Bug 2347990 (CVE-2022-49051) - CVE-2022-49051 kernel: net: usb: aqc111: Fix out-of-bounds accesses in RX fixup
Summary: CVE-2022-49051 kernel: net: usb: aqc111: Fix out-of-bounds accesses in RX fixup
Keywords:
Status: NEW
Alias: CVE-2022-49051
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2025-02-26 03:13 UTC by OSIDB Bzimport
Modified: 2025-02-26 20:19 UTC (History)
4 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2025-02-26 03:13:47 UTC 
In the Linux kernel, the following vulnerability has been resolved:

net: usb: aqc111: Fix out-of-bounds accesses in RX fixup

aqc111_rx_fixup() contains several out-of-bounds accesses that can be
triggered by a malicious (or defective) USB device, in particular:

 - The metadata array (desc_offset..desc_offset+2*pkt_count) can be out of bounds,
   causing OOB reads and (on big-endian systems) OOB endianness flips.
 - A packet can overlap the metadata array, causing a later OOB
   endianness flip to corrupt data used by a cloned SKB that has already
   been handed off into the network stack.
 - A packet SKB can be constructed whose tail is far beyond its end,
   causing out-of-bounds heap data to be considered part of the SKB's
   data.

Found doing variant analysis. Tested it with another driver (ax88179_178a), since
I don't have a aqc111 device to test it, but the code looks very similar.
Comment 1 Avinash Hanwate 2025-02-26 20:12:06 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025022651-CVE-2022-49051-08bd@gregkh/T
Note You need to log in before you can comment on or make changes to this bug.