CVE-2023-53548
Description
In the Linux kernel, the following vulnerability has been resolved: net: usbnet: Fix WARNING in usbnet_start_xmit/usb_submit_urb The syzbot fuzzer identified a problem in the usbnet driver: usb 1-1: BOGUS urb xfer, pipe 3 != type 1 WARNING: CPU: 0 PID: 754 at drivers/usb/core/urb.c:504 usb_submit_urb+0xed6/0x1880 drivers/usb/core/urb.c:504 Modules linked in: CPU: 0 PID: 754 Comm: kworker/0:2 Not tainted 6.4.0-rc7-syzkaller-00014-g692b7dc87ca6 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023 Workqueue: mld mld_ifc_work RIP: 0010:usb_submit_urb+0xed6/0x1880 drivers/usb/core/urb.c:504 Code: 7c 24 18 e8 2c b4 5b fb 48 8b 7c 24 18 e8 42 07 f0 fe 41 89 d8 44 89 e1 4c 89 ea 48 89 c6 48 c7 c7 a0 c9 fc 8a e8 5a 6f 23 fb <0f> 0b e9 58 f8 ff ff e8 fe b3 5b fb 48 81 c5 c0 05 00 00 e9 84 f7 RSP: 0018:ffffc9000463f568 EFLAGS: 00010086 RAX: 0000000000000000 RBX: 0000000000000001 RCX: 0000000000000000 RDX: ffff88801eb28000 RSI: ffffffff814c03b7 RDI: 0000000000000001 RBP: ffff8881443b7190 R08: 0000000000000001 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000003 R13: ffff88802a77cb18 R14: 0000000000000003 R15: ffff888018262500 FS: 0000000000000000(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000556a99c15a18 CR3: 0000000028c71000 CR4: 0000000000350ef0 Call Trace: <TASK> usbnet_start_xmit+0xfe5/0x2190 drivers/net/usb/usbnet.c:1453 __netdev_start_xmit include/linux/netdevice.h:4918 [inline] netdev_start_xmit include/linux/netdevice.h:4932 [inline] xmit_one net/core/dev.c:3578 [inline] dev_hard_start_xmit+0x187/0x700 net/core/dev.c:3594 ... This bug is caused by the fact that usbnet trusts the bulk endpoint addresses its probe routine receives in the driver_info structure, and it does not check to see that these endpoints actually exist and have the expected type and directions. The fix is simply to add such a check.
CVSS Details
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H Threat Intelligence
Affected Products 9
| Vendor | Product | Version | Range |
|---|---|---|---|
| linux | linux_kernel | * | ≥2.6.14 – <4.14.322 |
| linux | linux_kernel | * | ≥4.15 – <4.19.291 |
| linux | linux_kernel | * | ≥4.20 – <5.4.253 |
| linux | linux_kernel | * | ≥5.5 – <5.10.190 |
| linux | linux_kernel | * | ≥5.11 – <5.15.126 |
| linux | linux_kernel | * | ≥5.16 – <6.1.45 |
| linux | linux_kernel | * | ≥6.2 – <6.4.10 |
| linux | linux_kernel | 6.5 | any |
| linux | linux_kernel | 6.5 | any |
References 8
- git.kernel.org https://git.kernel.org/stable/c/0dd3e0c31bf3e933fb85faf1443833aef90b8e46
- git.kernel.org https://git.kernel.org/stable/c/1bebbd9b8037a9cc75984317cb495dec4824c399
- git.kernel.org https://git.kernel.org/stable/c/27d0f755d649d388fcd12f01436c9a33289e14e3
- git.kernel.org https://git.kernel.org/stable/c/53c250ea57cf03af41339234b9855ae284f9db91
- git.kernel.org https://git.kernel.org/stable/c/5e1627cb43ddf1b24b92eb26f8d958a3f5676ccb
- git.kernel.org https://git.kernel.org/stable/c/a05ac5d00eb7fcb2fda806caa4f56e88df6bc6bb
- git.kernel.org https://git.kernel.org/stable/c/a0715d04cf687a7e21f0d6ac8c1d479294a3f6f8
- git.kernel.org https://git.kernel.org/stable/c/ec0d0be41721aca683c5606354a58ee2c687e3f8
Remediation
- git.kernel.org https://git.kernel.org/stable/c/0dd3e0c31bf3e933fb85faf1443833aef90b8e46
- git.kernel.org https://git.kernel.org/stable/c/1bebbd9b8037a9cc75984317cb495dec4824c399
- git.kernel.org https://git.kernel.org/stable/c/27d0f755d649d388fcd12f01436c9a33289e14e3
- git.kernel.org https://git.kernel.org/stable/c/53c250ea57cf03af41339234b9855ae284f9db91
- git.kernel.org https://git.kernel.org/stable/c/5e1627cb43ddf1b24b92eb26f8d958a3f5676ccb
- git.kernel.org https://git.kernel.org/stable/c/a05ac5d00eb7fcb2fda806caa4f56e88df6bc6bb
- git.kernel.org https://git.kernel.org/stable/c/a0715d04cf687a7e21f0d6ac8c1d479294a3f6f8
- git.kernel.org https://git.kernel.org/stable/c/ec0d0be41721aca683c5606354a58ee2c687e3f8