7.8EPSS: 0%CPEs: 7EXPL: 0CVE-2022-48837 – usb: gadget: rndis: prevent integer overflow in rndis_set_response()
https://notcve.org/view.php?id=CVE-2022-48837
In the Linux kernel, the following vulnerability has been resolved: usb: gadget: rndis: prevent integer overflow in rndis_set_response() If "BufOffset" is very large the "BufOffset + 8" operation can have an integer overflow. En el kernel de Linux se ha resuelto la siguiente vulnerabilidad: usb: gadget:rndis: previene el desbordamiento de enteros en rndis_set_response() Si "BufOffset" es muy grande la operación "BufOffset + 8" puede tener un desbordamiento de enteros. • https://git.kernel.org/stable/c/ff0a90739925734c91c7e39befe3f4378e0c1369 https://git.kernel.org/stable/c/4c22fbcef778badb00fb8bb9f409daa29811c175 https://git.kernel.org/stable/c/db9aaa3026298d652e98f777bc0f5756e2455dda https://git.kernel.org/stable/c/c9e952871ae47af784b4aef0a77db02e557074d6 https://git.kernel.org/stable/c/fb4ff0f96de37c44236598e8b53fe43b1df36bf3 https://git.kernel.org/stable/c/2da3b0ab54fb7f4d7c5a82757246d0ee33a47197 https://git.kernel.org/stable/c/2724ebafda0a8df08a9cb91557d33226bee80f7b https://git.kernel.org/stable/c/8b3e4d26bc9cd0f6373d0095b9ffd99e7 • CWE-190: Integer Overflow or Wraparound •
CVSS: 5.5EPSS: 0%CPEs: 10EXPL: 0CVE-2022-48836 – Input: aiptek - properly check endpoint type
https://notcve.org/view.php?id=CVE-2022-48836
In the Linux kernel, the following vulnerability has been resolved: Input: aiptek - properly check endpoint type Syzbot reported warning in usb_submit_urb() which is caused by wrong endpoint type. There was a check for the number of endpoints, but not for the type of endpoint. Fix it by replacing old desc.bNumEndpoints check with usb_find_common_endpoints() helper for finding endpoints Fail log: usb 5-1: BOGUS urb xfer, pipe 1 != type 3 WARNING: CPU: 2 PID: 48 at drivers/usb/core/urb.c:502 usb_submit_urb+0xed2/0x18a0 drivers/usb/core/urb.c:502 Modules linked in: CPU: 2 PID: 48 Comm: kworker/2:2 Not tainted 5.17.0-rc6-syzkaller-00226-g07ebd38a0da2 #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014 Workqueue: usb_hub_wq hub_event ... Call Trace: <TASK> aiptek_open+0xd5/0x130 drivers/input/tablet/aiptek.c:830 input_open_device+0x1bb/0x320 drivers/input/input.c:629 kbd_connect+0xfe/0x160 drivers/tty/vt/keyboard.c:1593 • https://git.kernel.org/stable/c/8e20cf2bce122ce9262d6034ee5d5b76fbb92f96 https://git.kernel.org/stable/c/90eb3c037fe3f0f25f01713a92725a8daa2b41f3 https://git.kernel.org/stable/c/a7c0ba06670f99c252d5bb74258dddbf50fef837 https://git.kernel.org/stable/c/57277a8b5d881e02051ba9d7f6cb3f915c229821 https://git.kernel.org/stable/c/fc8033a55e2796d21e370260a784ac9fbb8305a6 https://git.kernel.org/stable/c/6de20111cd0bb7da9b2294073ba00c7d2a6c1c4f https://git.kernel.org/stable/c/e732b0412f8c603d1e998f3bff41b5e7d5c3914c https://git.kernel.org/stable/c/f0d43d22d24182b94d7eb78a2bf6ae7e2 •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2022-48835 – scsi: mpt3sas: Page fault in reply q processing
