Bug 1227989 (CVE-2022-48836)

Summary: VUL-0: CVE-2022-48836: kernel: Input: aiptek - properly check endpoint type
Product: [Novell Products] SUSE Security Incidents Reporter: SMASH SMASH <smash_bz>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: NEW --- QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: gianluca.gabrielli, jkosina, miroslav.franc, tiwai
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/414254/
Whiteboard: CVSSv3.1:SUSE:CVE-2022-48836:5.5:(AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description SMASH SMASH 2024-07-17 07:38:02 UTC 
In the Linux kernel, the following vulnerability has been resolved:

Input: aiptek - properly check endpoint type

Syzbot reported warning in usb_submit_urb() which is caused by wrong
endpoint type. There was a check for the number of endpoints, but not
for the type of endpoint.

Fix it by replacing old desc.bNumEndpoints check with
usb_find_common_endpoints() helper for finding endpoints

Fail log:

usb 5-1: BOGUS urb xfer, pipe 1 != type 3
WARNING: CPU: 2 PID: 48 at drivers/usb/core/urb.c:502 usb_submit_urb+0xed2/0x18a0 drivers/usb/core/urb.c:502
Modules linked in:
CPU: 2 PID: 48 Comm: kworker/2:2 Not tainted 5.17.0-rc6-syzkaller-00226-g07ebd38a0da2 #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014
Workqueue: usb_hub_wq hub_event
...
Call Trace:
 <TASK>
 aiptek_open+0xd5/0x130 drivers/input/tablet/aiptek.c:830
 input_open_device+0x1bb/0x320 drivers/input/input.c:629
 kbd_connect+0xfe/0x160 drivers/tty/vt/keyboard.c:1593

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-48836
https://www.cve.org/CVERecord?id=CVE-2022-48836
https://git.kernel.org/stable/c/35069e654bcab567ff8b9f0e68e1caf82c15dcd7
https://git.kernel.org/stable/c/5600f6986628dde8881734090588474f54a540a8
https://git.kernel.org/stable/c/57277a8b5d881e02051ba9d7f6cb3f915c229821
https://git.kernel.org/stable/c/6de20111cd0bb7da9b2294073ba00c7d2a6c1c4f
https://git.kernel.org/stable/c/e732b0412f8c603d1e998f3bff41b5e7d5c3914c
https://git.kernel.org/stable/c/e762f57ff255af28236cd02ca9fc5c7e5a089d31
https://git.kernel.org/stable/c/f0d43d22d24182b94d7eb78a2bf6ae7e2b33204a
https://git.kernel.org/stable/c/fc8033a55e2796d21e370260a784ac9fbb8305a6
https://git.kernel.org/pub/scm/linux/security/vulns.git/plain/cve/published/2022/CVE-2022-48836.mbox
https://bugzilla.redhat.com/show_bug.cgi?id=2298177
Comment 2 Takashi Iwai 2024-07-19 08:21:54 UTC 
The fix backported to SLE12-SP3-TD branch.
Since SLE12-SP3-TD branch has no helper usb_find_common_endpoints(), it had to be implemented in a slightly different manner, though.