2298175 – (CVE-2022-48834) CVE-2022-48834 kernel: usb: usbtmc: Fix bug in pipe direction for control transfers

Bug 2298175 (CVE-2022-48834) - CVE-2022-48834 kernel: usb: usbtmc: Fix bug in pipe direction for control transfers

Summary: CVE-2022-48834 kernel: usb: usbtmc: Fix bug in pipe direction for control tra...

Keywords:
Status:	NEW
Alias:	CVE-2022-48834
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2024-07-16 13:21 UTC by OSIDB Bzimport
Modified:	2024-08-30 12:36 UTC (History)
CC List:	4 users (show)
Fixed In Version:	kernel 5.4.187, kernel 5.10.108, kernel 5.15.31, kernel 5.16.17, kernel 5.17
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2024-07-16 13:21:00 UTC

In the Linux kernel, the following vulnerability has been resolved:

usb: usbtmc: Fix bug in pipe direction for control transfers

The syzbot fuzzer reported a minor bug in the usbtmc driver:

usb 5-1: BOGUS control dir, pipe 80001e80 doesn't match bRequestType 0
WARNING: CPU: 0 PID: 3813 at drivers/usb/core/urb.c:412
usb_submit_urb+0x13a5/0x1970 drivers/usb/core/urb.c:410
Modules linked in:
CPU: 0 PID: 3813 Comm: syz-executor122 Not tainted
5.17.0-rc5-syzkaller-00306-g2293be58d6a1 #0
...
Call Trace:
 <TASK>
 usb_start_wait_urb+0x113/0x530 drivers/usb/core/message.c:58
 usb_internal_control_msg drivers/usb/core/message.c:102 [inline]
 usb_control_msg+0x2a5/0x4b0 drivers/usb/core/message.c:153
 usbtmc_ioctl_request drivers/usb/class/usbtmc.c:1947 [inline]

The problem is that usbtmc_ioctl_request() uses usb_rcvctrlpipe() for
all of its transfers, whether they are in or out.  It's easy to fix.

Note You need to log in before you can comment on or make changes to this bug.