2266270 – (CVE-2021-46906) CVE-2021-46906 kernel: info leak in hid_submit_ctrl

Bug 2266270 (CVE-2021-46906) - CVE-2021-46906 kernel: info leak in hid_submit_ctrl

Summary: CVE-2021-46906 kernel: info leak in hid_submit_ctrl

Keywords:
Status:	NEW
Alias:	CVE-2021-46906
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2266272
Blocks:	2266269
TreeView+	depends on / blocked

Reported:	2024-02-27 11:56 UTC by Rohit Keshri
Modified:	2024-03-13 12:15 UTC (History)
CC List:	49 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:	A flaw was found in the Linux kernel. This issue is caused by an information leak in hid_submit_ctrl.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description Rohit Keshri 2024-02-27 11:56:04 UTC

In the Linux kernel, the following vulnerability has been resolved:

HID: usbhid: fix info leak in hid_submit_ctrl

In hid_submit_ctrl(), the way of calculating the report length doesn't
take into account that report->size can be zero. When running the
syzkaller reproducer, a report of size 0 causes hid_submit_ctrl) to
calculate transfer_buffer_length as 16384. When this urb is passed to
the usb core layer, KMSAN reports an info leak of 16384 bytes.

To fix this, first modify hid_report_len() to account for the zero
report size case by using DIV_ROUND_UP for the division. Then, call it
from hid_submit_ctrl().

https://git.kernel.org/stable/c/0e280502be1b003c3483ae03fc60dea554fcfa82
https://git.kernel.org/stable/c/21883bff0fd854e07429a773ff18f1e9658f50e8
https://git.kernel.org/stable/c/41b1e71a2c57366b08dcca1a28b0d45ca69429ce
https://git.kernel.org/stable/c/6be388f4a35d2ce5ef7dbf635a8964a5da7f799f
https://git.kernel.org/stable/c/7f5a4b24cdbd7372770a02f23e347d7d9a9ac8f1
https://git.kernel.org/stable/c/8c064eece9a51856f3f275104520c7e3017fc5c0
https://git.kernel.org/stable/c/b1e3596416d74ce95cc0b7b38472329a3818f8a9
https://git.kernel.org/stable/c/c5d3c142f2d57d40c55e65d5622d319125a45366

Comment 1 Rohit Keshri 2024-02-27 12:07:20 UTC

Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2266272]

Comment 4 Justin M. Forbes 2024-02-27 19:09:34 UTC

This was fixed for Fedora with the 5.12.12 stable kernel updates.

Note You need to log in before you can comment on or make changes to this bug.

acaringi
allarkin
aquini
bhu
chwhite
cye
cyin
dbohanno
debarbos
dfreiber
drow
dvlasenk
esandeen
ezulian
hkrzesin
jarod
jburrell
jdenham
jfaracco
jforbes
jlelli
joe.lawrence
jshortt
jstancek
jwyatt
kcarcia
ldoskova
lgoncalv
lzampier
mleitner
mmilgram
mstowell
nmurray
ptalbert
rparrazo
rrobaina
rvrbovsk
rysulliv
scweaver
sukulkar
tglozar
tyberry
vkumar
wcosta
williams
wmealing
ycote
ykopkova
zhijwang