cve/published/2023/CVE-2023-52886.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2023-52886: USB: core: Fix race by not overwriting udev->descriptor in hub_port_init()

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 USB: core: Fix race by not overwriting udev->descriptor in hub_port_init()

 Syzbot reported an out-of-bounds read in sysfs.c:read_descriptors():

 BUG: KASAN: slab-out-of-bounds in read_descriptors+0x263/0x280 drivers/usb/core/sysfs.c:883
 Read of size 8 at addr ffff88801e78b8c8 by task udevd/5011

 CPU: 0 PID: 5011 Comm: udevd Not tainted 6.4.0-rc6-syzkaller-00195-g40f71e7cd3c6 #0
 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023
 Call Trace:
  <TASK>
  __dump_stack lib/dump_stack.c:88 [inline]
  dump_stack_lvl+0xd9/0x150 lib/dump_stack.c:106
  print_address_description.constprop.0+0x2c/0x3c0 mm/kasan/report.c:351
  print_report mm/kasan/report.c:462 [inline]
  kasan_report+0x11c/0x130 mm/kasan/report.c:572
  read_descriptors+0x263/0x280 drivers/usb/core/sysfs.c:883
 ...
 Allocated by task 758:
 ...
  __do_kmalloc_node mm/slab_common.c:966 [inline]
  __kmalloc+0x5e/0x190 mm/slab_common.c:979
  kmalloc include/linux/slab.h:563 [inline]
  kzalloc include/linux/slab.h:680 [inline]
  usb_get_configuration+0x1f7/0x5170 drivers/usb/core/config.c:887
  usb_enumerate_device drivers/usb/core/hub.c:2407 [inline]
  usb_new_device+0x12b0/0x19d0 drivers/usb/core/hub.c:2545

 As analyzed by Khazhy Kumykov, the cause of this bug is a race between
 read_descriptors() and hub_port_init(): The first routine uses a field
 in udev->descriptor, not expecting it to change, while the second
 overwrites it.

 Prior to commit 45bf39f8df7f ("USB: core: Don't hold device lock while
 reading the "descriptors" sysfs file") this race couldn't occur,
 because the routines were mutually exclusive thanks to the device
 locking.  Removing that locking from read_descriptors() exposed it to
 the race.

 The best way to fix the bug is to keep hub_port_init() from changing
 udev->descriptor once udev has been initialized and registered.
 Drivers expect the descriptors stored in the kernel to be immutable;
 we should not undermine this expectation.  In fact, this change should
 have been made long ago.

 So now hub_port_init() will take an additional argument, specifying a
 buffer in which to store the device descriptor it reads.  (If udev has
 not yet been initialized, the buffer pointer will be NULL and then
 hub_port_init() will store the device descriptor in udev as before.)
 This eliminates the data race responsible for the out-of-bounds read.

 The changes to hub_port_init() appear more extensive than they really
 are, because of indentation changes resulting from an attempt to avoid
 writing to other parts of the usb_device structure after it has been
 initialized.  Similar changes should be made to the code that reads
 the BOS descriptor, but that can be handled in a separate patch later
 on.  This patch is sufficient to fix the bug found by syzbot.

 The Linux kernel CVE team has assigned CVE-2023-52886 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.10.171 with commit 218925bfd5d1436e337c4f961e9c149fbe32de6d and fixed in 5.10.195 with commit 9d241c5d9a9b7ad95c90c6520272fe404d5ac88f
 	Issue introduced in 5.15.97 with commit 77358093331e9769855140bf94a3f00ecdcf4bb1 and fixed in 5.15.132 with commit 7fe9d87996062f5eb0ca476ad0257f79bf43aaf5
 	Issue introduced in 6.1.15 with commit c87fb861ec185fdc578b4fdc6a05920b6a843840 and fixed in 6.1.53 with commit 8186596a663506b1124bede9fde6f243ef9f37ee
 	Issue introduced in 6.3 with commit 45bf39f8df7f05efb83b302c65ae3b9bc92b7065 and fixed in 6.4.16 with commit b4a074b1fb222164ed7d5c0b8c922dc4a0840848
 	Issue introduced in 6.3 with commit 45bf39f8df7f05efb83b302c65ae3b9bc92b7065 and fixed in 6.5.3 with commit b9fbfb349eacc0820f91c797d7f0a3ac7a4935b5
 	Issue introduced in 6.3 with commit 45bf39f8df7f05efb83b302c65ae3b9bc92b7065 and fixed in 6.6 with commit ff33299ec8bb80cdcc073ad9c506bd79bb2ed20b
 	Issue introduced in 4.14.308 with commit 6badaf880edf51a2da7a439699676394dfdef3e5
 	Issue introduced in 4.19.275 with commit 5f35b5d3bd6914c68f743741443dfd3a64b0e455
 	Issue introduced in 5.4.234 with commit a1e89c8b29d003a20ed2dae6bdae1598d1f23e42
 	Issue introduced in 6.2.2 with commit 1bcb238c54a9c6dc4bded06b06ba7458a5eefa87

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2023-52886
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/usb/core/hub.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/9d241c5d9a9b7ad95c90c6520272fe404d5ac88f
 	https://git.kernel.org/stable/c/7fe9d87996062f5eb0ca476ad0257f79bf43aaf5
 	https://git.kernel.org/stable/c/8186596a663506b1124bede9fde6f243ef9f37ee
 	https://git.kernel.org/stable/c/b4a074b1fb222164ed7d5c0b8c922dc4a0840848
 	https://git.kernel.org/stable/c/b9fbfb349eacc0820f91c797d7f0a3ac7a4935b5
 	https://git.kernel.org/stable/c/ff33299ec8bb80cdcc073ad9c506bd79bb2ed20b
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2023-52886: USB: core: Fix race by not overwriting udev->descriptor in hub_port_init()

