CVE-2023-4010
usb: hcd: malformed USB descriptor leads to infinite loop in usb_giveback_urb()
References
Notes
bwh> The description on GitHub talks about an incorrect goto, which
bwh> seems to match the bug fixed by commit 26c6c2f8a907 "USB: HCD:
bwh> Fix URB giveback issue in tasklet function", but since that was
bwh> applied in version 6.0 and the issue is said to affect 6.3.7 I
bwh> think the reporter may have confused two different issues.
bwh>
bwh> The specific USB descriptors shown there match the module device
bwh> table for the imon driver, but include only 1 interface whereas a
bwh> real device should have 2. A bug in imon relating to such invalid
bwh> descriptors was fixed by commit a1766a4fd83b "media: imon: fix
bwh> access to invalid resource for the second interface" but I don't
bwh> think it applies here as the single interface is numbered 0.
bwh>
bwh> So far as I can see, all that is being demonstrated here is that
bwh> a rogue USB device can cause a high rate of interrupts and in
bwh> some cases a high rate of serial logging. I don't think this is
bwh> particularly interesting or needs to be fixed.
Bugs
Status
| Branch | Status |
| --- | --- |
| upstream | |
| 6.18-upstream-stable | |
| 6.17-upstream-stable | |
| 6.12-upstream-stable | |
| 6.6-upstream-stable | |
| 6.1-upstream-stable | |
| 5.10-upstream-stable | |
| 4.19-upstream-stable | |
| sid | |
| 6.12-trixie-security | |
| 6.1-bookworm-security | |
| 5.10-bullseye-security | |
| 4.19-buster-security | |