CVE-2023-52886

{"id": "CVE-2023-52886", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.4, "attackVector": "PHYSICAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 0.5}]}, "published": "2024-07-16T10:15:02.493", "references": [{"url": "https://git.kernel.org/stable/c/7fe9d87996062f5eb0ca476ad0257f79bf43aaf5", "tags": ["Mailing List", "Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/8186596a663506b1124bede9fde6f243ef9f37ee", "tags": ["Mailing List", "Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/9d241c5d9a9b7ad95c90c6520272fe404d5ac88f", "tags": ["Mailing List", "Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/b4a074b1fb222164ed7d5c0b8c922dc4a0840848", "tags": ["Mailing List", "Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/b9fbfb349eacc0820f91c797d7f0a3ac7a4935b5", "tags": ["Mailing List", "Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/ff33299ec8bb80cdcc073ad9c506bd79bb2ed20b", "tags": ["Mailing List", "Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-125"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nUSB: core: Fix race by not overwriting udev->descriptor in hub_port_init()\n\nSyzbot reported an out-of-bounds read in sysfs.c:read_descriptors():\n\nBUG: KASAN: slab-out-of-bounds in read_descriptors+0x263/0x280 drivers/usb/core/sysfs.c:883\nRead of size 8 at addr ffff88801e78b8c8 by task udevd/5011\n\nCPU: 0 PID: 5011 Comm: udevd Not tainted 6.4.0-rc6-syzkaller-00195-g40f71e7cd3c6 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0xd9/0x150 lib/dump_stack.c:106\n print_address_description.constprop.0+0x2c/0x3c0 mm/kasan/report.c:351\n print_report mm/kasan/report.c:462 [inline]\n kasan_report+0x11c/0x130 mm/kasan/report.c:572\n read_descriptors+0x263/0x280 drivers/usb/core/sysfs.c:883\n...\nAllocated by task 758:\n...\n __do_kmalloc_node mm/slab_common.c:966 [inline]\n __kmalloc+0x5e/0x190 mm/slab_common.c:979\n kmalloc include/linux/slab.h:563 [inline]\n kzalloc include/linux/slab.h:680 [inline]\n usb_get_configuration+0x1f7/0x5170 drivers/usb/core/config.c:887\n usb_enumerate_device drivers/usb/core/hub.c:2407 [inline]\n usb_new_device+0x12b0/0x19d0 drivers/usb/core/hub.c:2545\n\nAs analyzed by Khazhy Kumykov, the cause of this bug is a race between\nread_descriptors() and hub_port_init(): The first routine uses a field\nin udev->descriptor, not expecting it to change, while the second\noverwrites it.\n\nPrior to commit 45bf39f8df7f (\"USB: core: Don't hold device lock while\nreading the \"descriptors\" sysfs file\") this race couldn't occur,\nbecause the routines were mutually exclusive thanks to the device\nlocking. Removing that locking from read_descriptors() exposed it to\nthe race.\n\nThe best way to fix the bug is to keep hub_port_init() from changing\nudev->descriptor once udev has been initialized and registered.\nDrivers expect the descriptors stored in the kernel to be immutable;\nwe should not undermine this expectation. In fact, this change should\nhave been made long ago.\n\nSo now hub_port_init() will take an additional argument, specifying a\nbuffer in which to store the device descriptor it reads. (If udev has\nnot yet been initialized, the buffer pointer will be NULL and then\nhub_port_init() will store the device descriptor in udev as before.)\nThis eliminates the data race responsible for the out-of-bounds read.\n\nThe changes to hub_port_init() appear more extensive than they really\nare, because of indentation changes resulting from an attempt to avoid\nwriting to other parts of the usb_device structure after it has been\ninitialized. Similar changes should be made to the code that reads\nthe BOS descriptor, but that can be handled in a separate patch later\non. This patch is sufficient to fix the bug found by syzbot."