| From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001 |
| From: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| To: <linux-cve-announce@vger.kernel.org> |
| Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org> |
| Subject: CVE-2021-46906: HID: usbhid: fix info leak in hid_submit_ctrl |
| |
| Description |
| =========== |
| |
| In the Linux kernel, the following vulnerability has been resolved: |
| |
| HID: usbhid: fix info leak in hid_submit_ctrl |
| |
| In hid_submit_ctrl(), the way of calculating the report length doesn't |
| take into account that report->size can be zero. When running the |
| syzkaller reproducer, a report of size 0 causes hid_submit_ctrl) to |
| calculate transfer_buffer_length as 16384. When this urb is passed to |
| the usb core layer, KMSAN reports an info leak of 16384 bytes. |
| |
| To fix this, first modify hid_report_len() to account for the zero |
| report size case by using DIV_ROUND_UP for the division. Then, call it |
| from hid_submit_ctrl(). |
| |
| The Linux kernel CVE team has assigned CVE-2021-46906 to this issue. |
| |
| |
| Affected and fixed versions |
| =========================== |
| |
| Fixed in 4.4.274 with commit c5d3c142f2d57d40c55e65d5622d319125a45366 |
| Fixed in 4.9.274 with commit 41b1e71a2c57366b08dcca1a28b0d45ca69429ce |
| Fixed in 4.14.238 with commit 8c064eece9a51856f3f275104520c7e3017fc5c0 |
| Fixed in 4.19.196 with commit 0e280502be1b003c3483ae03fc60dea554fcfa82 |
| Fixed in 5.4.127 with commit 7f5a4b24cdbd7372770a02f23e347d7d9a9ac8f1 |
| Fixed in 5.10.45 with commit b1e3596416d74ce95cc0b7b38472329a3818f8a9 |
| Fixed in 5.12.12 with commit 21883bff0fd854e07429a773ff18f1e9658f50e8 |
| Fixed in 5.13 with commit 6be388f4a35d2ce5ef7dbf635a8964a5da7f799f |
| |
| Please see https://www.kernel.org for a full list of currently supported |
| kernel versions by the kernel community. |
| |
| Unaffected versions might change over time as fixes are backported to |
| older supported kernel versions. The official CVE entry at |
| https://cve.org/CVERecord/?id=CVE-2021-46906 |
| will be updated if fixes are backported, please check that for the most |
| up to date information about this issue. |
| |
| |
| Affected files |
| ============== |
| |
| The file(s) affected by this issue are: |
| drivers/hid/usbhid/hid-core.c |
| include/linux/hid.h |
| |
| |
| Mitigation |
| ========== |
| |
| The Linux kernel CVE team recommends that you update to the latest |
| stable kernel version for this, and many other bugfixes. Individual |
| changes are never tested alone, but rather are part of a larger kernel |
| release. Cherry-picking individual commits is not recommended or |
| supported by the Linux kernel community at all. If however, updating to |
| the latest release is impossible, the individual changes to resolve this |
| issue can be found at these commits: |
| https://git.kernel.org/stable/c/c5d3c142f2d57d40c55e65d5622d319125a45366 |
| https://git.kernel.org/stable/c/41b1e71a2c57366b08dcca1a28b0d45ca69429ce |
| https://git.kernel.org/stable/c/8c064eece9a51856f3f275104520c7e3017fc5c0 |
| https://git.kernel.org/stable/c/0e280502be1b003c3483ae03fc60dea554fcfa82 |
| https://git.kernel.org/stable/c/7f5a4b24cdbd7372770a02f23e347d7d9a9ac8f1 |
| https://git.kernel.org/stable/c/b1e3596416d74ce95cc0b7b38472329a3818f8a9 |
| https://git.kernel.org/stable/c/21883bff0fd854e07429a773ff18f1e9658f50e8 |
| https://git.kernel.org/stable/c/6be388f4a35d2ce5ef7dbf635a8964a5da7f799f |
