Bug 2069408 (CVE-2022-27950)
| Field | Value |
|---|---|
| Summary | CVE-2022-27950 kernel: memory leak in drivers/hid/hid-elo.c |
| Product | [Other] Security Response |
| Component | vulnerability |
| Reporter | Pedro Sampaio <psampaio> |
| Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED ERRATA |
| Severity | medium |
| Priority | medium |
| Version | unspecified |
| CC | acaringi, adscvr, airlied, alciregi, bhu, bskeggs, btissoir, chwhite, crwood, dhoward, dvlasenk, fhrbata, hdegoede, hkrzesin, hpa, jarod, jarodwilson, jburrell, jfaracco, jforbes, jglisse, jlelli, joe.lawrence, jonathan, josef, jshortt, jstancek, jwboyer, jwyatt, kcarcia, kernel-maint, kernel-mgr, lgoncalv, linville, lzampier, masami256, mchehab, nmurray, ptalbert, qzhao, rvrbovsk, scweaver, steved, vkumar, walters, williams |
| Keywords | Security |
| Hardware | All |
| OS | Linux |
| Fixed In Version | kernel 5.17 rc5 |
| Doc Text | A memory leak flaw was found in elo_probe in drivers/hid/hid-elo.c in the Human Interface Devices (HID) in the Linux kernel. This issue allows an attacker to cause a denial of service when hid_parse() in elo_probe() fails. |
| Last Closed | 2022-12-04 03:03:15 UTC |
| Bug Depends On | 2069409, 2073833, 2073834 |
| Bug Blocks | 2069410 |

Description
Pedro Sampaio
2022-03-28 20:44:57 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2069409]

This was fixed for Fedora with the 5.16.11 stable kernel updates.

OK, thanks, but I need to express my rant here:

For reference: https://lore.kernel.org/linux-input/nycvar.YFH.7.76.2202171420080.11721@cbobk.fhfr.pm/

- in July 2021, commit fbf42729d0e913 was introduced, but while it was taken by the HID maintainers, Greg KH, the USB maintainer, rejected the same series because:
  1. it's useless, and
  2. it was buggy (unfortunately, we didn't catch the bug in the HID tree)
- in Jan 2022, commit 817b8b9c5396d (the one referenced by this "CVE") was submitted and accepted, because it obviously fixed the bug from above.
- Meanwhile, Alan Stern caught the same bug and solved it properly by reverting fbf42729d0e913
- a discussion happened (lore link from above) and the consensus was to revert both fbf42729d0e913 and 817b8b9c5396d because they are wrong
- that decision happened on the 17 Feb 2022
- then, on https://www.openwall.com/lists/oss-security/2022/03/13/1, we see that the person who tried to fix the bug created a CVE for it, ONE MONTH LATER

I do not know the motivations of that person, but the patch had already made it to stable, and IMO is *not* a memory leak, because we are just keeping a reference on the USB device, and can't use it outside of the scope of the module. It will probably mess up the system when the device gets disconnected, but to trigger a DoS on the machine we need: to plug/unplug the forged device a certain amount of time, or script that with virtual USB devices, in which case you need root access to do it.

So as stated by the prodsec team, the impact is definitively not high, maybe moderate (but more likely low IMO).

I'll fix the rhel8 commit in the same way upstream did (reverting those 2 commits), but still, this is messed up.
This issue has been addressed in the following products:

Red Hat Enterprise Linux 8

Via RHSA-2022:7444 https://access.redhat.com/errata/RHSA-2022:7444

This issue has been addressed in the following products:

Red Hat Enterprise Linux 8

Via RHSA-2022:7683 https://access.redhat.com/errata/RHSA-2022:7683

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-27950

This issue has been addressed in the following products:

Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2024:1188 https://access.redhat.com/errata/RHSA-2024:1188
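
The failure mode named in the Doc Text and in the comment above (a device reference still held when parsing fails in probe), as an added user-space C model; it is not the kernel's hid-elo code and does not come from this bug report. `model_dev`, `model_probe`, `leaked_refs` and the three variant names are hypothetical, and the model assumes the probe takes its reference before parsing.

```c
#include <stdio.h>

/* Hypothetical stand-in for a refcounted USB device (not a kernel type). */
struct model_dev { int refs; };

/* Leaky: reference kept on parse failure. Put-on-error: error path drops it.
 * No-ref: probe never takes the reference (the shape left by a revert). */
enum probe_variant { PROBE_LEAKY, PROBE_PUT_ON_ERROR, PROBE_NO_REF };

static void dev_get(struct model_dev *d) { d->refs++; }
static void dev_put(struct model_dev *d) { d->refs--; }

/* Model of a probe; parse_ok == 0 models the parse failure in the Doc Text. */
static int model_probe(struct model_dev *d, enum probe_variant v, int parse_ok)
{
    if (v != PROBE_NO_REF)
        dev_get(d);                 /* reference taken before parsing */
    if (!parse_ok) {
        if (v == PROBE_PUT_ON_ERROR)
            dev_put(d);             /* error path releases the reference */
        return -1;                  /* PROBE_LEAKY returns with it held */
    }
    return 0;
}

/* Remove only runs for devices whose probe succeeded. */
static void model_remove(struct model_dev *d, enum probe_variant v)
{
    if (v != PROBE_NO_REF)
        dev_put(d);
}

/* Simulate `cycles` plug/unplug events and return the references still held
 * beyond the baseline one. One counter stands in for all devices here; in a
 * real system each leaked reference would pin a separate device structure. */
static int leaked_refs(enum probe_variant v, int parse_ok, int cycles)
{
    struct model_dev d = { .refs = 1 };
    for (int i = 0; i < cycles; i++)
        if (model_probe(&d, v, parse_ok) == 0)
            model_remove(&d, v);
    return d.refs - 1;
}

int main(void)
{
    printf("leaky, parse fails x100:        %d\n", leaked_refs(PROBE_LEAKY, 0, 100));
    printf("put on error, parse fails x100: %d\n", leaked_refs(PROBE_PUT_ON_ERROR, 0, 100));
    printf("no reference, parse fails x100: %d\n", leaked_refs(PROBE_NO_REF, 0, 100));
    return 0;
}
```

Only the leaky variant with a failing parse accumulates references, one per plug event, which matches the comment's point that the impact depends on repeated plug/unplug cycles.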