A vulnerability in the Linux kernel, tracked as CVE-2021-46906, has recently been identified and resolved. An error in the report length calculation causes an information leak in the hid_submit_ctrl() function. The vulnerability affects the Human Interface Device (HID) implementation in the Linux kernel and was discovered using the syzkaller fuzzer. This post outlines the exploit details, vulnerability analysis, and links to the original references.
Exploit Details
When running a syzkaller reproducer, a report with a size equal to 0 causes the hid_submit_ctrl() function to calculate the transfer_buffer_length as 16384. When the URB (USB Request Block) is passed to the USB core layer, KMSAN (Kernel Memory Sanitizer) reports an information leak of 16384 bytes.
To successfully resolve this vulnerability, we must first modify the hid_report_len() function to account for the zero report size case by using the DIV_ROUND_UP macro for the division. Next, we must call this function from hid_submit_ctrl().
The following code snippet demonstrates the changes that have been implemented to fix the vulnerability:
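static unsigned hid_report_len(const struct hid_report *report)
{
    /* Bytes needed for report->size bits (0 bits -> 0 bytes),
     * plus one byte when the report carries a non-zero report ID. */
    return DIV_ROUND_UP(report->size, 8) + (report->id > 0);
}

int hid_submit_ctrl(struct hid_device *hid)
{
    ...
    /* The length now comes from hid_report_len(). */
    int len = hid_report_len(report);
    if (len > ) {
        ...
    }
    ...
}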
By accounting for the zero report size case using the DIV_ROUND_UP macro, the vulnerability CVE-2021-46906 has been addressed and the information leak is fixed.
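The arithmetic behind the 16384-byte transfer, as an added example (not code from the kernel or from the original post). It models only the bits-to-bytes rounding step; the shift-based pre-fix expression, the packet padding and clamp step, the 64-byte packet size and the 16384-byte buffer size are assumptions chosen to match the behaviour described above.

```c
#include <stdio.h>

#define DIV_ROUND_UP(n, d) (((n) + (d) - 1) / (d))

/* Constructed sample values (assumptions, not taken from a real device). */
#define SAMPLE_MAXPACKET 64u
#define SAMPLE_BUFSIZE   16384u

/* Assumed pre-fix shape: shift-based round-up of bits to bytes.
 * With size_bits == 0 the unsigned subtraction wraps to UINT_MAX. */
static unsigned int len_shift(unsigned int size_bits)
{
    return ((size_bits - 1) >> 3) + 1;
}

/* Round-up division as used by the fix: 0 bits -> 0 bytes. */
static unsigned int len_div(unsigned int size_bits)
{
    return DIV_ROUND_UP(size_bits, 8);
}

/* Assumed model of the transfer-length step: round the length up to a
 * whole number of packets, then clamp it to the preallocated buffer. */
static unsigned int padded_len(unsigned int len, unsigned int maxpacket,
                               unsigned int bufsize)
{
    unsigned int packets;

    if (maxpacket == 0)
        return 0;
    /* Overflow-safe ceiling division, needed for the wrapped length. */
    packets = len / maxpacket + (len % maxpacket != 0);
    if (packets > bufsize / maxpacket)
        return bufsize;
    return packets * maxpacket;
}

int main(void)
{
    const unsigned int sizes[] = { 0, 1, 8, 9, 64 };  /* report sizes in bits */
    for (unsigned int i = 0; i < sizeof(sizes) / sizeof(sizes[0]); i++) {
        unsigned int a = len_shift(sizes[i]), b = len_div(sizes[i]);
        printf("size=%2u bits  shift: len=%u xfer=%u  div: len=%u xfer=%u\n",
               sizes[i], a, padded_len(a, SAMPLE_MAXPACKET, SAMPLE_BUFSIZE),
               b, padded_len(b, SAMPLE_MAXPACKET, SAMPLE_BUFSIZE));
    }
    return 0;
}
```

Only the zero-size row differs: the wrapped length is clamped to the full buffer, so the whole buffer is requested for a report that carries no data, while the round-up division requests nothing.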
The original patch submission for fixing this vulnerability can be found here
The official CVE entry can be found here
The Linux kernel source code can be found here
Conclusion
The discovery and resolution of this vulnerability, CVE-2021-46906, highlights the importance of using tools such as syzkaller for identifying potential weaknesses in software, especially in widely-used projects like the Linux kernel. By proactively addressing these vulnerabilities, we can provide better security for users and maintain the integrity of the systems they rely on.
Timeline
Published on: 02/26/2024 18:15:07 UTC
Last modified on: 04/17/2024 17:28:34 UTC