Bug 2227726 (CVE-2023-4010) - CVE-2023-4010 kernel: usb: hcd: malformed USB descriptor leads to infinite loop in usb_giveback_urb()
Summary: CVE-2023-4010 kernel: usb: hcd: malformed USB descriptor leads to infinite lo...
Keywords:
Status: NEW
Alias: CVE-2023-4010
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2227737 2227734 2227735 2227736 2227738
Blocks: 2227739
TreeView+ depends on / blocked
 
Reported: 2023-07-31 08:43 UTC by Mauro Matteo Cascella
Modified: 2024-01-30 14:54 UTC (History)
47 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the USB Host Controller Driver framework in the Linux kernel. The usb_giveback_urb function has a logic loophole in its implementation. Due to the inappropriate judgment condition of the goto statement, the function cannot return under the input of a specific malformed descriptor file, so it falls into an endless loop, resulting in a denial of service.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description Mauro Matteo Cascella 2023-07-31 08:43:39 UTC 
The usb_giveback_urb function in the linux kernel has a logic loophole in its implementation. Due to the inappropriate judgment condition of the goto statement, the function cannot return under the input of a specific malformed descriptor file, and it falls into an endless loop and occupies CPU resources, resulting in a denial of service attack.

Reference:
https://github.com/wanrenmi/a-usb-kernel-bug
Comment 1 Mauro Matteo Cascella 2023-07-31 08:45:38 UTC 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2227737]
Note You need to log in before you can comment on or make changes to this bug.