[SRU][F/J/L][PATCH 0/3] CVE-2023-37453
Yuxuan Luo
yuxuan.luo at canonical.com
Wed Oct 11 22:54:05 UTC 2023
[Impact]
It was discovered that the USB subsystem in the Linux kernel contained a
race condition while handling device descriptors in certain situations,
leading to an out-of-bounds read vulnerability. A local attacker could
possibly use this to cause a denial of service (system crash).
[Backport]
For Jammy and Lunar, two prerequisite commits are needed for a clean
cherry pick.
For Focal, three additional commits are needed for the backport:
1. 19502e6911e4 ("USB: hub: Clean up use of port initialization schemes
and retries"). This one needs a manual backport because a previous commit,
6ae6dc22d2d1 ("usb: hub: Fix usb enumeration issue due to address0
race"), was backported to Focal rather than cleanly cherry-picked, which
results in conflicts.
2. a4f55d8b8c14 ("usb: hub: Check device descriptor before
resusciation"). This refactoring resolves the conflict in the backport
above.
3. fb6f076d5434 ("USB: hub: Add Kconfig option to reduce number of port
initialization retries"). This one introduces a macro while also modifying
the Kconfig file; the Kconfig change is dropped, since it would not be
reflected in the annotation file, and only the macro is introduced.
[Test]
Tested against the proof-of-concept reproducer generated by
[Syzkaller](https://syzkaller.appspot.com/text?tag=ReproC&x=1150cb7ca80000).
[Potential Regression]
Multiple files and functions are modified; proceed with care.
Alan Stern (3):
USB: core: Unite old scheme and new scheme descriptor reads
USB: core: Change usb_get_device_descriptor() API
USB: core: Fix race by not overwriting udev->descriptor in hub_port_init()
drivers/usb/core/hcd.c     |  10 +-
drivers/usb/core/hub.c     | 323 +++++++++++++++++++++----------------
drivers/usb/core/message.c |  29 ++--
drivers/usb/core/usb.h     |   4 +-
4 files changed, 204 insertions(+), 162 deletions(-)
--
2.34.1