The CVE-2021-46906 vulnerability exists in the Linux kernel's Human Interface Device (HID) subsystem, specifically in the `hid_submit_ctrl` function. The issue arises when a report of size 0 is submitted, causing the calculation of the transfer buffer length to result in an incorrect value of 16384 bytes. This, in turn, leads to an information leak of 16384 bytes when the Universal Serial Bus (USB) core layer processes the malformed report.

The root cause of this vulnerability lies in the `hid_report_len` function, which fails to account for the case where the report size is zero. To fix this issue, the `hid_report_len` function has been modified to use the `DIV_ROUND_UP` macro for division, ensuring that the correct buffer length is calculated even when the report size is zero. The updated `hid_submit_ctrl` function then calls the modified `hid_report_len` function to obtain the correct transfer buffer length.

The vulnerability affects various versions of the Linux kernel, including 4.4, 4.9, 4.14, 4.19, 5.4, 5.10, and 5.12. Fixes for this issue have been committed in multiple kernel releases, with the affected files being `drivers/hid/usbhid/hid-core.c` and `include/linux/hid.h`. The Linux kernel CVE team recommends updating to the latest stable kernel version to resolve this vulnerability, as individual changes are never tested alone and cherry-picking commits is not supported by the Linux kernel community.
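The zero-size length calculation described above, as an added example (a user-space model, not code from the kernel tree or from this page): it compares a subtract-then-shift byte count with the `DIV_ROUND_UP` form and shows how the wrapped value ends up as a full-buffer transfer length. The `struct report` stand-in, the pre-fix expression, the pad-and-clamp step, and the values `maxpacket = 64` and `bufsize = 16384` are assumptions for illustration.

```c
#include <stdio.h>

/* The kernel's DIV_ROUND_UP macro, reproduced for user space. */
#define DIV_ROUND_UP(n, d) (((n) + (d) - 1) / (d))

/* Hypothetical stand-in for struct hid_report; size is in bits. */
struct report { unsigned int id; unsigned int size; };

/* Assumed pre-fix form: size == 0 wraps to UINT_MAX before the shift. */
static unsigned int len_before(const struct report *r)
{
    return ((r->size - 1) >> 3) + 1 + (r->id > 0);
}

/* Post-fix form: rounding up with DIV_ROUND_UP gives 0 bytes for size == 0. */
static unsigned int len_after(const struct report *r)
{
    return DIV_ROUND_UP(r->size, 8) + (r->id > 0);
}

/* Assumed pad-and-clamp step: round up to whole packets, cap at bufsize. */
static unsigned int padded_len(unsigned int len, unsigned int maxpacket,
                               unsigned int bufsize)
{
    unsigned int padlen;

    if (maxpacket == 0)
        return 0;
    padlen = DIV_ROUND_UP(len, maxpacket) * maxpacket;
    return padlen > bufsize ? bufsize : padlen;
}

int main(void)
{
    /* Constructed inputs: a zero-size report and an ordinary 64-bit one. */
    struct report samples[] = { {0, 0}, {1, 64} };
    unsigned int i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        unsigned int b = len_before(&samples[i]);
        unsigned int a = len_after(&samples[i]);

        printf("size=%u id=%u  before: len=%u xfer=%u  after: len=%u xfer=%u\n",
               samples[i].size, samples[i].id,
               b, padded_len(b, 64, 16384), a, padded_len(a, 64, 16384));
    }
    return 0;
}
```

For non-zero sizes both forms agree, so the change only alters behaviour for the zero-size report.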