First published: Mon Feb 26 2024
In the Linux kernel, the following vulnerability has been resolved:

HID: usbhid: fix info leak in hid_submit_ctrl

In hid_submit_ctrl(), the way of calculating the report length doesn't take into account that report->size can be zero. When running the syzkaller reproducer, a report of size 0 causes hid_submit_ctrl() to calculate transfer_buffer_length as 16384. When this urb is passed to the usb core layer, KMSAN reports an info leak of 16384 bytes.

To fix this, first modify hid_report_len() to account for the zero report size case by using DIV_ROUND_UP for the division. Then, call it from hid_submit_ctrl().
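The arithmetic behind the fix, as an added user-space example (not code from the kernel patch or from this advisory). It assumes the pre-fix length used shift-based rounding, `((size - 1) >> 3) + 1`, on an unsigned bit count, and it models the transfer path as a plain cap at the 16384 bytes quoted above; `struct model_report`, `report_len_shift`, `report_len_fixed` and `transfer_len` are hypothetical names.

```c
#include <stdint.h>
#include <stdio.h>

/* Same rounding helper the kernel provides, redefined so this builds in user space. */
#define DIV_ROUND_UP(n, d) (((n) + (d) - 1) / (d))

/* Assumption: the 16384-byte length quoted in the advisory is treated as the buffer cap. */
#define MODEL_BUFSIZE 16384u

/* Hypothetical stand-in for a HID report: size is in bits, id is the report ID. */
struct model_report {
    uint32_t size;
    uint32_t id;
};

/* Assumed pre-fix form: size - 1 wraps to 0xFFFFFFFF when size == 0. */
static uint32_t report_len_shift(const struct model_report *r)
{
    return ((r->size - 1) >> 3) + 1 + (r->id > 0);
}

/* Form named in the advisory: DIV_ROUND_UP yields 0 bytes for a 0-bit report. */
static uint32_t report_len_fixed(const struct model_report *r)
{
    return DIV_ROUND_UP(r->size, 8) + (r->id > 0);
}

/* Simplified model of the transfer path: the length is capped at the buffer size. */
static uint32_t transfer_len(uint32_t report_len)
{
    return report_len > MODEL_BUFSIZE ? MODEL_BUFSIZE : report_len;
}

int main(void)
{
    /* Constructed sample reports: {size in bits, report id}. */
    const struct model_report samples[] = { {0, 0}, {1, 0}, {8, 0}, {9, 1}, {64, 2} };

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        const struct model_report *r = &samples[i];
        uint32_t before = report_len_shift(r), after = report_len_fixed(r);

        printf("size=%2u id=%u  shift: len=%10u xfer=%5u | fixed: len=%u xfer=%u\n",
               (unsigned)r->size, (unsigned)r->id,
               (unsigned)before, (unsigned)transfer_len(before),
               (unsigned)after, (unsigned)transfer_len(after));
    }
    return 0;
}
```

Only the zero-size row differs between the two forms: every non-zero size produces the same length either way, which is why the defect stays hidden until a device supplies a 0-bit report.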
Credit: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Affected Software | Affected Version | How to fix |
---|---|---|
Linux Linux kernel | <4.4.274 | |
Linux Linux kernel | >=4.5.0 <4.9.274 | |
Linux Linux kernel | >=4.10.0 <4.14.238 | |
Linux Linux kernel | >=4.15.0 <4.19.196 | |
Linux Linux kernel | >=4.20.0 <5.4.127 | |
Linux Linux kernel | >=5.5.0 <5.10.45 | |
Linux Linux kernel | >=5.11.0 <5.12.12 | |