ghsa-w58q-m7pq-48p4
Vulnerability from github
In the Linux kernel, the following vulnerability has been resolved:
usb: isp1760: Fix out-of-bounds array access
Running the driver through kasan gives an interesting splat:
BUG: KASAN: global-out-of-bounds in isp1760_register+0x180/0x70c Read of size 20 at addr f1db2e64 by task swapper/0/1 (...) isp1760_register from isp1760_plat_probe+0x1d8/0x220 (...)
This happens because the loop reading the regmap fields for the different ISP1760 variants look like this:
for (i = 0; i < HC_FIELD_MAX; i++) { ... }
Meaning it expects the arrays to be at least HC_FIELD_MAX - 1 long.
However the arrays isp1760_hc_reg_fields[], isp1763_hc_reg_fields[], isp1763_hc_volatile_ranges[] and isp1763_dc_volatile_ranges[] are dynamically sized during compilation.
Fix this by putting an empty assignment to the [HC_FIELD_MAX] and [DC_FIELD_MAX] array member at the end of each array. This will make the array one member longer than it needs to be, but avoids the risk of overwriting whatever is inside [HC_FIELD_MAX - 1] and is simple and intuitive to read. Also add comments explaining what is going on.
{
"affected": [],
"aliases": [
"CVE-2022-49551"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-26T07:01:30Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: isp1760: Fix out-of-bounds array access\n\nRunning the driver through kasan gives an interesting splat:\n\n BUG: KASAN: global-out-of-bounds in isp1760_register+0x180/0x70c\n Read of size 20 at addr f1db2e64 by task swapper/0/1\n (...)\n isp1760_register from isp1760_plat_probe+0x1d8/0x220\n (...)\n\nThis happens because the loop reading the regmap fields for the\ndifferent ISP1760 variants look like this:\n\n for (i = 0; i \u003c HC_FIELD_MAX; i++) { ... }\n\nMeaning it expects the arrays to be at least HC_FIELD_MAX - 1 long.\n\nHowever the arrays isp1760_hc_reg_fields[], isp1763_hc_reg_fields[],\nisp1763_hc_volatile_ranges[] and isp1763_dc_volatile_ranges[] are\ndynamically sized during compilation.\n\nFix this by putting an empty assignment to the [HC_FIELD_MAX]\nand [DC_FIELD_MAX] array member at the end of each array.\nThis will make the array one member longer than it needs to be,\nbut avoids the risk of overwriting whatever is inside\n[HC_FIELD_MAX - 1] and is simple and intuitive to read. Also\nadd comments explaining what is going on.",
"id": "GHSA-w58q-m7pq-48p4",
"modified": "2025-03-10T21:31:09Z",
"published": "2025-03-10T21:31:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49551"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/26ae2c942b5702f2e43d36b2a4389cfb7d616b6a"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/463bddd3ff1acf4036ddb80c34a715eb99debf46"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/47d39cb57e8669e507d17d9e0d067d2b3e3a87ae"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/bf2558bbdce3ab1d6bcba09f354914e4515d0a2b"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"type": "CVSS_V3"
}
]
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.