Bug 2063718 (CVE-2022-26966)

Summary: CVE-2022-26966 kernel: heap memory leak in drivers/net/usb/sr9700.c
Product: [Other] Security Response
Reporter: TEJ RATHI <trathi>
Component: vulnerability
Assignee: Nobody <nobody>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
CC: acaringi, adscvr, airlied, alciregi, bdettelb, bhu, chwhite, crwood, dfreiber, dvlasenk, hdegoede, hkrzesin, jarod, jarodwilson, jburrell, jeremy, jfaracco, jforbes, jglisse, jlelli, joe.lawrence, jonathan, josef, jshortt, jstancek, jwboyer, jwyatt, kcarcia, kernel-maint, kernel-mgr, lgoncalv, linville, lzampier, masami256, mchehab, nmurray, ptalbert, qzhao, rkeshri, rogbas, rvrbovsk, scweaver, steved, vkumar, walters, williams, zulinx86
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: kernel 5.17 rc6
Bug Depends On: 2072673, 2072674, 2072675, 2072676, 2072677, 2072678, 2075413, 2075414, 2178486, 2178487    
Bug Blocks: 2063721    

Description TEJ RATHI 2022-03-14 08:46:05 UTC
An issue was discovered in the Linux kernel before 5.16.12. drivers/net/usb/sr9700.c allows attackers to obtain sensitive information from heap memory via crafted frame lengths from a device.

https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.16.10
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e9da0b56fe27206b49f39805f7dcda8a89379062
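
The defect class described above, as an added user-space example (not the sr9700 driver code and not part of the original report): a receive parser has to compare a device-supplied length field against the bytes actually received, not only against the maximum frame size. The 3-byte header layout, the constants, the sample buffers and all function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HDR_LEN   3     /* assumed header: 1 status byte + 16-bit little-endian length */
#define MAX_FRAME 1514  /* largest Ethernet frame without FCS */

/* Constructed samples: an honest 4-byte frame, and a 7-byte transfer claiming 1000 bytes. */
static const uint8_t honest_frame[]  = { 0x40, 0x04, 0x00, 0xde, 0xad, 0xbe, 0xef };
static const uint8_t crafted_frame[] = { 0x40, 0xe8, 0x03, 0xde, 0xad, 0xbe, 0xef };
static uint8_t scratch[MAX_FRAME];   /* output buffer for the checked path */

static size_t claimed_len(const uint8_t *buf) { return (size_t)buf[1] | ((size_t)buf[2] << 8); }

/* Bytes beyond the received data that a parser checking only len <= MAX_FRAME would copy. */
size_t overread_if_only_max_checked(const uint8_t *buf, size_t buf_len)
{
    if (buf_len < HDR_LEN) return 0;
    size_t len = claimed_len(buf);
    if (len > MAX_FRAME) return 0;             /* rejected by the protocol limit */
    size_t avail = buf_len - HDR_LEN;
    return len > avail ? len - avail : 0;      /* adjacent heap bytes that would be exposed */
}

/* Hardened extraction: returns payload length, or -1 if the frame is rejected. */
int extract_frame_checked(const uint8_t *buf, size_t buf_len, uint8_t *out, size_t out_cap)
{
    if (buf_len < HDR_LEN) return -1;
    size_t len = claimed_len(buf);
    if (len > MAX_FRAME) return -1;
    if (len > buf_len - HDR_LEN) return -1;    /* claim exceeds what was received */
    if (len > out_cap) return -1;
    memcpy(out, buf + HDR_LEN, len);
    return (int)len;
}

int main(void)
{
    printf("honest:  overread=%zu checked=%d\n",
           overread_if_only_max_checked(honest_frame, sizeof honest_frame),
           extract_frame_checked(honest_frame, sizeof honest_frame, scratch, sizeof scratch));
    printf("crafted: overread=%zu checked=%d\n",
           overread_if_only_max_checked(crafted_frame, sizeof crafted_frame),
           extract_frame_checked(crafted_frame, sizeof crafted_frame, scratch, sizeof scratch));
    return 0;
}
```
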

Comment 2 Rohit Keshri 2022-04-06 18:25:05 UTC
There was no shipped kernel version that was seen affected by this problem. These files are not built in our source code.

Comment 10 Jan Stancek 2022-12-05 10:13:58 UTC
(In reply to Rohit Keshri from comment #2)
> These files are not built in our source code.

Recent aarch64 kernel has sr9700 module enabled:

$ wget http://download.eng.bos.redhat.com/brewroot/vol/rhel-9/packages/kernel/5.14.0/205.el9/aarch64/kernel-core-5.14.0-205.el9.aarch64.rpm
$ rpm2cpio kernel-core-5.14.0-205.el9.aarch64.rpm | cpio -id
$ grep SR9700 lib/modules/5.14.0-205.el9.aarch64/config
CONFIG_USB_NET_SR9700=m

$ readelf -a lib/modules/5.14.0-205.el9.aarch64/kernel/drivers/net/usb/sr9700.ko | grep sr9700_rx_fixup
    38: 0000000000000010   304 FUNC    LOCAL  DEFAULT    3 sr9700_rx_fixup

Comment 16 Rohit Keshri 2023-03-15 05:22:03 UTC
In reply to comment #10:
> (In reply to Rohit Keshri from comment #2)
> > These files are not built in our source code.
> 
> Recent aarch64 kernel has sr9700 module enabled:
> 
> $ wget http://download.eng.bos.redhat.com/brewroot/vol/rhel-9/packages/kernel/5.14.0/205.el9/aarch64/kernel-core-5.14.0-205.el9.aarch64.rpm
> $ rpm2cpio kernel-core-5.14.0-205.el9.aarch64.rpm | cpio -id
> $ grep SR9700 lib/modules/5.14.0-205.el9.aarch64/config
> CONFIG_USB_NET_SR9700=m
> 
> $ readelf -a lib/modules/5.14.0-205.el9.aarch64/kernel/drivers/net/usb/sr9700.ko | grep sr9700_rx_fixup
>     38: 0000000000000010   304 FUNC    LOCAL  DEFAULT    3 sr9700_rx_fixup

Thank you Jan, I have made the adjustment.