CVE-2021-46906

HID: usbhid: fix info leak in hid_submit_ctrl

Severity Score

5.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved: HID: usbhid: fix info leak in hid_submit_ctrl In hid_submit_ctrl(), the way of calculating the report length doesn't
take into account that report->size can be zero. When running the
syzkaller reproducer, a report of size 0 causes hid_submit_ctrl) to
calculate transfer_buffer_length as 16384. When this urb is passed to
the usb core layer, KMSAN reports an info leak of 16384 bytes. To fix this, first modify hid_report_len() to account for the zero
report size case by using DIV_ROUND_UP for the division. Then, call it
from hid_submit_ctrl().

En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: HID: usbhid: corrige fuga de información en hid_submit_ctrl En hid_submit_ctrl(), la forma de calcular la longitud del informe no tiene en cuenta que el tamaño del informe->puede ser cero. Cuando se ejecuta el reproductor syzkaller, un informe de tamaño 0 hace que hid_submit_ctrl) calcule transfer_buffer_length como 16384. Cuando esta urb se pasa a la capa central USB, KMSAN informa una fuga de información de 16384 bytes. Para solucionar este problema, primero modifique hid_report_len() para tener en cuenta el caso de tamaño de informe cero utilizando DIV_ROUND_UP para la división. Luego, llámalo desde hid_submit_ctrl().

In the Linux kernel, the following vulnerability has been resolved: HID: usbhid: fix info leak in hid_submit_ctrl In hid_submit_ctrl(), the way of calculating the report length doesn't take into account that report->size can be zero. When running the syzkaller reproducer, a report of size 0 causes hid_submit_ctrl) to calculate transfer_buffer_length as 16384. When this urb is passed to the usb core layer, KMSAN reports an info leak of 16384 bytes. To fix this, first modify hid_report_len() to account for the zero report size case by using DIV_ROUND_UP for the division. Then, call it from hid_submit_ctrl().

*Credits: N/A

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Attack Vector

Local

Attack Complexity

Low

Authentication

Single

Confidentiality

Complete

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-02-25 CVE Reserved
2024-02-26 CVE Published
2024-12-19 CVE Updated
2025-03-30 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-668: Exposure of Resource to Wrong Sphere

CAPEC

References (8)

URL	Tag	Source

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/c5d3c142f2d57d40c55e65d5622d319125a45366	2021-06-30
https://git.kernel.org/stable/c/41b1e71a2c57366b08dcca1a28b0d45ca69429ce	2021-06-30
https://git.kernel.org/stable/c/8c064eece9a51856f3f275104520c7e3017fc5c0	2021-06-30
https://git.kernel.org/stable/c/0e280502be1b003c3483ae03fc60dea554fcfa82	2021-06-30
https://git.kernel.org/stable/c/7f5a4b24cdbd7372770a02f23e347d7d9a9ac8f1	2021-06-18
https://git.kernel.org/stable/c/b1e3596416d74ce95cc0b7b38472329a3818f8a9	2021-06-18
https://git.kernel.org/stable/c/21883bff0fd854e07429a773ff18f1e9658f50e8	2021-06-18
https://git.kernel.org/stable/c/6be388f4a35d2ce5ef7dbf635a8964a5da7f799f	2021-05-05

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				< 4.4.274 Search vendor "Linux" for product "Linux Kernel" and version " < 4.4.274"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				< 4.9.274 Search vendor "Linux" for product "Linux Kernel" and version " < 4.9.274"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				< 4.14.238 Search vendor "Linux" for product "Linux Kernel" and version " < 4.14.238"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				< 4.19.196 Search vendor "Linux" for product "Linux Kernel" and version " < 4.19.196"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				< 5.4.127 Search vendor "Linux" for product "Linux Kernel" and version " < 5.4.127"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				< 5.10.45 Search vendor "Linux" for product "Linux Kernel" and version " < 5.10.45"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				< 5.12.12 Search vendor "Linux" for product "Linux Kernel" and version " < 5.12.12"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				< 5.13 Search vendor "Linux" for product "Linux Kernel" and version " < 5.13"		en		Affected