ghsa-w58q-m7pq-48p4
Vulnerability from github
Published
2025-03-10 21:31
Modified
2025-03-10 21:31
Details

In the Linux kernel, the following vulnerability has been resolved:

usb: isp1760: Fix out-of-bounds array access

Running the driver through kasan gives an interesting splat:

BUG: KASAN: global-out-of-bounds in isp1760_register+0x180/0x70c Read of size 20 at addr f1db2e64 by task swapper/0/1 (...) isp1760_register from isp1760_plat_probe+0x1d8/0x220 (...)

This happens because the loop reading the regmap fields for the different ISP1760 variants look like this:

for (i = 0; i < HC_FIELD_MAX; i++) { ... }

Meaning it expects the arrays to be at least HC_FIELD_MAX - 1 long.

However the arrays isp1760_hc_reg_fields[], isp1763_hc_reg_fields[], isp1763_hc_volatile_ranges[] and isp1763_dc_volatile_ranges[] are dynamically sized during compilation.

Fix this by putting an empty assignment to the [HC_FIELD_MAX] and [DC_FIELD_MAX] array member at the end of each array. This will make the array one member longer than it needs to be, but avoids the risk of overwriting whatever is inside [HC_FIELD_MAX - 1] and is simple and intuitive to read. Also add comments explaining what is going on.

Show details on source website


{
  "affected": [],
  "aliases": [
    "CVE-2022-49551"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-125"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-26T07:01:30Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: isp1760: Fix out-of-bounds array access\n\nRunning the driver through kasan gives an interesting splat:\n\n  BUG: KASAN: global-out-of-bounds in isp1760_register+0x180/0x70c\n  Read of size 20 at addr f1db2e64 by task swapper/0/1\n  (...)\n  isp1760_register from isp1760_plat_probe+0x1d8/0x220\n  (...)\n\nThis happens because the loop reading the regmap fields for the\ndifferent ISP1760 variants look like this:\n\n  for (i = 0; i \u003c HC_FIELD_MAX; i++) { ... }\n\nMeaning it expects the arrays to be at least HC_FIELD_MAX - 1 long.\n\nHowever the arrays isp1760_hc_reg_fields[], isp1763_hc_reg_fields[],\nisp1763_hc_volatile_ranges[] and isp1763_dc_volatile_ranges[] are\ndynamically sized during compilation.\n\nFix this by putting an empty assignment to the [HC_FIELD_MAX]\nand [DC_FIELD_MAX] array member at the end of each array.\nThis will make the array one member longer than it needs to be,\nbut avoids the risk of overwriting whatever is inside\n[HC_FIELD_MAX - 1] and is simple and intuitive to read. Also\nadd comments explaining what is going on.",
  "id": "GHSA-w58q-m7pq-48p4",
  "modified": "2025-03-10T21:31:09Z",
  "published": "2025-03-10T21:31:09Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49551"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/26ae2c942b5702f2e43d36b2a4389cfb7d616b6a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/463bddd3ff1acf4036ddb80c34a715eb99debf46"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/47d39cb57e8669e507d17d9e0d067d2b3e3a87ae"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/bf2558bbdce3ab1d6bcba09f354914e4515d0a2b"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.


Loading…