fkie_cve-2024-36895
Vulnerability from fkie_nvd
Published
2024-05-30 16:15
Modified
2024-11-21 09:22
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: usb: gadget: uvc: use correct buffer size when parsing configfs lists This commit fixes uvc gadget support on 32-bit platforms. Commit 0df28607c5cb ("usb: gadget: uvc: Generalise helper functions for reuse") introduced a helper function __uvcg_iter_item_entries() to aid with parsing lists of items on configfs attributes stores. This function is a generalization of another very similar function, which used a stack-allocated temporary buffer of fixed size for each item in the list and used the sizeof() operator to check for potential buffer overruns. The new function was changed to allocate the now variably sized temp buffer on heap, but wasn't properly updated to also check for max buffer size using the computed size instead of sizeof() operator. As a result, the maximum item size was 7 (plus null terminator) on 64-bit platforms, and 3 on 32-bit ones. While 7 is accidentally just barely enough, 3 is definitely too small for some of UVC configfs attributes. For example, dwFrameInteval, specified in 100ns units, usually has 6-digit item values, e.g. 166666 for 60fps.
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/650ae71c80749fc7cb8858c8049f532eaec64410
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/7a54e5052bde582fd0e7677334fe7a5be92e242c
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/a422089ce42ced73713e5032aad29a9a7cbe9528
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/650ae71c80749fc7cb8858c8049f532eaec64410
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/7a54e5052bde582fd0e7677334fe7a5be92e242c
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/a422089ce42ced73713e5032aad29a9a7cbe9528
Impacted products
Vendor Product Version


To clipboard 

{
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: uvc: use correct buffer size when parsing configfs lists\n\nThis commit fixes uvc gadget support on 32-bit platforms.\n\nCommit 0df28607c5cb (\"usb: gadget: uvc: Generalise helper functions for\nreuse\") introduced a helper function __uvcg_iter_item_entries() to aid\nwith parsing lists of items on configfs attributes stores. This function\nis a generalization of another very similar function, which used a\nstack-allocated temporary buffer of fixed size for each item in the list\nand used the sizeof() operator to check for potential buffer overruns.\nThe new function was changed to allocate the now variably sized temp\nbuffer on heap, but wasn't properly updated to also check for max buffer\nsize using the computed size instead of sizeof() operator.\n\nAs a result, the maximum item size was 7 (plus null terminator) on\n64-bit platforms, and 3 on 32-bit ones. While 7 is accidentally just\nbarely enough, 3 is definitely too small for some of UVC configfs\nattributes. For example, dwFrameInteval, specified in 100ns units,\nusually has 6-digit item values, e.g. 166666 for 60fps.",
      },
      {
         lang: "es",
         value: "En el kernel de Linux, se resolvió la siguiente vulnerabilidad: usb: gadget: uvc: use el tamaño de búfer correcto al analizar listas de configfs. Este commit corrige la compatibilidad con gadgets uvc en plataformas de 32 bits. El commit 0df28607c5cb (\"usb: gadget: uvc: Generalizar funciones auxiliares para su reutilización\") introdujo una función auxiliar __uvcg_iter_item_entries() para ayudar con el análisis de listas de elementos en las tiendas de atributos de configfs. Esta función es una generalización de otra función muy similar, que utilizaba un búfer temporal de tamaño fijo asignado por la pila para cada elemento de la lista y utilizaba el operador sizeof() para comprobar posibles desbordamientos del búfer. La nueva función se cambió para asignar el búfer temporal ahora de tamaño variable en el montón, pero no se actualizó correctamente para verificar también el tamaño máximo del búfer usando el tamaño calculado en lugar del operador sizeof(). Como resultado, el tamaño máximo de elemento fue 7 (más terminador nulo) en plataformas de 64 bits y 3 en plataformas de 32 bits. Si bien 7 accidentalmente es apenas suficiente, 3 es definitivamente demasiado pequeño para algunos de los atributos de configuración de UVC. Por ejemplo, dwFrameInteval, especificado en unidades de 100 ns, normalmente tiene valores de elementos de 6 dígitos, por ejemplo, 166666 para 60 fps.",
      },
   ],
   id: "CVE-2024-36895",
   lastModified: "2024-11-21T09:22:45.450",
   metrics: {},
   published: "2024-05-30T16:15:12.937",
   references: [
      {
         source: "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
         url: "https://git.kernel.org/stable/c/650ae71c80749fc7cb8858c8049f532eaec64410",
      },
      {
         source: "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
         url: "https://git.kernel.org/stable/c/7a54e5052bde582fd0e7677334fe7a5be92e242c",
      },
      {
         source: "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
         url: "https://git.kernel.org/stable/c/a422089ce42ced73713e5032aad29a9a7cbe9528",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://git.kernel.org/stable/c/650ae71c80749fc7cb8858c8049f532eaec64410",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://git.kernel.org/stable/c/7a54e5052bde582fd0e7677334fe7a5be92e242c",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://git.kernel.org/stable/c/a422089ce42ced73713e5032aad29a9a7cbe9528",
      },
   ],
   sourceIdentifier: "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
   vulnStatus: "Awaiting Analysis",
}


Log in or create an account to share your comment.

Security Advisory comment format.

This schema specifies the format of a comment related to a security advisory.

UUIDv4 of the comment
UUIDv4 of the Vulnerability-Lookup instance
When the comment was created originally
When the comment was last updated
Title of the comment
Description of the comment
The identifier of the vulnerability (CVE ID, GHSA-ID, PYSEC ID, etc.).



Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.