From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-cve-announce@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Subject: CVE-2021-46906: HID: usbhid: fix info leak in hid_submit_ctrl
Date: Mon, 26 Feb 2024 18:21:03 +0100
Message-ID: <2024022603-CVE-2021-46906-636c@gregkh>

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

HID: usbhid: fix info leak in hid_submit_ctrl

In hid_submit_ctrl(), the way of calculating the report length doesn't
take into account that report->size can be zero. When running the
syzkaller reproducer, a report of size 0 causes hid_submit_ctrl() to
calculate transfer_buffer_length as 16384. When this urb is passed to
the usb core layer, KMSAN reports an info leak of 16384 bytes.

To fix this, first modify hid_report_len() to account for the zero
report size case by using DIV_ROUND_UP for the division. Then, call it
from hid_submit_ctrl().
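
The arithmetic behind the report, as an added illustration that is not part of the announcement or of the patch itself: the pre-fix and DIV_ROUND_UP forms of the length computation are reproduced from hid_report_len(), the 16384 cap assumes the HID_MAX_BUFFER_SIZE constant from include/linux/hid.h, and ctrl_transfer_len() is a simplified model of the IN-direction padding in hid_submit_ctrl(), not the kernel function.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed from include/linux/hid.h (16 KiB driver buffer). */
#define HID_MAX_BUFFER_SIZE 16384u
#define DIV_ROUND_UP(n, d) (((n) + (d) - 1) / (d))

/* Minimal stand-in for the kernel's struct hid_report; size is in bits. */
struct hid_report {
	unsigned int id;
	unsigned int size;
};

/* Pre-fix computation: with size == 0 the unsigned (size - 1) wraps to
 * UINT_MAX, so the result is ~512 MiB instead of 0 (plus the id byte). */
static uint32_t hid_report_len_old(const struct hid_report *r)
{
	return ((r->size - 1) >> 3) + 1 + (r->id > 0);
}

/* Fixed computation: DIV_ROUND_UP(0, 8) is 0, so no wraparound. */
static uint32_t hid_report_len_fixed(const struct hid_report *r)
{
	return DIV_ROUND_UP(r->size, 8) + (r->id > 0);
}

/* Model of the IN-direction padding: round len up to the endpoint's max
 * packet size and cap at the driver buffer. An oversized len saturates
 * at the full buffer, which is the 16384 the description mentions. */
static uint32_t ctrl_transfer_len(uint32_t len, uint32_t maxpacket,
				  uint32_t bufsize)
{
	uint32_t padlen = DIV_ROUND_UP(len, maxpacket) * maxpacket;

	return padlen > bufsize ? bufsize : padlen;
}

int main(void)
{
	/* Constructed sample: a zero-sized, numbered report, 64-byte endpoint. */
	struct hid_report zero = { .id = 1, .size = 0 };
	uint32_t old_len = hid_report_len_old(&zero);
	uint32_t new_len = hid_report_len_fixed(&zero);

	printf("pre-fix len %u -> transfer %u bytes\n", old_len,
	       ctrl_transfer_len(old_len, 64, HID_MAX_BUFFER_SIZE));
	printf("fixed   len %u -> transfer %u bytes\n", new_len,
	       ctrl_transfer_len(new_len, 64, HID_MAX_BUFFER_SIZE));
	return 0;
}
```

For non-zero sizes both formulas agree, so the change only alters the zero-size case.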

The Linux kernel CVE team has assigned CVE-2021-46906 to this issue.


Affected and fixed versions
===========================

	Fixed in 4.4.274 with commit c5d3c142f2d5
	Fixed in 4.9.274 with commit 41b1e71a2c57
	Fixed in 4.14.238 with commit 8c064eece9a5
	Fixed in 4.19.196 with commit 0e280502be1b
	Fixed in 5.4.127 with commit 7f5a4b24cdbd
	Fixed in 5.10.45 with commit b1e3596416d7
	Fixed in 5.12.12 with commit 21883bff0fd8
	Fixed in 5.13 with commit 6be388f4a35d

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2021-46906
will be updated if fixes are backported; please check that for the most
up to date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
	drivers/hid/usbhid/hid-core.c
	include/linux/hid.h


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes.  Individual
changes are never tested alone, but rather are part of a larger kernel
release.  Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.  If, however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/c5d3c142f2d57d40c55e65d5622d319125a45366
	https://git.kernel.org/stable/c/41b1e71a2c57366b08dcca1a28b0d45ca69429ce
	https://git.kernel.org/stable/c/8c064eece9a51856f3f275104520c7e3017fc5c0
	https://git.kernel.org/stable/c/0e280502be1b003c3483ae03fc60dea554fcfa82
	https://git.kernel.org/stable/c/7f5a4b24cdbd7372770a02f23e347d7d9a9ac8f1
	https://git.kernel.org/stable/c/b1e3596416d74ce95cc0b7b38472329a3818f8a9
	https://git.kernel.org/stable/c/21883bff0fd854e07429a773ff18f1e9658f50e8
	https://git.kernel.org/stable/c/6be388f4a35d2ce5ef7dbf635a8964a5da7f799f
