[SRU][F/J/L][PATCH 0/3] CVE-2023-37453

Yuxuan Luo yuxuan.luo at canonical.com
Wed Oct 11 22:54:05 UTC 2023


[Impact]
It was discovered that the USB subsystem in the Linux kernel contained a
race condition while handling device descriptors in certain situations,
leading to a out-of-bounds read vulnerability. A local attacker could
possibly use this to cause a denial of service (system crash).

[Backport]
For Jammy and Lunar, two prerequisite commits are needed for a clean
cherry pick.

For Focal, three more additional commits are needed to backport:
1. 19502e6911e4 (“USB: hub: Clean up use of port initialization schemes
and retries”). This one needs manual backport because a previous commit,
6ae6dc22d2d1 (“usb: hub: Fix usb enumeration issue due to address0
race”), was backported to Focal rather than clean cherry pick, resulting
in conflicts.
2. a4f55d8b8c14 ("usb: hub: Check device descriptor before
resusciation"). This refactoring solves the conflict of the above
backport.
3. fb6f076d5434 ("USB: hub: Add Kconfig option to reduce number of port
initialization retries"). This one introduced a macro while modifying
Kconfig file; ignore the change regarding the Kconfig file since it
will not be reflected in the annotation file and only introduce the
macro.

[Test]
Tested against the proof of concept generated by
[Syzkaller](https://syzkaller.appspot.com/text?tag=ReproC&x=1150cb7ca80000)

[Potential Regression]
Multiple files and functions are modified, proceed with care.

Alan Stern (3):
  USB: core: Unite old scheme and new scheme descriptor reads
  USB: core: Change usb_get_device_descriptor() API
  USB: core: Fix race by not overwriting udev->descriptor in
    hub_port_init()

 drivers/usb/core/hcd.c     |  10 +-
 drivers/usb/core/hub.c     | 323 +++++++++++++++++++++----------------
 drivers/usb/core/message.c |  29 ++--
 drivers/usb/core/usb.h     |   4 +-
 4 files changed, 204 insertions(+), 162 deletions(-)

-- 
2.34.1




More information about the kernel-team mailing list