Bug 2135717 (CVE-2022-3577) - CVE-2022-3577 kernel: HID: bigben: slab-out-of-bounds Write in bigben_probe
Summary: CVE-2022-3577 kernel: HID: bigben: slab-out-of-bounds Write in bigben_probe
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2022-3577
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2135718
Blocks: 2127143
Reported: 2022-10-18 09:05 UTC by Alex
Modified: 2023-02-11 18:54 UTC (History)

Fixed In Version: Linux kernel 5.19-rc1
Clone Of:
Environment:
Last Closed: 2022-11-30 09:28:01 UTC
Embargoed:



Description Alex 2022-10-18 09:05:58 UTC
A flaw in the Linux kernel was found in bigben_probe of drivers/hid/hid-bigbenff.c. The reason is an incorrect assumption: that bigben devices all have inputs. However, malicious devices can break this assumption, leading to an out-of-bounds write or even code execution. To exploit the vulnerability, one must have a malicious device that does not have any inputs.

Reference:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=fc4ef9d5724973193bfa5ebed181dba6de3a56db
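The bug class described above, as an added illustration that is not code from the kernel or from this report: a probe routine that calls list_first_entry() on a possibly empty input list. With the kernel's list layout, an empty head points at itself, so the "first entry" is the head's own storage reinterpreted as an entry, and the write to its field lands on whatever neighbours the list head in the parent struct. The list helpers, the hid_input/hid_device stand-ins and the canary field are constructed for this example; probe_unchecked shows the unchecked pattern and probe_checked the list_empty() guard that rejects an input-less device.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Userspace stand-ins for the kernel list helpers (constructed for this
 * example). Layout mirrors the kernel's: an empty head points at itself. */
struct list_head { struct list_head *next, *prev; };

#define container_of(ptr, type, member) \
	((type *)((char *)(ptr) - offsetof(type, member)))
#define list_first_entry(head, type, member) \
	container_of((head)->next, type, member)

static void INIT_LIST_HEAD(struct list_head *h) { h->next = h; h->prev = h; }
static int list_empty(const struct list_head *h) { return h->next == h; }
static void list_add_tail(struct list_head *n, struct list_head *h)
{
	n->next = h; n->prev = h->prev; h->prev->next = n; h->prev = n;
}

/* Toy structures standing in for hid_input and hid_device (constructed). */
struct hid_input { struct list_head list; int dev_id; };
struct hid_device {
	char name[16];
	struct list_head inputs;  /* list of struct hid_input */
	int canary;               /* field right after the list head; corruption = OOB write */
};

/* Vulnerable pattern: assume at least one input exists. On an empty list the
 * "entry" overlays hid->inputs, so hidinput->dev_id aliases hid->canary. */
static int probe_unchecked(struct hid_device *hid)
{
	struct hid_input *hidinput =
		list_first_entry(&hid->inputs, struct hid_input, list);
	hidinput->dev_id = 42;
	return 0;
}

/* Hardened pattern: refuse a device that exposes no inputs before touching
 * the first entry. */
static int probe_checked(struct hid_device *hid)
{
	struct hid_input *hidinput;

	if (list_empty(&hid->inputs))
		return -ENODEV;
	hidinput = list_first_entry(&hid->inputs, struct hid_input, list);
	hidinput->dev_id = 42;
	return 0;
}

#define CANARY 0x51DECAFE

/* Runs one probe against a device with or without an input. Stores the
 * probe's return code in *rc and returns 1 if the canary was overwritten. */
static int run_probe(int (*probe)(struct hid_device *), int with_input, int *rc)
{
	struct hid_device hid;
	struct hid_input in;

	memset(&hid, 0, sizeof hid);
	strcpy(hid.name, "toy-bigben");
	INIT_LIST_HEAD(&hid.inputs);
	hid.canary = CANARY;
	if (with_input)
		list_add_tail(&in.list, &hid.inputs);

	*rc = probe(&hid);
	return hid.canary != CANARY;
}

/* Convenience wrappers: did the probe corrupt memory, and what did it return? */
static int probe_corrupts(int (*probe)(struct hid_device *), int with_input)
{
	int rc;
	return run_probe(probe, with_input, &rc);
}

static int probe_rc(int (*probe)(struct hid_device *), int with_input)
{
	int rc;
	run_probe(probe, with_input, &rc);
	return rc;
}

int main(void)
{
	printf("unchecked, no inputs: corrupted=%d rc=%d\n",
	       probe_corrupts(probe_unchecked, 0), probe_rc(probe_unchecked, 0));
	printf("checked,   no inputs: corrupted=%d rc=%d\n",
	       probe_corrupts(probe_checked, 0), probe_rc(probe_checked, 0));
	printf("checked,   one input: corrupted=%d rc=%d\n",
	       probe_corrupts(probe_checked, 1), probe_rc(probe_checked, 1));
	return 0;
}
```

The canary sits exactly where dev_id of the phantom entry would be (offset of inputs plus offset of dev_id), which is why the unchecked probe silently clobbers it; in the real driver the overwritten bytes belong to whatever the allocator placed after the list head, hence the slab-out-of-bounds report. The guard is cheap and turns a memory-safety bug into a clean -ENODEV.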

Comment 1 Alex 2022-10-18 09:06:22 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2135718]

Comment 2 Alex 2022-10-18 09:12:46 UTC
Apart from this vulnerability, two other memory leak vulnerabilities were reported together with this one.
All 3 vulnerabilities are relevant only if some specific hardware is being used (which is not supported by Red Hat Enterprise Linux, so all versions of Red Hat Linux are unaffected by any of these 3).

The other two are:

In drivers/android/binderfs.c of the Linux kernel before 5.16.11, the failure of d_make_root does not initialize s_root, leading to a memory leak and refcount imbalance. To exploit the vulnerability, one must craft a syscall sequence to trigger an allocation failure in binderfs_fill_super.
Reference:
https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git/commit/?h=char-misc-next&id=9d64d2405f7d30d49818f6682acd0392348f0fdb

pvr2_hdw_create in drivers/media/usb/pvrusb2/pvrusb2-hdw.c in the Linux kernel through 5.19 misses the error handling and forgets to unregister the v4l2 device, leading to a refcount imbalance and memory leak issue. To exploit the vulnerability, one must craft a syscall sequence to execute the error handling code.
Reference:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=945a9a8e448b65bec055d37eba58f711b39f66f0

Comment 3 Justin M. Forbes 2022-10-24 14:21:12 UTC
This was fixed for Fedora with the 5.17.14 stable kernel updates.

Comment 4 Product Security DevOps Team 2022-11-30 09:27:57 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-3577