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	USB: core: Fix race by not overwriting udev->descriptor in hub_port_init()

	Syzbot reported an out-of-bounds read in sysfs.c:read_descriptors():

	BUG: KASAN: slab-out-of-bounds in read_descriptors+0x263/0x280 drivers/usb/core/sysfs.c:883
	Read of size 8 at addr ffff88801e78b8c8 by task udevd/5011

	CPU: 0 PID: 5011 Comm: udevd Not tainted 6.4.0-rc6-syzkaller-00195-g40f71e7cd3c6 #0
	Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023
	Call Trace:
	<TASK>
	__dump_stack lib/dump_stack.c:88 [inline]
	dump_stack_lvl+0xd9/0x150 lib/dump_stack.c:106
	print_address_description.constprop.0+0x2c/0x3c0 mm/kasan/report.c:351
	print_report mm/kasan/report.c:462 [inline]
	kasan_report+0x11c/0x130 mm/kasan/report.c:572
	read_descriptors+0x263/0x280 drivers/usb/core/sysfs.c:883
	...
	Allocated by task 758:
	...
	__do_kmalloc_node mm/slab_common.c:966 [inline]
	__kmalloc+0x5e/0x190 mm/slab_common.c:979
	kmalloc include/linux/slab.h:563 [inline]
	kzalloc include/linux/slab.h:680 [inline]
	usb_get_configuration+0x1f7/0x5170 drivers/usb/core/config.c:887
	usb_enumerate_device drivers/usb/core/hub.c:2407 [inline]
	usb_new_device+0x12b0/0x19d0 drivers/usb/core/hub.c:2545

	As analyzed by Khazhy Kumykov, the cause of this bug is a race between
	read_descriptors() and hub_port_init(): The first routine uses a field
	in udev->descriptor, not expecting it to change, while the second
	overwrites it.

	Prior to commit 45bf39f8df7f ("USB: core: Don't hold device lock while
	reading the "descriptors" sysfs file") this race couldn't occur,
	because the routines were mutually exclusive thanks to the device
	locking. Removing that locking from read_descriptors() exposed it to
	the race.

	The best way to fix the bug is to keep hub_port_init() from changing
	udev->descriptor once udev has been initialized and registered.
	Drivers expect the descriptors stored in the kernel to be immutable;
	we should not undermine this expectation. In fact, this change should
	have been made long ago.

	So now hub_port_init() will take an additional argument, specifying a
	buffer in which to store the device descriptor it reads. (If udev has
	not yet been initialized, the buffer pointer will be NULL and then
	hub_port_init() will store the device descriptor in udev as before.)
	This eliminates the data race responsible for the out-of-bounds read.

	The changes to hub_port_init() appear more extensive than they really
	are, because of indentation changes resulting from an attempt to avoid
	writing to other parts of the usb_device structure after it has been
	initialized. Similar changes should be made to the code that reads
	the BOS descriptor, but that can be handled in a separate patch later
	on. This patch is sufficient to fix the bug found by syzbot.

	The Linux kernel CVE team has assigned CVE-2023-52886 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.10.171 with commit 218925bfd5d1436e337c4f961e9c149fbe32de6d and fixed in 5.10.195 with commit 9d241c5d9a9b7ad95c90c6520272fe404d5ac88f
	Issue introduced in 5.15.97 with commit 77358093331e9769855140bf94a3f00ecdcf4bb1 and fixed in 5.15.132 with commit 7fe9d87996062f5eb0ca476ad0257f79bf43aaf5
	Issue introduced in 6.1.15 with commit c87fb861ec185fdc578b4fdc6a05920b6a843840 and fixed in 6.1.53 with commit 8186596a663506b1124bede9fde6f243ef9f37ee
	Issue introduced in 6.3 with commit 45bf39f8df7f05efb83b302c65ae3b9bc92b7065 and fixed in 6.4.16 with commit b4a074b1fb222164ed7d5c0b8c922dc4a0840848
	Issue introduced in 6.3 with commit 45bf39f8df7f05efb83b302c65ae3b9bc92b7065 and fixed in 6.5.3 with commit b9fbfb349eacc0820f91c797d7f0a3ac7a4935b5
	Issue introduced in 6.3 with commit 45bf39f8df7f05efb83b302c65ae3b9bc92b7065 and fixed in 6.6 with commit ff33299ec8bb80cdcc073ad9c506bd79bb2ed20b
	Issue introduced in 4.14.308 with commit 6badaf880edf51a2da7a439699676394dfdef3e5
	Issue introduced in 4.19.275 with commit 5f35b5d3bd6914c68f743741443dfd3a64b0e455
	Issue introduced in 5.4.234 with commit a1e89c8b29d003a20ed2dae6bdae1598d1f23e42
	Issue introduced in 6.2.2 with commit 1bcb238c54a9c6dc4bded06b06ba7458a5eefa87

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2023-52886
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/usb/core/hub.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/9d241c5d9a9b7ad95c90c6520272fe404d5ac88f
	https://git.kernel.org/stable/c/7fe9d87996062f5eb0ca476ad0257f79bf43aaf5
	https://git.kernel.org/stable/c/8186596a663506b1124bede9fde6f243ef9f37ee
	https://git.kernel.org/stable/c/b4a074b1fb222164ed7d5c0b8c922dc4a0840848
	https://git.kernel.org/stable/c/b9fbfb349eacc0820f91c797d7f0a3ac7a4935b5
	https://git.kernel.org/stable/c/ff33299ec8bb80cdcc073ad9c506bd79bb2ed20b