CVE-2021-46906: HID: usbhid: fix info leak in hid_submit_ctrl - Greg Kroah-Hartman

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-cve-announce@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Subject: CVE-2021-46906: HID: usbhid: fix info leak in hid_submit_ctrl
Date: Mon, 26 Feb 2024 18:21:03 +0100	[thread overview]
Message-ID: <2024022603-CVE-2021-46906-636c@gregkh> (raw)

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

HID: usbhid: fix info leak in hid_submit_ctrl

In hid_submit_ctrl(), the way of calculating the report length doesn't
take into account that report->size can be zero. When running the
syzkaller reproducer, a report of size 0 causes hid_submit_ctrl) to
calculate transfer_buffer_length as 16384. When this urb is passed to
the usb core layer, KMSAN reports an info leak of 16384 bytes.

To fix this, first modify hid_report_len() to account for the zero
report size case by using DIV_ROUND_UP for the division. Then, call it
from hid_submit_ctrl().

The Linux kernel CVE team has assigned CVE-2021-46906 to this issue.

Affected and fixed versions
===========================

	Fixed in 4.4.274 with commit c5d3c142f2d5
	Fixed in 4.9.274 with commit 41b1e71a2c57
	Fixed in 4.14.238 with commit 8c064eece9a5
	Fixed in 4.19.196 with commit 0e280502be1b
	Fixed in 5.4.127 with commit 7f5a4b24cdbd
	Fixed in 5.10.45 with commit b1e3596416d7
	Fixed in 5.12.12 with commit 21883bff0fd8
	Fixed in 5.13 with commit 6be388f4a35d

Please see https://www.kernel.org or a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2021-46906
will be updated if fixes are backported, please check that for the most
up to date information about this issue.

Affected files
==============

The file(s) affected by this issue are:
	drivers/hid/usbhid/hid-core.c
	include/linux/hid.h

Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes.  Individual
changes are never tested alone, but rather are part of a larger kernel
release.  Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.  If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/c5d3c142f2d57d40c55e65d5622d319125a45366
	https://git.kernel.org/stable/c/41b1e71a2c57366b08dcca1a28b0d45ca69429ce
	https://git.kernel.org/stable/c/8c064eece9a51856f3f275104520c7e3017fc5c0
	https://git.kernel.org/stable/c/0e280502be1b003c3483ae03fc60dea554fcfa82
	https://git.kernel.org/stable/c/7f5a4b24cdbd7372770a02f23e347d7d9a9ac8f1
	https://git.kernel.org/stable/c/b1e3596416d74ce95cc0b7b38472329a3818f8a9
	https://git.kernel.org/stable/c/21883bff0fd854e07429a773ff18f1e9658f50e8
	https://git.kernel.org/stable/c/6be388f4a35d2ce5ef7dbf635a8964a5da7f799f