Message-ID: <2024022603-CVE-2021-46906-636c@gregkh>
Date: Mon, 26 Feb 2024 18:21:03 +0100
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Subject: CVE-2021-46906: HID: usbhid: fix info leak in hid_submit_ctrl

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

HID: usbhid: fix info leak in hid_submit_ctrl

In hid_submit_ctrl(), the way of calculating the report length doesn't
take into account that report->size can be zero. When running the
syzkaller reproducer, a report of size 0 causes hid_submit_ctrl() to
calculate transfer_buffer_length as 16384. When this urb is passed to
the usb core layer, KMSAN reports an info leak of 16384 bytes.

To fix this, first modify hid_report_len() to account for the zero
report size case by using DIV_ROUND_UP for the division. Then, call it
from hid_submit_ctrl().

The Linux kernel CVE team has assigned CVE-2021-46906 to this issue.

Affected and fixed versions
===========================

	Fixed in 4.4.274 with commit c5d3c142f2d5
	Fixed in 4.9.274 with commit 41b1e71a2c57
	Fixed in 4.14.238 with commit 8c064eece9a5
	Fixed in 4.19.196 with commit 0e280502be1b
	Fixed in 5.4.127 with commit 7f5a4b24cdbd
	Fixed in 5.10.45 with commit b1e3596416d7
	Fixed in 5.12.12 with commit 21883bff0fd8
	Fixed in 5.13 with commit 6be388f4a35d

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2021-46906
will be updated if fixes are backported, please check that for the most
up to date information about this issue.

Affected files
==============

The file(s) affected by this issue are:
	drivers/hid/usbhid/hid-core.c
	include/linux/hid.h

Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/c5d3c142f2d57d40c55e65d5622d319125a45366
https://git.kernel.org/stable/c/41b1e71a2c57366b08dcca1a28b0d45ca69429ce
https://git.kernel.org/stable/c/8c064eece9a51856f3f275104520c7e3017fc5c0
https://git.kernel.org/stable/c/0e280502be1b003c3483ae03fc60dea554fcfa82
https://git.kernel.org/stable/c/7f5a4b24cdbd7372770a02f23e347d7d9a9ac8f1
https://git.kernel.org/stable/c/b1e3596416d74ce95cc0b7b38472329a3818f8a9
https://git.kernel.org/stable/c/21883bff0fd854e07429a773ff18f1e9658f50e8
https://git.kernel.org/stable/c/6be388f4a35d2ce5ef7dbf635a8964a5da7f799f
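
The length arithmetic from the Description section, as an added userspace model that is not part of the original announcement or of the kernel source. It contrasts a subtract-then-shift byte count with the DIV_ROUND_UP form for a zero-bit report. The pre-fix expression, the pad-and-clamp step, the struct and function names, and the 64-byte packet size are assumptions of this model; 16384 is the figure from the advisory, used here as the buffer size.

```c
/* Added userspace model of the report-length arithmetic; not kernel source. */
#include <stdio.h>

#define DIV_ROUND_UP(n, d) (((n) + (d) - 1) / (d))

/* Hypothetical stand-in for the two struct hid_report fields used here. */
struct report_model {
    unsigned int id;   /* report ID, 0 when reports are unnumbered */
    unsigned int size; /* report size in bits */
};

/* Assumed pre-fix form: size is unsigned, so 0 - 1 wraps before the shift. */
static unsigned int report_len_old(const struct report_model *r)
{
    return ((r->size - 1) >> 3) + 1 + (r->id > 0);
}

/* Fixed form named in the advisory: DIV_ROUND_UP yields 0 bytes for 0 bits. */
static unsigned int report_len_fixed(const struct report_model *r)
{
    return DIV_ROUND_UP(r->size, 8) + (r->id > 0);
}

/* Assumed follow-on step: pad to a packet multiple, clamp to the buffer. */
static unsigned int padded_len(unsigned int len, unsigned int maxpacket,
                               unsigned int bufsize)
{
    unsigned int padlen;
    if (maxpacket == 0)
        return 0;
    padlen = DIV_ROUND_UP(len, maxpacket) * maxpacket;
    return padlen > bufsize ? bufsize : padlen;
}

int main(void)
{
    /* Constructed sample reports: {id, size in bits}. */
    const struct report_model samples[] = { {0, 0}, {0, 1}, {0, 8}, {1, 9} };
    const unsigned int maxpacket = 64, bufsize = 16384; /* assumed values */
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        unsigned int o = report_len_old(&samples[i]);
        unsigned int f = report_len_fixed(&samples[i]);
        printf("bits=%u id=%u old=%u->%u fixed=%u->%u\n",
               samples[i].size, samples[i].id,
               o, padded_len(o, maxpacket, bufsize),
               f, padded_len(f, maxpacket, bufsize));
    }
    return 0;
}
```

For every non-zero size the two forms agree; only the zero-bit report diverges, where the wrapped length is clamped to the full buffer size instead of zero.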