Bug 2069408 (CVE-2022-27950)

Summary: CVE-2022-27950 kernel: memory leak in drivers/hid/hid-elo.c
Product: [Other] Security Response Reporter: Pedro Sampaio <psampaio>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: acaringi, adscvr, airlied, alciregi, bhu, bskeggs, btissoir, chwhite, crwood, dhoward, dvlasenk, fhrbata, hdegoede, hkrzesin, hpa, jarod, jarodwilson, jburrell, jfaracco, jforbes, jglisse, jlelli, joe.lawrence, jonathan, josef, jshortt, jstancek, jwboyer, jwyatt, kcarcia, kernel-maint, kernel-mgr, lgoncalv, linville, lzampier, masami256, mchehab, nmurray, ptalbert, qzhao, rvrbovsk, scweaver, steved, vkumar, walters, williams
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: kernel 5.17 rc5 Doc Type: If docs needed, set a value
Doc Text:
A memory leak flaw was found in elo_probe in drivers/hid/hid-elo.c in the Human Interface Devices (HID) in the Linux kernel. This issue allows an attacker to cause a denial of service when hid_parse() in elo_probe() fails.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2022-12-04 03:03:15 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2069409, 2073833, 2073834    
Bug Blocks: 2069410    

Description Pedro Sampaio 2022-03-28 20:44:57 UTC 
In drivers/hid/hid-elo.c in the Linux kernel before 5.16.11, a memory leak exists for a certain hid_parse error condition.

https://www.openwall.com/lists/oss-security/2022/03/13/1
https://github.com/torvalds/linux/commit/817b8b9c5396d2b2d92311b46719aad5d3339dbe
https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.16.11
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=817b8b9c5396d2b2d92311b46719aad5d3339dbe
Comment 1 Pedro Sampaio 2022-03-28 20:45:32 UTC 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2069409]
Comment 2 Justin M. Forbes 2022-03-31 21:25:36 UTC 
This was fixed for Fedora with the 5.16.11 stable kernel updates.
Comment 8 Benjamin Tissoires 2022-05-10 13:11:48 UTC 
OK, thanks, but I need to express my rant here:

For reference: https://lore.kernel.org/linux-input/nycvar.YFH.7.76.2202171420080.11721@cbobk.fhfr.pm/

- in July 2021, commit fbf42729d0e913 was introduced, but while it was taken by the HID maintainers, Greg KH, the USB maintainer rejected the same series because: 1. it's useless, and 2. it was buggy
(unfortunately, we didn't caught the bug in the HID tree)
- in Jan 2022, commit 817b8b9c5396d (the one referenced by this "CVE") was submitted and accepted, because it obviously fixed the bug from above.
- Meanwhile, Alan Stern caught the same bug and solved it properly by reverting fbf42729d0e913
- a discussion happened (lore link from above) and the consensus was to revert both fbf42729d0e913 and 817b8b9c5396d because they are wrong
- that decision happened on the 17 Feb 2022
- then, on https://www.openwall.com/lists/oss-security/2022/03/13/1, we see that the person who tried to fixed the bug created a CVE for it, ONE MONTH LATER

I do not know the motivations of that person, but the patch had already made it to stable, and IMO is *not* a memory leak, because we are just keeping a reference on the USB device, and can't use it outside of the scope of the module. It will probably mess up the system when the device gets disconnected, but to trigger a DoS on the machine we need: to plug/unplug the forged device a certain amount of time, or script that with virtual USB devices, in which case you need root access to do it.

So as stated by the prodsec team, the impact is definitively not high, maybe moderate (but more likely low IMO).

I'll fix the rhel8 commit in the same way upstream did (reverting those 2 commits), but still, this is messed up.
Comment 14 errata-xmlrpc 2022-11-08 09:09:54 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:7444 https://access.redhat.com/errata/RHSA-2022:7444
Comment 15 errata-xmlrpc 2022-11-08 10:09:11 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:7683 https://access.redhat.com/errata/RHSA-2022:7683
Comment 16 Product Security DevOps Team 2022-12-04 03:03:12 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-27950
Comment 19 errata-xmlrpc 2024-03-06 12:36:17 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2024:1188 https://access.redhat.com/errata/RHSA-2024:1188