[SRU X/B/D/E/F] CVE-2020-13143

Thadeu Lima de Souza Cascardo cascardo at canonical.com
Fri May 22 22:37:51 UTC 2020


Description:
 gadget_dev_desc_UDC_store in drivers/usb/gadget/configfs.c in the Linux
 kernel through 5.6.13 relies on kstrdup without considering the possibility
 of an internal '\0' value, which allows attackers to trigger an
 out-of-bounds read, aka CID-15753588bcd4.

[Impact]

This could lead to potential data leak and corruption.

[Test case]

Build dummy_hcd, load libcomposite and dummy_hcd, and run:

cd /sys/kernel/config/usb_gadget/
mkdir ep1
cd ep1
echo dummy_udc.0 > UDC
UDC: Invalid argument
echo -e 'no_udc.0' > UDC
UDC: No such device

Before patch:
echo -e 'dummy_udc.0\0' > UDC
UDC: Invalid argument

After patch:
echo -e 'dummy_udc.0\0' > UDC
UDC: Value too large for defined data type

This will lead to EINVAL as there is no other configuration done for the
gadget. The test was only done on Focal, looking for regressions on that
simple case. Also tested a random string, which returns ENODEV, and one
string containing the NULL character.

[Regression potential]
Low. It's restricting strings that contain the NULL character.
