Bug 2063718 (CVE-2022-26966) - CVE-2022-26966 kernel: heap memory leak in drivers/net/usb/sr9700.c
Summary: CVE-2022-26966 kernel: heap memory leak in drivers/net/usb/sr9700.c
Keywords:
Status: NEW
Alias: CVE-2022-26966
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Nobody
Depends On: 2072673 2072674 2072675 2072676 2072677 2072678 2075413 2075414 2178486 2178487
Blocks: 2063721
Reported: 2022-03-14 08:46 UTC by TEJ RATHI
Modified: 2023-10-09 11:35 UTC (History)

Fixed In Version: kernel 5.17 rc6

Description TEJ RATHI 2022-03-14 08:46:05 UTC
An issue was discovered in the Linux kernel before 5.16.12. drivers/net/usb/sr9700.c allows attackers to obtain sensitive information from heap memory via crafted frame lengths from a device.

https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.16.10
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e9da0b56fe27206b49f39805f7dcda8a89379062
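
The bug class named in the description (a device-supplied frame length trusted beyond the data actually received), as an added user-space model that is not the sr9700 driver code or the upstream patch. The 3-byte header layout, the buffer sizes and all function names are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HDR_LEN   3     /* assumed header: status byte + 16-bit LE length */
#define MAX_FRAME 1514  /* largest Ethernet frame without FCS */

/* Model buffer: cap bytes allocated, only the first `used` came from the device. */
struct rxbuf { const uint8_t *data; size_t used, cap; };

/* Weak: only a protocol maximum bounds the device-supplied length. */
long extract_unchecked(const struct rxbuf *rx, uint8_t *out, size_t out_cap)
{
    if (rx->used < HDR_LEN) return -1;
    size_t len = (size_t)rx->data[1] | ((size_t)rx->data[2] << 8);
    if (len > MAX_FRAME || len > out_cap) return -1;
    if (HDR_LEN + len > rx->cap) return -1;  /* keeps this model in bounds */
    memcpy(out, rx->data + HDR_LEN, len);    /* can include stale bytes */
    return (long)len;
}

/* Hardened: the claimed length must also fit in the bytes actually received. */
long extract_checked(const struct rxbuf *rx, uint8_t *out, size_t out_cap)
{
    if (rx->used < HDR_LEN) return -1;
    size_t len = (size_t)rx->data[1] | ((size_t)rx->data[2] << 8);
    if (len > MAX_FRAME || len > out_cap) return -1;
    if (len > rx->used - HDR_LEN) return -1; /* reject over-long claim */
    memcpy(out, rx->data + HDR_LEN, len);
    return (long)len;
}

/* Constructed sample: 64 stale 0xAA bytes, an 11-byte transfer claiming 32. */
long demo(int hardened, uint8_t *out, size_t out_cap)
{
    static uint8_t heap[64];
    const uint8_t xfer[11] = {0x00, 32, 0x00, 1, 2, 3, 4, 5, 6, 7, 8};
    memset(heap, 0xAA, sizeof heap);
    memcpy(heap, xfer, sizeof xfer);
    struct rxbuf rx = { heap, sizeof xfer, sizeof heap };
    return (hardened ? extract_checked : extract_unchecked)(&rx, out, out_cap);
}

int main(void)
{
    uint8_t out[64];
    printf("weak=%ld hardened=%ld\n", demo(0, out, sizeof out), demo(1, out, sizeof out));
    return 0;
}
```

In the weak path the last 24 of the 32 returned bytes are the stale 0xAA filler rather than received data; the hardened path rejects the frame.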

Comment 2 Rohit Keshri 2022-04-06 18:25:05 UTC
There was no shipped kernel version that was seen affected by this problem. These files are not built in our source code.

Comment 10 Jan Stancek 2022-12-05 10:13:58 UTC
(In reply to Rohit Keshri from comment #2)
> These files are not built in our source code.

Recent aarch64 kernel has sr9700 module enabled:

$ wget http://download.eng.bos.redhat.com/brewroot/vol/rhel-9/packages/kernel/5.14.0/205.el9/aarch64/kernel-core-5.14.0-205.el9.aarch64.rpm
$ rpm2cpio kernel-core-5.14.0-205.el9.aarch64.rpm | cpio -id
$ grep SR9700 lib/modules/5.14.0-205.el9.aarch64/config
CONFIG_USB_NET_SR9700=m

$ readelf -a lib/modules/5.14.0-205.el9.aarch64/kernel/drivers/net/usb/sr9700.ko | grep sr9700_rx_fixup
    38: 0000000000000010   304 FUNC    LOCAL  DEFAULT    3 sr9700_rx_fixup

Comment 16 Rohit Keshri 2023-03-15 05:22:03 UTC
In reply to comment #10:
> (In reply to Rohit Keshri from comment #2)
> > These files are not built in our source code.
> 
> Recent aarch64 kernel has sr9700 module enabled:
> 
> $ wget http://download.eng.bos.redhat.com/brewroot/vol/rhel-9/packages/kernel/5.14.0/205.el9/aarch64/kernel-core-5.14.0-205.el9.aarch64.rpm
> $ rpm2cpio kernel-core-5.14.0-205.el9.aarch64.rpm | cpio -id
> $ grep SR9700 lib/modules/5.14.0-205.el9.aarch64/config
> CONFIG_USB_NET_SR9700=m
> 
> $ readelf -a lib/modules/5.14.0-205.el9.aarch64/kernel/drivers/net/usb/sr9700.ko | grep sr9700_rx_fixup
>     38: 0000000000000010   304 FUNC    LOCAL  DEFAULT    3 sr9700_rx_fixup

Thank you Jan, I have made the adjustment.

