6.8

CVE-2022-49051

net: usb: aqc111: Fix out-of-bounds accesses in RX fixup

In the Linux kernel, the following vulnerability has been resolved:

net: usb: aqc111: Fix out-of-bounds accesses in RX fixup

aqc111_rx_fixup() contains several out-of-bounds accesses that can be
triggered by a malicious (or defective) USB device, in particular:

 - The metadata array (desc_offset..desc_offset+2*pkt_count) can be out of bounds,
   causing OOB reads and (on big-endian systems) OOB endianness flips.
 - A packet can overlap the metadata array, causing a later OOB
   endianness flip to corrupt data used by a cloned SKB that has already
   been handed off into the network stack.
 - A packet SKB can be constructed whose tail is far beyond its end,
   causing out-of-bounds heap data to be considered part of the SKB's
   data.

Found doing variant analysis. Tested it with another driver (ax88179_178a), since
I don't have a aqc111 device to test it, but the code looks very similar.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
LinuxLinux Kernel Version >= 5.0 < 5.4.190
LinuxLinux Kernel Version >= 5.5 < 5.10.112
LinuxLinux Kernel Version >= 5.11 < 5.15.35
LinuxLinux Kernel Version >= 5.16 < 5.17.4
LinuxLinux Kernel Version5.18 Updaterc1
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.41% 0.326
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 6.8 0.9 5.9
CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE-125 Out-of-bounds Read

The product reads data past the end, or before the beginning, of the intended buffer.

CWE-787 Out-of-bounds Write

The product writes data past the end, or before the beginning, of the intended buffer.

https://git.kernel.org/stable/c/36311fe98f55dea9200c69e2dd6d6ddb8fc94080
Patch
https://git.kernel.org/stable/c/404998a137bcb8a926f7c949030afbe285472593
Patch
https://git.kernel.org/stable/c/afb8e246527536848b9b4025b40e613edf776a9d
Patch
https://git.kernel.org/stable/c/b416898442f2b6aa9f1b2f2968ce07e3abaa05f7
Patch
https://git.kernel.org/stable/c/d90df6da50c56ad8b1a132e3cf86b6cdf8f507b7
Patch