APPLIED: [SRU X/B/D/E/F] CVE-2020-13143
Khaled Elmously
khalid.elmously at canonical.com
Fri Jun 5 05:06:31 UTC 2020
On 2020-05-22 19:37:51, Thadeu Lima de Souza Cascardo wrote:
> Description:
> gadget_dev_desc_UDC_store in drivers/usb/gadget/configfs.c in the Linux
> kernel through 5.6.13 relies on kstrdup without considering the possibility
> of an internal '\0' value, which allows attackers to trigger an
> out-of-bounds read, aka CID-15753588bcd4.
>
> [Impact]
>
> This could lead to potential data leak and corruption.
>
> [Test case]
>
> Build dummy_hcd, load libcomposite and dummy_hcd, and run:
>
> cd /sys/kernel/config/usb_gadget/
> mkdir ep1
> cd ep1
> echo dummy_udc.0 > UDC
> UDC: Invalid argument
> echo -e 'no_udc.0' > UDC
> UDC: No such device
>
> Before patch:
> echo -e 'dummy_udc.0\0' > UDC
> UDC: Invalid argument
>
> After patch:
> echo -e 'dummy_udc.0\0' > UDC
> UDC: Value too large for defined data type
>
> This will lead to EINVAL as there is no other configuration done for the
> gadget. The test was only done on Focal, looking for regressions on that
> simple case. Also tested a random string, which returns ENODEV, and one
> string containing the NULL character.
>
> [Regression potential]
> Low. It's restricting strings that contain the NULL character.
>
> --
> kernel-team mailing list
> kernel-team at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team