Bugzilla – Bug 1214030
VUL-0: CVE-2023-4010: kernel: malformed USB descriptor leads to infinite loop in usb_giveback_urb()
Last modified: 2024-05-21 14:21:18 UTC
CVE-2023-4010 The usb_giveback_urb function in the linux kernel has a logic loophole in its implementation. Due to the inappropriate judgment condition of the goto statement, the function cannot return under the input of a specific malformed descriptor file, and it falls into an endless loop and occupies CPU resources, resulting in a denial of service attack.
Reference: https://github.com/wanrenmi/a-usb-kernel-bug

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-4010
https://bugzilla.redhat.com/show_bug.cgi?id=2227726
https://www.cve.org/CVERecord?id=CVE-2023-4010
https://access.redhat.com/security/cve/CVE-2023-4010
https://github.com/wanrenmi/a-usb-kernel-bug
Gentle ping. Is there any news about the fix, please?
Oliver, this security bug has been untouched for almost 6 months. Can you please have a look?
For the record: The device descriptor decodes to:
bLength 0x12 (correct)
bDescriptorType 0x01 (correct)
bcdUSB 0x0000 (incorrect)
bDeviceClass 0xe4
bDeviceSubClass 0x2d
bDeviceProtocol 0xcb
bMaxPacketSize0 0x08
idVendor 0x15c2
idProduct 0x003d
bcdDevice 0xc409
iManufacturer 01
iSerialNumber 03
iNumConfigurations 01

configuration descriptor:
bLength 0x09
bDescriptorType 0x02 (correct)
wTotalLength 0x002d
bNumInterfaces 0x01
bConfigurationValue 0x00
iConfiguration 0x00
bmAttributes 0x00 (this is not good)
bMaxPower 0x00

So far some serious oddities, but survivable.
Then we have an interface descriptor that claims to have three endpoints and there we arrive at the culprit. All of them are malformed and two of them are for the same endpoint.
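As an added illustration (not code from the bug report or from the kernel), the following sanity checks run over the device and configuration descriptor bytes decoded in the comments above and over a constructed endpoint-address list of the kind described in the last comment. It assumes iProduct, which the decode above does not list, is 0, and the three endpoint addresses are constructed, since the report does not give them; the checks flag exactly the fields the comment calls out (bcdUSB 0x0000, bConfigurationValue 0, bmAttributes without the reserved bit 7) plus the duplicate endpoint.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Problem bits returned by the two descriptor checks. */
enum { DEV_BAD_LEN = 1, DEV_BAD_TYPE = 2, DEV_BAD_BCDUSB = 4, DEV_BAD_MPS0 = 8 };
enum { CFG_BAD_LEN = 1, CFG_BAD_TYPE = 2, CFG_BAD_ATTR = 4, CFG_BAD_VALUE = 8, CFG_BAD_TOTAL = 16 };

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Checks an 18-byte USB device descriptor; returns 0 if nothing looks wrong. */
unsigned check_device_desc(const uint8_t *d, size_t n)
{
    unsigned flags = 0;
    if (n < 18 || d[0] != 18) return DEV_BAD_LEN;   /* bLength must be 0x12 */
    if (d[1] != 0x01) flags |= DEV_BAD_TYPE;        /* bDescriptorType must be DEVICE */
    if (le16(d + 2) == 0) flags |= DEV_BAD_BCDUSB;  /* bcdUSB 0x0000 names no USB version */
    uint8_t mps = d[7];                             /* bMaxPacketSize0: 8/16/32/64, or 9 (2^9) for SuperSpeed */
    if (mps != 8 && mps != 16 && mps != 32 && mps != 64 && mps != 9) flags |= DEV_BAD_MPS0;
    return flags;
}

/* Checks the 9-byte configuration descriptor header; returns 0 if nothing looks wrong. */
unsigned check_config_desc(const uint8_t *c, size_t n)
{
    unsigned flags = 0;
    if (n < 9 || c[0] != 9) return CFG_BAD_LEN;
    if (c[1] != 0x02) flags |= CFG_BAD_TYPE;       /* bDescriptorType must be CONFIGURATION */
    if (le16(c + 2) < 9) flags |= CFG_BAD_TOTAL;   /* wTotalLength cannot be shorter than the header */
    if (c[5] == 0) flags |= CFG_BAD_VALUE;         /* bConfigurationValue 0 means "not configured" */
    if (!(c[7] & 0x80)) flags |= CFG_BAD_ATTR;     /* bmAttributes bit 7 is reserved and must be 1 */
    return flags;
}

/* Returns 1 if no endpoint address (number + direction bit) repeats within one interface. */
int endpoints_unique(const uint8_t *ep_addrs, size_t n)
{
    uint32_t seen = 0;
    for (size_t i = 0; i < n; i++) {
        uint32_t bit = 1u << ((ep_addrs[i] & 0x0f) | ((ep_addrs[i] & 0x80) >> 3));
        if (seen & bit) return 0;
        seen |= bit;
    }
    return 1;
}

/* Bytes from the decode in the comment above; iProduct (offset 15) is not given there, 0 assumed. */
const uint8_t bug_dev_desc[18] = {0x12,0x01,0x00,0x00,0xe4,0x2d,0xcb,0x08,0xc2,0x15,0x3d,0x00,0x09,0xc4,0x01,0x00,0x03,0x01};
const uint8_t bug_cfg_desc[9]  = {0x09,0x02,0x2d,0x00,0x01,0x00,0x00,0x00,0x00};
/* Constructed example: three endpoints, two of them for the same endpoint (0x81, IN 1). */
const uint8_t dup_ep_addrs[3]  = {0x81, 0x02, 0x81};

int main(void)
{
    printf("device flags 0x%x, config flags 0x%x, endpoints unique: %d\n",
           check_device_desc(bug_dev_desc, 18), check_config_desc(bug_cfg_desc, 9),
           endpoints_unique(dup_ep_addrs, 3));
    return 0;
}
```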