
[SRU,F/J/L,0/3] CVE-2023-37453

Message ID 20231011225414.50811-1-yuxuan.luo@canonical.com

Message

Yuxuan Luo Oct. 11, 2023, 10:54 p.m. UTC
[Impact]
It was discovered that the USB subsystem in the Linux kernel contained a
race condition while handling device descriptors in certain situations,
leading to an out-of-bounds read vulnerability. A local attacker could
possibly use this to cause a denial of service (system crash).

[Backport]
For Jammy and Lunar, two prerequisite commits are needed for a clean
cherry pick.

For Focal, three additional commits are needed to backport:
1. 19502e6911e4 ("USB: hub: Clean up use of port initialization schemes
and retries"). This one needs a manual backport because a previous commit,
6ae6dc22d2d1 ("usb: hub: Fix usb enumeration issue due to address0
race"), was backported to Focal rather than cleanly cherry-picked, resulting
in conflicts.
2. a4f55d8b8c14 ("usb: hub: Check device descriptor before
resusciation"). This refactoring solves the conflict of the above
backport.
3. fb6f076d5434 ("USB: hub: Add Kconfig option to reduce number of port
initialization retries"). This one introduced a macro while modifying the
Kconfig file; ignore the change regarding the Kconfig file, since it
will not be reflected in the annotation file, and only introduce the
macro.

[Test]
Tested against the proof of concept generated by
[Syzkaller](https://syzkaller.appspot.com/text?tag=ReproC&x=1150cb7ca80000)

[Potential Regression]
Multiple files and functions are modified, proceed with care.

Alan Stern (3):
  USB: core: Unite old scheme and new scheme descriptor reads
  USB: core: Change usb_get_device_descriptor() API
  USB: core: Fix race by not overwriting udev->descriptor in
    hub_port_init()

 drivers/usb/core/hcd.c     |  10 +-
 drivers/usb/core/hub.c     | 323 +++++++++++++++++++++----------------
 drivers/usb/core/message.c |  29 ++--
 drivers/usb/core/usb.h     |   4 +-
 4 files changed, 204 insertions(+), 162 deletions(-)
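The bug class the series addresses, as an added illustration that is not the kernel's code or any patch in this series: a descriptor that is published to the shared device object before re-enumeration has finished, so a concurrent reader bounds a table with the new count, versus reading into a private buffer and adopting it only when it still matches the device that was enumerated. The struct layout, the config table and the sequenced "interleaving" are assumptions of this model.

```c
#include <stdint.h>

/* Constructed model, not kernel code: a device descriptor whose
 * bNumConfigurations bounds a config table allocated at enumeration. */
struct desc { uint8_t bNumConfigurations; };
struct udev {
    struct desc descriptor;   /* analogous to udev->descriptor */
    int config[2];            /* allocated for 2 configs at enumeration */
    int nconfigs_alloc;
};

/* Another path that trusts udev->descriptor to bound udev->config[].
 * Returns -1 where an unchecked index would read past the allocation. */
static int read_last_config(const struct udev *u, int *out) {
    int idx = (int)u->descriptor.bNumConfigurations - 1;
    if (idx < 0 || idx >= u->nconfigs_alloc)
        return -1;
    *out = u->config[idx];
    return 0;
}

/* Vulnerable shape: the re-enumeration path stores the device's reply in
 * udev->descriptor at once, so a reader running in the window sees the
 * new count against the old table. The race is sequenced here on purpose. */
static int reinit_overwrite(struct udev *u, struct desc reply) {
    int v;
    u->descriptor = reply;              /* published before init completes */
    return read_last_config(u, &v);     /* the race window */
}

/* Fixed shape: keep the reply in a private buffer while init runs, and
 * adopt it only if it still describes the device we enumerated. */
static int reinit_private(struct udev *u, struct desc reply) {
    struct desc tmp = reply;            /* udev->descriptor left untouched */
    int v;
    int rc = read_last_config(u, &v);   /* reader sees old, consistent state */
    if (rc)
        return rc;
    if (tmp.bNumConfigurations != u->descriptor.bNumConfigurations)
        return -2;                      /* descriptor changed: different device */
    u->descriptor = tmp;
    return 0;
}

/* Constructed device: enumerated with 2 configurations. */
static struct udev make_dev(void) {
    struct udev u = { {2}, {10, 20}, 2 };
    return u;
}
```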

Comments

Tim Gardner Oct. 12, 2023, 5:56 p.m. UTC | #1
On 10/11/23 4:54 PM, Yuxuan Luo wrote:
> [...]
Acked-by: Tim Gardner <tim.gardner@canonical.com>
Stefan Bader Oct. 16, 2023, 12:36 p.m. UTC | #2
On 12.10.23 00:54, Yuxuan Luo wrote:
> [...]

Acked-by: Stefan Bader <stefan.bader@canonical.com>
Stefan Bader Oct. 16, 2023, 1:15 p.m. UTC | #3
On 12.10.23 00:54, Yuxuan Luo wrote:
> [...]

For Jammy the 1st patch required fuzz 2 in the 3rd hunk and the 2nd
patch required fuzz 1 in the 1st hunk of message.c.

Applied to lunar,jammy,focal:linux/master-next. Thanks.

-Stefan