// For flags

CVE-2021-46906

HID: usbhid: fix info leak in hid_submit_ctrl

Severity Score

5.5
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

Track
*SSVC
Descriptions

In the Linux kernel, the following vulnerability has been resolved:

HID: usbhid: fix info leak in hid_submit_ctrl

In hid_submit_ctrl(), the way of calculating the report length doesn't
take into account that report->size can be zero. When running the
syzkaller reproducer, a report of size 0 causes hid_submit_ctrl) to
calculate transfer_buffer_length as 16384. When this urb is passed to
the usb core layer, KMSAN reports an info leak of 16384 bytes.

To fix this, first modify hid_report_len() to account for the zero
report size case by using DIV_ROUND_UP for the division. Then, call it
from hid_submit_ctrl().

En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: HID: usbhid: corrige fuga de información en hid_submit_ctrl En hid_submit_ctrl(), la forma de calcular la longitud del informe no tiene en cuenta que el tamaño del informe->puede ser cero. Cuando se ejecuta el reproductor syzkaller, un informe de tamaño 0 hace que hid_submit_ctrl) calcule transfer_buffer_length como 16384. Cuando esta urb se pasa a la capa central USB, KMSAN informa una fuga de información de 16384 bytes. Para solucionar este problema, primero modifique hid_report_len() para tener en cuenta el caso de tamaño de informe cero utilizando DIV_ROUND_UP para la división. Luego, llámalo desde hid_submit_ctrl().

*Credits: N/A
CVSS Scores
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:Track
Exploitation
None
Automatable
No
Tech. Impact
Partial
* Organization's Worst-case Scenario
Timeline
  • 2024-02-25 CVE Reserved
  • 2024-02-26 CVE Published
  • 2024-02-27 EPSS Updated
  • 2024-09-11 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-668: Exposure of Resource to Wrong Sphere
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Linux
Search vendor "Linux"
 Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
 < 4.4.274
Search vendor "Linux" for product "Linux Kernel" and version " < 4.4.274"
en
Affected
Linux
Search vendor "Linux"
 Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
 < 4.9.274
Search vendor "Linux" for product "Linux Kernel" and version " < 4.9.274"
en
Affected
Linux
Search vendor "Linux"
 Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
 < 4.14.238
Search vendor "Linux" for product "Linux Kernel" and version " < 4.14.238"
en
Affected
Linux
Search vendor "Linux"
 Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
 < 4.19.196
Search vendor "Linux" for product "Linux Kernel" and version " < 4.19.196"
en
Affected
Linux
Search vendor "Linux"
 Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
 < 5.4.127
Search vendor "Linux" for product "Linux Kernel" and version " < 5.4.127"
en
Affected
Linux
Search vendor "Linux"
 Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
 < 5.10.45
Search vendor "Linux" for product "Linux Kernel" and version " < 5.10.45"
en
Affected
Linux
Search vendor "Linux"
 Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
 < 5.12.12
Search vendor "Linux" for product "Linux Kernel" and version " < 5.12.12"
en
Affected
Linux
Search vendor "Linux"
 Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
 < 5.13
Search vendor "Linux" for product "Linux Kernel" and version " < 5.13"
en
Affected