| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025022651-CVE-2022-49051-08bd@gregkh> Date: Wed, 26 Feb 2025 02:54:16 +0100 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org> Subject: CVE-2022-49051: net: usb: aqc111: Fix out-of-bounds accesses in RX fixup Description =========== In the Linux kernel, the following vulnerability has been resolved: net: usb: aqc111: Fix out-of-bounds accesses in RX fixup aqc111_rx_fixup() contains several out-of-bounds accesses that can be triggered by a malicious (or defective) USB device, in particular: - The metadata array (desc_offset..desc_offset+2*pkt_count) can be out of bounds, causing OOB reads and (on big-endian systems) OOB endianness flips. - A packet can overlap the metadata array, causing a later OOB endianness flip to corrupt data used by a cloned SKB that has already been handed off into the network stack. - A packet SKB can be constructed whose tail is far beyond its end, causing out-of-bounds heap data to be considered part of the SKB's data. Found doing variant analysis. Tested it with another driver (ax88179_178a), since I don't have a aqc111 device to test it, but the code looks very similar. The Linux kernel CVE team has assigned CVE-2022-49051 to this issue. Affected and fixed versions =========================== Fixed in 5.4.190 with commit 404998a137bcb8a926f7c949030afbe285472593 Fixed in 5.10.112 with commit d90df6da50c56ad8b1a132e3cf86b6cdf8f507b7 Fixed in 5.15.35 with commit b416898442f2b6aa9f1b2f2968ce07e3abaa05f7 Fixed in 5.17.4 with commit 36311fe98f55dea9200c69e2dd6d6ddb8fc94080 Fixed in 5.18 with commit afb8e246527536848b9b4025b40e613edf776a9d Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2022-49051 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: drivers/net/usb/aqc111.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/404998a137bcb8a926f7c949030afbe285472593 https://git.kernel.org/stable/c/d90df6da50c56ad8b1a132e3cf86b6cdf8f507b7 https://git.kernel.org/stable/c/b416898442f2b6aa9f1b2f2968ce07e3abaa05f7 https://git.kernel.org/stable/c/36311fe98f55dea9200c69e2dd6d6ddb8fc94080 https://git.kernel.org/stable/c/afb8e246527536848b9b4025b40e613edf776a9d
Powered by blists - more mailing lists