}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: USB: core: corrige la ejecuci\u00f3n al no sobrescribir udev-&gt;descriptor en hub_port_init() Syzbot inform\u00f3 una lectura fuera de los l\u00edmites en sysfs.c:read_descriptors(): ERROR: KASAN : slab-out-of-bounds in read_descriptors+0x263/0x280 drivers/usb/core/sysfs.c:883 Lectura de tama\u00f1o 8 en addr ffff88801e78b8c8 por tarea udevd/5011 CPU: 0 PID: 5011 Comm: udevd No contaminado 6.4. 0-rc6-syzkaller-00195-g40f71e7cd3c6 #0 Nombre del hardware: Google Google Compute Engine/Google Compute Engine, BIOS Google 27/05/2023 Seguimiento de llamadas: __dump_stack lib/dump_stack.c:88 [en l\u00ednea] dump_stack_lvl+0xd9 /0x150 lib/dump_stack.c:106 print_address_description.constprop.0+0x2c/0x3c0 mm/kasan/report.c:351 print_report mm/kasan/report.c:462 [en l\u00ednea] kasan_report+0x11c/0x130 mm/kasan/report .c:572 read_descriptors+0x263/0x280 drivers/usb/core/sysfs.c:883 ... Asignado por la tarea 758: ... __do_kmalloc_node mm/slab_common.c:966 [en l\u00ednea] __kmalloc+0x5e/0x190 mm/slab_common .c:979 kmalloc include/linux/slab.h:563 [en l\u00ednea] kzalloc include/linux/slab.h:680 [en l\u00ednea] usb_get_configuration+0x1f7/0x5170 drivers/usb/core/config.c:887 usb_enumerate_device drivers/usb /core/hub.c:2407 [en l\u00ednea] usb_new_device+0x12b0/0x19d0 drivers/usb/core/hub.c:2545 Seg\u00fan lo analizado por Khazhy Kumykov, la causa de este error es una ejecuci\u00f3n entre read_descriptors() y hub_port_init(): La primera rutina usa un campo en udev-&gt;descriptor, sin esperar que cambie, mientras que la segunda lo sobrescribe. Antes de commit 45bf39f8df7f (\"USB: core: No mantener bloqueado el dispositivo mientras lee el archivo sysfs de \"descriptores\") esta ejecuci\u00f3n no pod\u00eda ocurrir porque las rutinas eran mutuamente excluyentes gracias al bloqueo del dispositivo. Quitar ese bloqueo de read_descriptors() lo expuso a la ejecuci\u00f3n. La mejor manera de corregir el error es evitar que hub_port_init() cambie el descriptor udev-&gt;una vez que udev se haya inicializado y registrado. Los controladores esperan que los descriptores almacenados en el kernel sean inmutables; No debemos socavar esta expectativa. De hecho, este cambio deber\u00eda haberse realizado hace mucho tiempo. Entonces ahora hub_port_init() tomar\u00e1 un argumento adicional, especificando un b\u00fafer en el cual almacenar el descriptor del dispositivo que lee. (Si udev a\u00fan no se ha inicializado, el puntero del b\u00fafer ser\u00e1 NULL y luego hub_port_init() almacenar\u00e1 el descriptor del dispositivo en udev como antes). Esto elimina la ejecuci\u00f3n de datos responsable de la lectura fuera de los l\u00edmites. Los cambios en hub_port_init() parecen m\u00e1s extensos de lo que realmente son, debido a los cambios de sangr\u00eda resultantes de un intento de evitar escribir en otras partes de la estructura usb_device despu\u00e9s de que se haya inicializado. Se deben realizar cambios similares en el c\u00f3digo que lee el descriptor BOS, pero eso se puede manejar en un parche separado m\u00e1s adelante. Este parche es suficiente para corregir el error encontrado por syzbot."}], "lastModified": "2024-08-21T17:28:49.267", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "99B4D934-EEA7-4F5C-8D50-00B56A8A110D", "versionEndExcluding": "5.10.195", "versionStartIncluding": "5.10.171"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A4BAAF72-0C38-4E64-9F28-D9D51C6537F7", "versionEndExcluding": "5.15.132", "versionStartIncluding": "5.15.97"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7B451AC8-736D-4DEB-ADEA-03790BCEE7B5", "versionEndExcluding": "6.1.53", "versionStartIncluding": "6.1.15"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "27AD8520-E4FB-4ABB-8C4F-ED0C20CAFC66", "versionEndExcluding": "6.4.16", "versionStartIncluding": "6.3"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "880C803A-BEAE-4DA0-8A59-AC023F7B4EE3", "versionEndExcluding": "6.5.3", "versionStartIncluding": "6.5"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}