cve/published/2022/CVE-2022-49661.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2022-49661: can: gs_usb: gs_usb_open/close(): fix memory leak

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 can: gs_usb: gs_usb_open/close(): fix memory leak

 The gs_usb driver appears to suffer from a malady common to many USB
 CAN adapter drivers in that it performs usb_alloc_coherent() to
 allocate a number of USB request blocks (URBs) for RX, and then later
 relies on usb_kill_anchored_urbs() to free them, but this doesn't
 actually free them. As a result, this may be leaking DMA memory that's
 been used by the driver.

 This commit is an adaptation of the techniques found in the esd_usb2
 driver where a similar design pattern led to a memory leak. It
 explicitly frees the RX URBs and their DMA memory via a call to
 usb_free_coherent(). Since the RX URBs were allocated in the
 gs_can_open(), we remove them in gs_can_close() rather than in the
 disconnect function as was done in esd_usb2.

 For more information, see the 928150fad41b ("can: esd_usb2: fix memory
 leak").

 The Linux kernel CVE team has assigned CVE-2022-49661 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 3.16 with commit d08e973a77d128b25e01a08c34d89593fdf222da and fixed in 4.9.323 with commit 339fa9f80d3b94177a7a459c6d115d3b56007d5a
 	Issue introduced in 3.16 with commit d08e973a77d128b25e01a08c34d89593fdf222da and fixed in 4.14.288 with commit c1d806bc29ff7ffe0e2a023583c8720ed96cb0b0
 	Issue introduced in 3.16 with commit d08e973a77d128b25e01a08c34d89593fdf222da and fixed in 4.19.252 with commit d91492638b054f4a359621ef216242be5973ed6b
 	Issue introduced in 3.16 with commit d08e973a77d128b25e01a08c34d89593fdf222da and fixed in 5.4.205 with commit 6f655b5e13fa4b27e915b6c209ac0da74fd75963
 	Issue introduced in 3.16 with commit d08e973a77d128b25e01a08c34d89593fdf222da and fixed in 5.10.130 with commit d0b8e223998866b3e7b2895927d4e9689b0a80d8
 	Issue introduced in 3.16 with commit d08e973a77d128b25e01a08c34d89593fdf222da and fixed in 5.15.54 with commit 0e60230bc64355c80abe993d1719fdb318094e20
 	Issue introduced in 3.16 with commit d08e973a77d128b25e01a08c34d89593fdf222da and fixed in 5.18.11 with commit ffb6cc6601ec7c8fa963dcf76025df4a02f2cf5c
 	Issue introduced in 3.16 with commit d08e973a77d128b25e01a08c34d89593fdf222da and fixed in 5.19 with commit 2bda24ef95c0311ab93bda00db40486acf30bd0a

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2022-49661
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/net/can/usb/gs_usb.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/339fa9f80d3b94177a7a459c6d115d3b56007d5a
 	https://git.kernel.org/stable/c/c1d806bc29ff7ffe0e2a023583c8720ed96cb0b0
 	https://git.kernel.org/stable/c/d91492638b054f4a359621ef216242be5973ed6b
 	https://git.kernel.org/stable/c/6f655b5e13fa4b27e915b6c209ac0da74fd75963
 	https://git.kernel.org/stable/c/d0b8e223998866b3e7b2895927d4e9689b0a80d8
 	https://git.kernel.org/stable/c/0e60230bc64355c80abe993d1719fdb318094e20
 	https://git.kernel.org/stable/c/ffb6cc6601ec7c8fa963dcf76025df4a02f2cf5c
 	https://git.kernel.org/stable/c/2bda24ef95c0311ab93bda00db40486acf30bd0a
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2022-49661: can: gs_usb: gs_usb_open/close(): fix memory leak

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	can: gs_usb: gs_usb_open/close(): fix memory leak

	The gs_usb driver appears to suffer from a malady common to many USB
	CAN adapter drivers in that it performs usb_alloc_coherent() to
	allocate a number of USB request blocks (URBs) for RX, and then later
	relies on usb_kill_anchored_urbs() to free them, but this doesn't
	actually free them. As a result, this may be leaking DMA memory that's
	been used by the driver.

	This commit is an adaptation of the techniques found in the esd_usb2
	driver where a similar design pattern led to a memory leak. It
	explicitly frees the RX URBs and their DMA memory via a call to
	usb_free_coherent(). Since the RX URBs were allocated in the
	gs_can_open(), we remove them in gs_can_close() rather than in the
	disconnect function as was done in esd_usb2.

	For more information, see the 928150fad41b ("can: esd_usb2: fix memory
	leak").

	The Linux kernel CVE team has assigned CVE-2022-49661 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 3.16 with commit d08e973a77d128b25e01a08c34d89593fdf222da and fixed in 4.9.323 with commit 339fa9f80d3b94177a7a459c6d115d3b56007d5a
	Issue introduced in 3.16 with commit d08e973a77d128b25e01a08c34d89593fdf222da and fixed in 4.14.288 with commit c1d806bc29ff7ffe0e2a023583c8720ed96cb0b0
	Issue introduced in 3.16 with commit d08e973a77d128b25e01a08c34d89593fdf222da and fixed in 4.19.252 with commit d91492638b054f4a359621ef216242be5973ed6b
	Issue introduced in 3.16 with commit d08e973a77d128b25e01a08c34d89593fdf222da and fixed in 5.4.205 with commit 6f655b5e13fa4b27e915b6c209ac0da74fd75963
	Issue introduced in 3.16 with commit d08e973a77d128b25e01a08c34d89593fdf222da and fixed in 5.10.130 with commit d0b8e223998866b3e7b2895927d4e9689b0a80d8
	Issue introduced in 3.16 with commit d08e973a77d128b25e01a08c34d89593fdf222da and fixed in 5.15.54 with commit 0e60230bc64355c80abe993d1719fdb318094e20
	Issue introduced in 3.16 with commit d08e973a77d128b25e01a08c34d89593fdf222da and fixed in 5.18.11 with commit ffb6cc6601ec7c8fa963dcf76025df4a02f2cf5c
	Issue introduced in 3.16 with commit d08e973a77d128b25e01a08c34d89593fdf222da and fixed in 5.19 with commit 2bda24ef95c0311ab93bda00db40486acf30bd0a

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2022-49661
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/net/can/usb/gs_usb.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/339fa9f80d3b94177a7a459c6d115d3b56007d5a
	https://git.kernel.org/stable/c/c1d806bc29ff7ffe0e2a023583c8720ed96cb0b0
	https://git.kernel.org/stable/c/d91492638b054f4a359621ef216242be5973ed6b
	https://git.kernel.org/stable/c/6f655b5e13fa4b27e915b6c209ac0da74fd75963
	https://git.kernel.org/stable/c/d0b8e223998866b3e7b2895927d4e9689b0a80d8
	https://git.kernel.org/stable/c/0e60230bc64355c80abe993d1719fdb318094e20
	https://git.kernel.org/stable/c/ffb6cc6601ec7c8fa963dcf76025df4a02f2cf5c
	https://git.kernel.org/stable/c/2bda24ef95c0311ab93bda00db40486acf30bd0a