Bugzilla – Full Text Bug Listing
| Summary: | VUL-0: CVE-2022-48806: kernel: eeprom: ee1004: limit i2c reads to I2C_SMBUS_BLOCK_MAX | ||
|---|---|---|---|
| Product: | [Novell Products] SUSE Security Incidents | Reporter: | SMASH SMASH <smash_bz> |
| Component: | Incidents | Assignee: | Kernel Bugs <kernel-bugs> |
| Status: | NEW --- | QA Contact: | Security Team bot <security-team> |
| Severity: | Normal | ||
| Priority: | P3 - Medium | CC: | gianluca.gabrielli |
| Version: | unspecified | ||
| Target Milestone: | --- | ||
| Hardware: | Other | ||
| OS: | Other | ||
| URL: | https://smash.suse.de/issue/414219/ | ||
| Whiteboard: | |||
| Found By: | Security Response Team | Services Priority: | |
| Business Priority: | Blocker: | --- | |
| Marketing QA Status: | --- | IT Deployment: | --- |
Description
===========

In the Linux kernel, the following vulnerability has been resolved:

eeprom: ee1004: limit i2c reads to I2C_SMBUS_BLOCK_MAX

Commit effa453168a7 ("i2c: i801: Don't silently correct invalid transfer size") revealed that ee1004_eeprom_read() did not properly limit how many bytes to read at once.

In particular, i2c_smbus_read_i2c_block_data_or_emulated() takes the length to read as an u8. If count == 256 after taking into account the offset and page boundary, the cast to u8 overflows. And this is common when user space tries to read the entire EEPROM at once.

To fix it, limit each read to I2C_SMBUS_BLOCK_MAX (32) bytes, already the maximum length i2c_smbus_read_i2c_block_data_or_emulated() allows.

The Linux kernel CVE team has assigned CVE-2022-48806 to this issue.

Affected and fixed versions
===========================

Issue introduced in 5.4.174 with commit aca56c298e2a and fixed in 5.4.180 with commit 3937c35493ee
Issue introduced in 5.10.94 with commit 25714ad6bf5e and fixed in 5.10.101 with commit a37960df7eac
Issue introduced in 5.15.17 with commit be9313f755a7 and fixed in 5.15.24 with commit 9a5f471ae380
Issue introduced in 5.16.3 with commit 07d9beb6e3c2 and fixed in 5.16.10 with commit 9443ddeb3754
Issue introduced in 4.4.300 with commit 74650c34f930
Issue introduced in 4.9.298 with commit a126a8c3dd51
Issue introduced in 4.14.263 with commit 202d0e22fe51
Issue introduced in 4.19.226 with commit 7414af7bdad9

Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2022-48806 will be updated if fixes are backported, please check that for the most up to date information about this issue.

Affected files
==============

The file(s) affected by this issue are:

drivers/misc/eeprom/ee1004.c

Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits:

https://git.kernel.org/stable/c/3937c35493ee2847aaefcfa5460e94b7443eef49
https://git.kernel.org/stable/c/a37960df7eac3cc8094bd1ab84864e9e32c91345
https://git.kernel.org/stable/c/9a5f471ae380f9fcb9756d453c12ca1f8595a93c
https://git.kernel.org/stable/c/9443ddeb3754e9e382a396b50adc1961301713ce
https://git.kernel.org/stable/c/c0689e46be23160d925dca95dfc411f1a0462708

References:

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-48806
https://git.kernel.org/pub/scm/linux/security/vulns.git/plain/cve/published/2022/CVE-2022-48806.mbox
https://git.kernel.org/stable/c/3937c35493ee2847aaefcfa5460e94b7443eef49
https://git.kernel.org/stable/c/a37960df7eac3cc8094bd1ab84864e9e32c91345
https://git.kernel.org/stable/c/9a5f471ae380f9fcb9756d453c12ca1f8595a93c
https://git.kernel.org/stable/c/9443ddeb3754e9e382a396b50adc1961301713ce
https://git.kernel.org/stable/c/c0689e46be23160d925dca95dfc411f1a0462708
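
The u8 truncation described in the report, modelled in user-space C as an added example (this is not the driver's code). The helper names and the 256-byte page size are assumptions for illustration; only the u8 length parameter and I2C_SMBUS_BLOCK_MAX (32) come from the description.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define I2C_SMBUS_BLOCK_MAX 32   /* value stated in the description */
#define PAGE_SIZE_ASSUMED   256  /* assumption, taken from the count == 256 case */

/* Hypothetical stand-in for a callee whose length parameter is a u8. */
static uint8_t callee_sees_length(uint8_t length) { return length; }

/* Pre-fix model: only the page-boundary clamp, so count may stay at 256. */
static size_t clamp_unfixed(unsigned int offset, size_t count)
{
    if (offset + count > PAGE_SIZE_ASSUMED)
        count = PAGE_SIZE_ASSUMED - offset;
    return count;
}

/* Post-fix model: each read is also limited to I2C_SMBUS_BLOCK_MAX bytes. */
static size_t clamp_fixed(unsigned int offset, size_t count)
{
    if (count > I2C_SMBUS_BLOCK_MAX)
        count = I2C_SMBUS_BLOCK_MAX;
    if (offset + count > PAGE_SIZE_ASSUMED)
        count = PAGE_SIZE_ASSUMED - offset;
    return count;
}

/* Reads needed to cover `total` bytes; -1 (in this model) if the u8 cast
 * leaves a zero-length request and the loop could make no progress. */
static int reads_needed(size_t (*clamp)(unsigned int, size_t),
                        unsigned int offset, size_t total)
{
    int calls = 0;
    while (total > 0) {
        uint8_t len = callee_sees_length((uint8_t)clamp(offset, total));
        if (len == 0)
            return -1;
        offset += len; total -= len; calls++;
    }
    return calls;
}

int main(void)
{
    printf("unfixed, 256 bytes at offset 0: %d\n", reads_needed(clamp_unfixed, 0, 256));
    printf("fixed,   256 bytes at offset 0: %d\n", reads_needed(clamp_fixed, 0, 256));
    return 0;
}
```

Only a request that is still exactly 256 after the page-boundary clamp truncates to zero, which is the whole-EEPROM read from offset 0 that the description calls common.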