https://notcve.org/view.php?id=CVE-2022-48835
In the Linux kernel, the following vulnerability has been resolved: scsi: mpt3sas: Page fault in reply q processing A page fault was encountered in mpt3sas on a LUN reset error path: [ 145.763216] mpt3sas_cm1: Task abort tm failed: handle(0x0002),timeout(30) tr_method(0x0) smid(3) msix_index(0) [ 145.778932] scsi 1:0:0:0: task abort: FAILED scmd(0x0000000024ba29a2) [ 145.817307] scsi 1:0:0:0: attempting device reset! scmd(0x0000000024ba29a2) [ 145.827253] scsi 1:0:0:0: [sg1] tag#2 CDB: Receive Diagnostic 1c 01 01 ff fc 00 [ 145.837617] scsi target1:0:0: handle(0x0002), sas_address(0x500605b0000272b9), phy(0) [ 145.848598] scsi target1:0:0: enclosure logical id(0x500605b0000272b8), slot(0) [ 149.858378] mpt3sas_cm1: Poll ReplyDescriptor queues for completion of smid(0), task_type(0x05), handle(0x0002) [ 149.875202] BUG: unable to handle page fault for address: 00000007fffc445d [ 149.885617] #PF: supervisor read access in kernel mode [ 149.894346] #PF: error_code(0x0000) - not-present page [ 149.903123] PGD 0 P4D 0 [ 149.909387] Oops: 0000 [#1] PREEMPT SMP NOPTI [ 149.917417] CPU: 24 PID: 3512 Comm: scsi_eh_1 Kdump: loaded Tainted: G S O 5.10.89-altav-1 #1 [ 149.934327] Hardware name: DDN 200NVX2 /200NVX2-MB , BIOS ATHG2.2.02.01 09/10/2021 [ 149.951871] RIP: 0010:_base_process_reply_queue+0x4b/0x900 [mpt3sas] [ 149.961889] Code: 0f 84 22 02 00 00 8d 48 01 49 89 fd 48 8d 57 38 f0 0f b1 4f 38 0f 85 d8 01 00 00 49 8b 45 10 45 31 e4 41 8b 55 0c 48 8d 1c d0 <0f> b6 03 83 e0 0f 3c 0f 0f 85 a2 00 00 00 e9 e6 01 00 00 0f b7 ee [ 149.991952] RSP: 0018:ffffc9000f1ebcb8 EFLAGS: 00010246 [ 150.000937] RAX: 0000000000000055 RBX: 00000007fffc445d RCX: 000000002548f071 [ 150.011841] RDX: 00000000ffff8881 RSI: 0000000000000001 RDI: ffff888125ed50d8 [ 150.022670] RBP: 0000000000000000 R08: 0000000000000000 R09: c0000000ffff7fff [ 150.033445] R10: ffffc9000f1ebb68 R11: ffffc9000f1ebb60 R12: 0000000000000000 [ 150.044204] R13: ffff888125ed50d8 R14: 0000000000000080 R15: 34cdc00034cdea80 [ 150.054963] FS: 0000000000000000(0000) GS:ffff88dfaf200000(0000) knlGS:0000000000000000 [ 150.066715] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 150.076078] CR2: 00000007fffc445d CR3: 000000012448a006 CR4: 0000000000770ee0 [ 150.086887] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 150.097670] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 150.108323] PKRU: 55555554 [ 150.114690] Call Trace: [ 150.120497] ? printk+0x48/0x4a [ 150.127049] mpt3sas_scsih_issue_tm.cold.114+0x2e/0x2b3 [mpt3sas] [ 150.136453] mpt3sas_scsih_issue_locked_tm+0x86/0xb0 [mpt3sas] [ 150.145759] scsih_dev_reset+0xea/0x300 [mpt3sas] [ 150.153891] scsi_eh_ready_devs+0x541/0x9e0 [scsi_mod] [ 150.162206] ? __scsi_host_match+0x20/0x20 [scsi_mod] [ 150.170406] ? scsi_try_target_reset+0x90/0x90 [scsi_mod] [ 150.178925] ? • https://git.kernel.org/stable/c/711a923c14d9a48d15a30a2c085184954bf04931 https://git.kernel.org/stable/c/98e7a654a5bebaf1a28e987af5e44c002544a413 https://git.kernel.org/stable/c/0cd2dd4bcf4abc812148c4943f966a3c8dccb00f https://git.kernel.org/stable/c/3916e33b917581e2b2086e856c291cb86ea98a05 https://git.kernel.org/stable/c/69ad4ef868c1fc7609daa235dfa46d28ba7a3ba3 • CWE-763: Release of Invalid Pointer or Reference •
CVSS: 7.8EPSS: 0%CPEs: 5EXPL: 0CVE-2022-48834 – usb: usbtmc: Fix bug in pipe direction for control transfers
https://notcve.org/view.php?id=CVE-2022-48834
In the Linux kernel, the following vulnerability has been resolved: usb: usbtmc: Fix bug in pipe direction for control transfers The syzbot fuzzer reported a minor bug in the usbtmc driver: usb 5-1: BOGUS control dir, pipe 80001e80 doesn't match bRequestType 0 WARNING: CPU: 0 PID: 3813 at drivers/usb/core/urb.c:412 usb_submit_urb+0x13a5/0x1970 drivers/usb/core/urb.c:410 Modules linked in: CPU: 0 PID: 3813 Comm: syz-executor122 Not tainted 5.17.0-rc5-syzkaller-00306-g2293be58d6a1 #0 ... Call Trace: <TASK> usb_start_wait_urb+0x113/0x530 drivers/usb/core/message.c:58 usb_internal_control_msg drivers/usb/core/message.c:102 [inline] usb_control_msg+0x2a5/0x4b0 drivers/usb/core/message.c:153 usbtmc_ioctl_request drivers/usb/class/usbtmc.c:1947 [inline] The problem is that usbtmc_ioctl_request() uses usb_rcvctrlpipe() for all of its transfers, whether they are in or out. It's easy to fix. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: usb: usbtmc: corrige un error en la dirección de la tubería para las transferencias de control. El syzbot fuzzer informó un error menor en el controlador usbtmc: usb 5-1: directorio de control BOGUS, la tubería 80001e80 no coincide con bRequestType 0 ADVERTENCIA: CPU: 0 PID: 3813 en drivers/usb/core/urb.c:412 usb_submit_urb+0x13a5/0x1970 drivers/usb/core/urb.c:410 Módulos vinculados en: CPU: 0 PID: 3813 Comm : syz-executor122 No contaminado 5.17.0-rc5-syzkaller-00306-g2293be58d6a1 #0 ... Seguimiento de llamadas: usb_start_wait_urb+0x113/0x530 drivers/usb/core/message.c:58 usb_internal_control_msg drivers/usb/core /message.c:102 [en línea] usb_control_msg+0x2a5/0x4b0 drivers/usb/core/message.c:153 usbtmc_ioctl_request drivers/usb/class/usbtmc.c:1947 [en línea] El problema es que usbtmc_ioctl_request() usa usb_rcvctrlpipe( ) para todas sus transferencias, ya sean de entrada o de salida. • https://git.kernel.org/stable/c/700a0715854c1e79a73341724ce4f5bb01abc016 https://git.kernel.org/stable/c/10a805334a11acd547602d6c4cf540a0f6ab5c6e https://git.kernel.org/stable/c/c69aef9db878ab277068a8cc1b4bf0cf309dc2b7 https://git.kernel.org/stable/c/5f6a2d63c68c12cf61259df7c3527a0e05dce952 https://git.kernel.org/stable/c/e9b667a82cdcfe21d590344447d65daed52b353b •