Bug 2333971 (CVE-2024-53150)

Summary: CVE-2024-53150 kernel: ALSA: usb-audio: Fix out of bounds reads when finding clock sources
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: dfreiber, drow, jburrell, klaas, michael.h.hall-1, vkumar
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in the Linux kernel's USB Audio driver. This flaw can allow an attacker with physical access to the system to use a malicious USB device to gain additional access. This is possible by reading arbitrary system memory.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2024-12-24 12:01:27 UTC 
In the Linux kernel, the following vulnerability has been resolved:

ALSA: usb-audio: Fix out of bounds reads when finding clock sources

The current USB-audio driver code doesn't check bLength of each
descriptor at traversing for clock descriptors.  That is, when a
device provides a bogus descriptor with a shorter bLength, the driver
might hit out-of-bounds reads.

For addressing it, this patch adds sanity checks to the validator
functions for the clock descriptor traversal.  When the descriptor
length is shorter than expected, it's skipped in the loop.

For the clock source and clock multiplier descriptors, we can just
check bLength against the sizeof() of each descriptor type.
OTOH, the clock selector descriptor of UAC2 and UAC3 has an array
of bNrInPins elements and two more fields at its tail, hence those
have to be checked in addition to the sizeof() check.
Comment 1 Mauro Matteo Cascella 2024-12-24 14:16:17 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2024122427-CVE-2024-53150-3a7d@gregkh/T
Comment 2 Robb Gatica 2025-04-09 20:22:01 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2024122427-CVE-2024-53150-3a7d@gregkh/T
Comment 3 Klaas Demter 2025-04-10 11:11:10 UTC 
This has been added to the CISAs "Known Exploited Vulnerabilities" list. Any plans to address this in supported RHELs?
https://www.cisa.gov/news-events/alerts/2025/04/09/cisa-adds-two-known-exploited-vulnerabilities-catalog
Comment 4 errata-xmlrpc 2025-04-14 01:20:59 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.6 Telecommunications Update Service

Via RHSA-2025:3827 https://access.redhat.com/errata/RHSA-2025:3827
Comment 5 errata-xmlrpc 2025-04-14 08:06:09 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2025:3832 https://access.redhat.com/errata/RHSA-2025:3832
Comment 6 errata-xmlrpc 2025-04-14 10:49:23 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2025:3839 https://access.redhat.com/errata/RHSA-2025:3839
Comment 7 errata-xmlrpc 2025-04-14 10:49:34 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2025:3838 https://access.redhat.com/errata/RHSA-2025:3838
Comment 8 errata-xmlrpc 2025-04-14 15:11:29 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Telecommunications Update Service
  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions

Via RHSA-2025:3861 https://access.redhat.com/errata/RHSA-2025:3861
Comment 9 errata-xmlrpc 2025-04-15 01:33:51 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Telecommunications Update Service
  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions

Via RHSA-2025:3871 https://access.redhat.com/errata/RHSA-2025:3871
Comment 10 errata-xmlrpc 2025-04-15 02:03:15 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Extended Lifecycle Support

Via RHSA-2025:3880 https://access.redhat.com/errata/RHSA-2025:3880
Comment 11 errata-xmlrpc 2025-04-15 09:08:47 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support

Via RHSA-2025:3887 https://access.redhat.com/errata/RHSA-2025:3887
Comment 12 errata-xmlrpc 2025-04-15 09:09:00 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2025:3889 https://access.redhat.com/errata/RHSA-2025:3889
Comment 13 errata-xmlrpc 2025-04-15 09:09:09 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2025:3888 https://access.redhat.com/errata/RHSA-2025:3888
Comment 14 errata-xmlrpc 2025-04-15 09:46:48 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2025:3894 https://access.redhat.com/errata/RHSA-2025:3894
Comment 15 errata-xmlrpc 2025-04-15 09:50:00 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2025:3893 https://access.redhat.com/errata/RHSA-2025:3893
Comment 16 errata-xmlrpc 2025-04-15 11:38:46 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Extended Lifecycle Support

Via RHSA-2025:3901 https://access.redhat.com/errata/RHSA-2025:3901
Comment 17 errata-xmlrpc 2025-04-15 11:52:20 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.7 Advanced Update Support

Via RHSA-2025:3903 https://access.redhat.com/errata/RHSA-2025:3903
Comment 18 errata-xmlrpc 2025-04-15 20:43:07 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6 Extended Lifecycle Support  - EXTENSION

Via RHSA-2025:3931 https://access.redhat.com/errata/RHSA-2025:3931
Comment 19 errata-xmlrpc 2025-04-16 03:11:40 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2025:3935 https://access.redhat.com/errata/RHSA-2025:3935
Comment 20 errata-xmlrpc 2025-04-16 07:00:51 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:3937 https://access.redhat.com/errata/RHSA-2025:3937
Comment 21 errata-xmlrpc 2025-04-22 23:52:20 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.18

Via RHSA-2025:4019 https://access.redhat.com/errata/RHSA-2025:4019
Comment 22 errata-xmlrpc 2025-04-23 12:41:49 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.17

Via RHSA-2025:4012 https://access.redhat.com/errata/RHSA-2025:4012
Comment 23 errata-xmlrpc 2025-04-30 07:12:07 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2025:4177 https://access.redhat.com/errata/RHSA-2025:4177
Comment 25 errata-xmlrpc 2025-05-08 19:54:51 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2025:4409 https://access.redhat.com/errata/RHSA-2025:4409
Comment 26 errata-xmlrpc 2025-05-08 19:55:43 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2025:4422 https://access.redhat.com/errata/RHSA-2025:4422