Bug 1214030 (CVE-2023-4010)

Summary: VUL-0: CVE-2023-4010: kernel: malformed USB descriptor leads to infinite loop in usb_giveback_urb()
Product: [Novell Products] SUSE Security Incidents
Reporter: Robert Frohl <rfrohl>
Component: Incidents
Assignee: Oliver Neukum <oneukum>
Status: NEW
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: gianluca.gabrielli, jack, meissner, mhocko, pmladek, security-team, vasant.karasulli
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/373859/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-4010:4.6:(AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Robert Frohl 2023-08-07 13:11:39 UTC
CVE-2023-4010

The usb_giveback_urb function in the Linux kernel has a logic loophole in its implementation. Due to the inappropriate judgment condition of the goto statement, the function cannot return under the input of a specific malformed descriptor file, and it falls into an endless loop and occupies CPU resources, resulting in a denial of service attack.

Reference:
https://github.com/wanrenmi/a-usb-kernel-bug

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-4010
https://bugzilla.redhat.com/show_bug.cgi?id=2227726
https://www.cve.org/CVERecord?id=CVE-2023-4010
https://access.redhat.com/security/cve/CVE-2023-4010
https://github.com/wanrenmi/a-usb-kernel-bug
Comment 3 Petr Mladek 2023-09-18 10:17:16 UTC
Gentle ping. Is there any news about the fix, please?
Comment 6 Jan Kara 2024-01-30 13:43:40 UTC
Oliver, this security bug is untouched for almost 6 months. Can you please have a look?
Comment 7 Oliver Neukum 2024-03-27 11:22:56 UTC
For the record:

The device descriptor decodes to:

bLength 0x12 (correct)
bDescriptorType 0x01 (correct)
bcdUSB 0x0000 (incorrect)
bDeviceClass 0xe4
bDeviceSubClass 0x2d
bDeviceProtocol 0xcb
bMaxPacketSize0 0x08
idVendor 0x15c2
idProduct 0x003d
bcdDevice 0xc409
iManufacturer 01
iSerialNumber 03
bNumConfigurations 01

configuration descriptor:

bLength 0x09
bDescriptorType 0x02 (correct)
wTotalLength 0x002d
bNumInterfaces 0x01
bConfigurationValue 0x00
iConfiguration 0x00
bmAttributes 0x00 (this is not good)
bMaxPower 0x00

So far some serious oddities, but survivable.
Comment 8 Oliver Neukum 2024-03-27 12:43:18 UTC
Then we have an interface descriptor that claims to have three endpoints and there we arrive at the culprit. All of them are malformed and two of them are for the same endpoint.
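Added example, not part of the bug report and not kernel code: a defensive descriptor walker in C that checks the device descriptor values Oliver decoded in Comment 7 and then walks a configuration bundle built to resemble Comments 7 and 8 (one interface claiming three endpoints, two of them sharing an address). The point it demonstrates is the bounds check a descriptor parser needs so that a zero or undersized bLength cannot leave the loop cursor unchanged and spin forever. Both byte arrays are constructed here; iProduct is not given in the comment and is a placeholder, and the endpoint contents are illustrative rather than the real device's bytes.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Descriptor type codes from the USB 2.0 specification, chapter 9. */
#define USB_DT_DEVICE   0x01
#define USB_DT_CONFIG   0x02
#define USB_DT_ENDPOINT 0x05

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Constructed bytes carrying the device descriptor values decoded in Comment 7.
 * iProduct is not given in the comment; 0x02 is a placeholder. */
static const uint8_t dev_desc[18] = {
    0x12, 0x01,             /* bLength = 18, bDescriptorType = DEVICE */
    0x00, 0x00,             /* bcdUSB = 0x0000 (no such spec revision) */
    0xe4, 0x2d, 0xcb,       /* bDeviceClass, bDeviceSubClass, bDeviceProtocol */
    0x08,                   /* bMaxPacketSize0 = 8 */
    0xc2, 0x15,             /* idVendor = 0x15c2 (little-endian) */
    0x3d, 0x00,             /* idProduct = 0x003d */
    0x09, 0xc4,             /* bcdDevice = 0xc409 */
    0x01, 0x02, 0x03,       /* iManufacturer, iProduct (placeholder), iSerialNumber */
    0x01                    /* bNumConfigurations = 1 */
};

/* Constructed configuration bundle loosely modeled on Comments 7 and 8: one interface
 * claiming three endpoints, two sharing address 0x81 and the third with bLength 0. */
static const uint8_t cfg_blob[45] = {
    0x09, 0x02, 0x2d, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, /* config: wTotalLength 45, bmAttributes 0x00 */
    0x09, 0x04, 0x00, 0x00, 0x03, 0xff, 0x00, 0x00, 0x00, /* interface 0: bNumEndpoints = 3, vendor class */
    0x07, 0x05, 0x81, 0x02, 0x40, 0x00, 0x00,             /* endpoint 0x81 IN, bulk, 64-byte packets */
    0x07, 0x05, 0x81, 0x03, 0x08, 0x00, 0x01,             /* endpoint 0x81 again, now interrupt */
    0x00, 0x05, 0x02, 0x02, 0x40, 0x00, 0x00,             /* bLength = 0: a walker that trusts it never advances */
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00                    /* padding up to the advertised 45 bytes */
};

/* Returns the number of problems found in a device descriptor (0 = sane). */
int check_device_descriptor(const uint8_t *d, size_t len)
{
    int problems = 0;
    if (len < 18 || d[0] != 18) return 1;   /* wrong size: no other field is trustworthy */
    if (d[1] != USB_DT_DEVICE) problems++;
    if (le16(d + 2) == 0x0000) problems++;  /* bcdUSB must name a spec revision */
    uint8_t mps = d[7];
    if (mps != 8 && mps != 16 && mps != 32 && mps != 64) problems++;
    if (d[17] == 0) problems++;             /* a device must offer at least one configuration */
    return problems;
}

/* What the configuration walk found. */
struct cfg_report {
    int descriptors;         /* well-formed descriptors visited */
    int truncated;           /* 1 if the walk stopped on a bad bLength or a short buffer */
    int endpoints;           /* endpoint descriptors seen */
    int duplicate_endpoints; /* endpoint addresses seen more than once */
    int bad_attributes;      /* 1 if bmAttributes bit 7 (reserved, must be set) is clear */
};

struct cfg_report walk_configuration(const uint8_t *buf, size_t len)
{
    struct cfg_report r = {0, 0, 0, 0, 0};
    uint32_t seen = 0;  /* bitmap of endpoint addresses: (addr & 0x0f) plus 16 for IN */
    if (len < 9 || buf[0] != 9 || buf[1] != USB_DT_CONFIG) { r.truncated = 1; return r; }
    size_t total = le16(buf + 2);
    if (total > len) total = len;           /* never trust wTotalLength beyond what was received */
    if (!(buf[7] & 0x80)) r.bad_attributes = 1;
    size_t off = 0;
    while (off < total) {
        size_t remaining = total - off;
        uint8_t blen = buf[off];
        /* The guard that prevents an endless loop: bLength < 2 or past the end would
         * otherwise leave off unchanged (or run off the buffer) on the next iteration. */
        if (remaining < 2 || blen < 2 || blen > remaining) { r.truncated = 1; break; }
        if (buf[off + 1] == USB_DT_ENDPOINT && blen >= 7) {
            uint8_t addr = buf[off + 2];
            unsigned bit = (addr & 0x0f) | ((addr & 0x80) ? 0x10 : 0);
            if (seen & (1u << bit)) r.duplicate_endpoints++;
            seen |= 1u << bit;
            r.endpoints++;
        }
        r.descriptors++;
        off += blen;
    }
    return r;
}

int main(void)
{
    struct cfg_report r = walk_configuration(cfg_blob, sizeof cfg_blob);
    printf("device descriptor problems: %d\n", check_device_descriptor(dev_desc, sizeof dev_desc));
    printf("config: %d descriptors, %d endpoints, %d duplicate, bad bmAttributes=%d, truncated=%d\n",
           r.descriptors, r.endpoints, r.duplicate_endpoints, r.bad_attributes, r.truncated);
    return 0;
}
```

On the constructed input the walk visits the configuration, the interface and the two endpoint descriptors, reports the shared address 0x81 and the cleared bmAttributes bit, and stops at the zero bLength instead of looping; the device descriptor check flags only bcdUSB.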