kernel: usb: out-of-bounds read in read_descriptors (!3212) · Merge requests · Red Hat / centos-stream / src / kernel / centos-stream-9

Desnes Nunes requested to merge desnesn/centos-stream-9:rhel2566 into main Oct 16, 2023

JIRA: https://issues.redhat.com/browse/RHEL-2566

JIRA: https://issues.redhat.com/browse/RHEL-2680

Upstream Status: Patches have been accepted on kernel/git/torvalds/linux.git

CVE: CVE-2023-37453

Conflicts: Minor conflict on the 4th patch due to an avoided series

Build Info: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=56188805

Functional testing: OtherQA

Description:

With the inclusion of commit <45bf39f8df7f> ("USB: core: Don't hold device lock while reading the "descriptors" sysfs file"), the USB subsystem became vulnerable to an out-of-bounds read issue. This flaw allows a malicious user to crash the system, resulting in a denial of service condition; which is mostly due to a race condition addressed on the 3rd patch of this series.

V1 -> V2:

Added the kernel-rt Jira issue to MR and patches.
Dropped following commits:
- commit <1e4c574225cc> ("USB: Remove remnants of Wireless USB and UWB")
- commit <5198c0eeb8ff> ("USB: core: Fix unused variable warning in usb_alloc_dev()")

V2 -> V3:

Typo on Jira issue of 2nd patch

Signed-off-by: Desnes Nunes desnesn@redhat.com

Edited Oct 17, 2023 by Desnes Nunes

kernel: usb: out-of-bounds read in read_descriptors

Merge request reports