Bug 2069408 (CVE-2022-27950) - CVE-2022-27950 kernel: memory leak in drivers/hid/hid-elo.c
Summary: CVE-2022-27950 kernel: memory leak in drivers/hid/hid-elo.c
Keywords:
Status: NEW
Alias: CVE-2022-27950
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2069409 2073833 2073834
Blocks: 2069410
 
Reported: 2022-03-28 20:44 UTC by Pedro Sampaio
Modified: 2022-11-08 10:09 UTC (History)
CC: 46 users

Fixed In Version: kernel 5.17 rc5
Doc Type: If docs needed, set a value
Doc Text:
A memory leak flaw was found in elo_probe in drivers/hid/hid-elo.c in the Human Interface Devices (HID) subsystem of the Linux kernel. This issue allows an attacker to cause a denial of service when hid_parse() in elo_probe() fails.
Clone Of:
Environment:
Last Closed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2022:7444 0 None None None 2022-11-08 09:09:57 UTC
Red Hat Product Errata RHSA-2022:7683 0 None None None 2022-11-08 10:09:14 UTC

Comment 1 Pedro Sampaio 2022-03-28 20:45:32 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2069409]

Comment 2 Justin M. Forbes 2022-03-31 21:25:36 UTC
This was fixed for Fedora with the 5.16.11 stable kernel updates.

Comment 8 Benjamin Tissoires 2022-05-10 13:11:48 UTC
OK, thanks, but I need to express my rant here:

For reference: https://lore.kernel.org/linux-input/nycvar.YFH.7.76.2202171420080.11721@cbobk.fhfr.pm/

- in July 2021, commit fbf42729d0e913 was introduced, but while it was taken by the HID maintainers, Greg KH, the USB maintainer, rejected the same series because: 1. it's useless, and 2. it was buggy
(unfortunately, we didn't catch the bug in the HID tree)
- in Jan 2022, commit 817b8b9c5396d (the one referenced by this "CVE") was submitted and accepted, because it obviously fixed the bug from above.
- Meanwhile, Alan Stern caught the same bug and solved it properly by reverting fbf42729d0e913
- a discussion happened (lore link from above) and the consensus was to revert both fbf42729d0e913 and 817b8b9c5396d because they are wrong
- that decision happened on the 17 Feb 2022
- then, on https://www.openwall.com/lists/oss-security/2022/03/13/1, we see that the person who tried to fix the bug created a CVE for it, ONE MONTH LATER

I do not know the motivations of that person, but the patch had already made it to stable, and IMO it is *not* a memory leak, because we are just keeping a reference on the USB device, and can't use it outside of the scope of the module. It will probably mess up the system when the device gets disconnected, but to trigger a DoS on the machine we need: to plug/unplug the forged device a certain number of times, or script that with virtual USB devices, in which case you need root access to do it.

So as stated by the prodsec team, the impact is definitely not high, maybe moderate (but more likely low IMO).

I'll fix the rhel8 commit in the same way upstream did (reverting those 2 commits), but still, this is messed up.
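
The three states the comment above describes (a reference taken in probe and never dropped on the hid_parse() error path, the follow-up that drops it on that path, and the upstream resolution of not taking the reference at all) can be modelled in user space to see how the imbalance accumulates. The following is an added toy example, not kernel code and not the hid-elo driver: `toy_usb_device`, `toy_get_dev`/`toy_put_dev`, `toy_hid_parse` and the `ref_policy` enum are stand-ins invented for this illustration, and the refcount is checked directly instead of via the kernel's kobject machinery.

```c
#include <stdio.h>
#include <stdlib.h>

/* Toy stand-in for a refcounted USB device (models usb_get_dev/usb_put_dev).
 * Hypothetical types and helpers, not the kernel's. */
struct toy_usb_device {
    int refcount;
};

static void toy_get_dev(struct toy_usb_device *d) { d->refcount++; }
static void toy_put_dev(struct toy_usb_device *d) { d->refcount--; }

/* Stand-in for hid_parse(): the caller decides whether it fails. */
static int toy_hid_parse(int fail) { return fail ? -1 : 0; }

/* Driver-private state allocated by probe (models the driver's priv struct). */
struct toy_elo_priv {
    struct toy_usb_device *usbdev;
    int holds_ref;
};

/* How probe treats the USB device reference (the three states from the comment). */
enum ref_policy {
    REF_LEAKY,          /* take a reference, never drop it on the error path */
    REF_PUT_ON_ERROR,   /* take a reference, drop it when hid_parse() fails  */
    REF_NONE            /* do not take a reference at all (the revert)       */
};

/* Toy probe: allocate priv, optionally pin the device, run the parser. */
static int toy_elo_probe(struct toy_usb_device *dev, enum ref_policy policy,
                         int parse_fails, struct toy_elo_priv **out)
{
    struct toy_elo_priv *priv = calloc(1, sizeof(*priv));
    if (!priv)
        return -1;
    priv->usbdev = dev;
    priv->holds_ref = (policy != REF_NONE);
    if (priv->holds_ref)
        toy_get_dev(dev);
    if (toy_hid_parse(parse_fails)) {
        if (policy == REF_PUT_ON_ERROR)
            toy_put_dev(dev);   /* balance the get before bailing out */
        free(priv);             /* REF_LEAKY frees priv but keeps the reference */
        return -1;
    }
    *out = priv;
    return 0;
}

/* Toy remove: the normal counterpart that releases the reference. */
static void toy_elo_remove(struct toy_elo_priv *priv)
{
    if (priv->holds_ref)
        toy_put_dev(priv->usbdev);
    free(priv);
}

/* Simulate n probe attempts where hid_parse() fails every time and return how
 * many references are left unbalanced (0 means no leak). */
static int leaked_refs_after_failures(enum ref_policy policy, int n)
{
    struct toy_usb_device dev = { .refcount = 1 };   /* 1 = core's own ref */
    struct toy_elo_priv *priv = NULL;
    for (int i = 0; i < n; i++)
        toy_elo_probe(&dev, policy, 1, &priv);
    return dev.refcount - 1;
}

/* Simulate one successful probe followed by remove; the count must return
 * to the baseline under every policy. Returns -1 if probe itself failed. */
static int leaked_refs_after_success(enum ref_policy policy)
{
    struct toy_usb_device dev = { .refcount = 1 };
    struct toy_elo_priv *priv = NULL;
    if (toy_elo_probe(&dev, policy, 0, &priv) != 0)
        return -1;
    toy_elo_remove(priv);
    return dev.refcount - 1;
}

int main(void)
{
    printf("leaky:        %d refs left after 5 failed probes\n",
           leaked_refs_after_failures(REF_LEAKY, 5));
    printf("put-on-error: %d refs left after 5 failed probes\n",
           leaked_refs_after_failures(REF_PUT_ON_ERROR, 5));
    printf("no-ref:       %d refs left after 5 failed probes\n",
           leaked_refs_after_failures(REF_NONE, 5));
    return 0;
}
```

The model makes the point of the comment concrete: what is lost on each failed probe is one device reference, not unbounded memory, and it only grows by one per probe attempt that reaches a failing hid_parse(). Either balancing the get on the error path or not taking the reference at all brings the count back to baseline.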

Comment 14 errata-xmlrpc 2022-11-08 09:09:54 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:7444 https://access.redhat.com/errata/RHSA-2022:7444

Comment 15 errata-xmlrpc 2022-11-08 10:09:11 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:7683 https://access.redhat.com/errata/RHSA-2022:7683

