APPLIED/Cmnt: [SRU][F/J/L][PATCH 0/3] CVE-2023-37453

Stefan Bader stefan.bader at canonical.com
Mon Oct 16 13:15:06 UTC 2023


On 12.10.23 00:54, Yuxuan Luo wrote:
> [Impact]
> It was discovered that the USB subsystem in the Linux kernel contained a
> race condition while handling device descriptors in certain situations,
> leading to a out-of-bounds read vulnerability. A local attacker could
> possibly use this to cause a denial of service (system crash).
> 
> [Backport]
> For Jammy and Lunar, two prerequisite commits are needed for a clean
> cherry pick.
> 
> For Focal, three more additional commits are needed to backport:
> 1. 19502e6911e4 (“USB: hub: Clean up use of port initialization schemes
> and retries”). This one needs manual backport because a previous commit,
> 6ae6dc22d2d1 (“usb: hub: Fix usb enumeration issue due to address0
> race”), was backported to Focal rather than clean cherry pick, resulting
> in conflicts.
> 2. a4f55d8b8c14 ("usb: hub: Check device descriptor before
> resusciation"). This refactoring solves the conflict of the above
> backport.
> 3. fb6f076d5434 ("USB: hub: Add Kconfig option to reduce number of port
> initialization retries"). This one introduced a macro while modifying
> Kconfig file; ignore the change regarding the Kconfig file since it
> will not be reflected in the annotation file and only introduce the
> macro.
> 
> [Test]
> Tested against the proof of concept generated by
> [Syzkaller](https://syzkaller.appspot.com/text?tag=ReproC&x=1150cb7ca80000)
> 
> [Potential Regression]
> Multiple files and functions are modified, proceed with care.
> 
> Alan Stern (3):
>    USB: core: Unite old scheme and new scheme descriptor reads
>    USB: core: Change usb_get_device_descriptor() API
>    USB: core: Fix race by not overwriting udev->descriptor in
>      hub_port_init()
> 
>   drivers/usb/core/hcd.c     |  10 +-
>   drivers/usb/core/hub.c     | 323 +++++++++++++++++++++----------------
>   drivers/usb/core/message.c |  29 ++--
>   drivers/usb/core/usb.h     |   4 +-
>   4 files changed, 204 insertions(+), 162 deletions(-)
> 

For Jammy the 1rst patch required fuzz 2 in the 3rd hunk and the 2nd 
patch required fuzz 1 in the 1rst hunk of message.c.

Applied to lunar,jammy,focal:linux/master-next. Thanks.

-Stefan
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_0xE8675DEECBEECEA3.asc
Type: application/pgp-keys
Size: 44613 bytes
Desc: OpenPGP public key
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20231016/343f0a6b/attachment-0001.key>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20231016/343f0a6b/attachment-0001.sig>


More information about the kernel-team mailing list