Bug 2135717 (CVE-2022-3577) - CVE-2022-3577 kernel: HID: bigben: slab-out-of-bounds Write in bigben_probe
Summary: CVE-2022-3577 kernel: HID: bigben: slab-out-of-bounds Write in bigben_probe
Alias: CVE-2022-3577
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 2135718
Blocks: 2127143
TreeView+ depends on / blocked
Reported: 2022-10-18 09:05 UTC by Alex
Modified: 2023-02-11 18:54 UTC (History)
40 users (show)

Fixed In Version: Linux kernel 5.19-rc1
Doc Type: If docs needed, set a value
Doc Text:
An out-of-bounds memory write flaw was found in the Linux kernel’s Kid-friendly Wired Controller driver. This flaw allows a local user to crash or potentially escalate their privileges on the system.
Clone Of:
Last Closed: 2022-11-30 09:28:01 UTC

Attachments (Terms of Use)

Description Alex 2022-10-18 09:05:58 UTC
A flaw in the Linux Kernel found in bigben_probe of drivers/hid/hid-bigbenff.c. The reason is incorrect assumption - bigben devices all have inputs. However, malicious devices can break this assumption, leaking to out-of-bound write or even code execution. To exploit the vulnerability, one must have a malicious device that does not have any inputs.


Comment 1 Alex 2022-10-18 09:06:22 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2135718]

Comment 2 Alex 2022-10-18 09:12:46 UTC
Apart from this vulnerability, two other memory leak vulnerabilities were reported together with this one.
All 3 vulnerabilities actual only if some specific hardware being used (that not supported by Red Hat Enterprise Linux, so all version of Red Hat Linux not affected by any of these 3).

The other two are:

In drivers/android/binderfs.c of Linux kernel before 5.16.11, the failure of d_make_root does not initialize s_root, leading to memory leak and refcount unbalance. To exploit the vulnerability, one must craft a syscall sequence to trigger an allocation failure in binderfs_fill_super.

pvr2_hdw_create in drivers/media/usb/pvrusb2/pvrusb2-hdw.c in Linux kernel through 5.19 misses the error handling and forgets to unregister the v4l2 device, leading to refcount unbalance and memory leak issue. To exploit the vulnerability, one must craft a syscall sequence to execute the error handling code.

Comment 3 Justin M. Forbes 2022-10-24 14:21:12 UTC
This was fixed for Fedora with the 5.17.14 stable kernel updates.

Comment 4 Product Security DevOps Team 2022-11-30 09:27:57 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):


Note You need to log in before you can comment on or make changes to this bug.