CVE-2024-36895

Commit 0df28607c5cb ("usb: gadget: uvc: Generalise helper functions for reuse") introduced a helper function _uvcgiteritementries() to aid with parsing lists of items on configfs attributes stores. This function is a generalization of another very similar function, which used a stack-allocated temporary buffer of fixed size for each item in the list and used the sizeof() operator to check for potential buffer overruns. The new function was changed to allocate the now variably sized temp buffer on heap, but wasn't properly updated to also check for max buffer size using the computed size instead of sizeof() operator.

As a result, the maximum item size was 7 (plus null terminator) on 64-bit platforms, and 3 on 32-bit ones. While 7 is accidentally just barely enough, 3 is definitely too small for some of UVC configfs attributes. For example, dwFrameInteval, specified in 100ns units, usually has 6-digit item values, e.g. 166666 for 60fps.

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

0df28607c5cb4fe60bba591e9858a8f7ba39aa4a

Fixed

7a54e5052bde582fd0e7677334fe7a5be92e242c

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

0df28607c5cb4fe60bba591e9858a8f7ba39aa4a

Fixed

a422089ce42ced73713e5032aad29a9a7cbe9528

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

0df28607c5cb4fe60bba591e9858a8f7ba39aa4a

Fixed

650ae71c80749fc7cb8858c8049f532eaec64410

Affected versions

v6.*

v6.2

v6.2-rc8

v6.3

v6.3-rc1

v6.3-rc2

v6.3-rc3

v6.3-rc4

v6.3-rc5

v6.3-rc6

v6.3-rc7

v6.4

v6.4-rc1

v6.4-rc2

v6.4-rc3

v6.4-rc4

v6.4-rc5

v6.4-rc6

v6.4-rc7

v6.5

v6.5-rc1

v6.5-rc2

v6.5-rc3

v6.5-rc4

v6.5-rc5

v6.5-rc6

v6.5-rc7

v6.6

v6.6-rc1

v6.6-rc2

v6.6-rc3

v6.6-rc4

v6.6-rc5

v6.6-rc6

v6.6-rc7

v6.6.1

v6.6.10

v6.6.11

v6.6.12

v6.6.13

v6.6.14

v6.6.15

v6.6.16

v6.6.17

v6.6.18

v6.6.19

v6.6.2

v6.6.20

v6.6.21

v6.6.22

v6.6.23

v6.6.24

v6.6.25

v6.6.26

v6.6.27

v6.6.28

v6.6.29

v6.6.3

v6.6.30

v6.6.4

v6.6.5

v6.6.6

v6.6.7

v6.6.8

v6.6.9

v6.7

v6.7-rc1

v6.7-rc2

v6.7-rc3

v6.7-rc4

v6.7-rc5

v6.7-rc6

v6.7-rc7

v6.7-rc8

v6.8

v6.8-rc1

v6.8-rc2

v6.8-rc3

v6.8-rc4

v6.8-rc5

v6.8-rc6

v6.8-rc7

v6.8.1

v6.8.2

v6.8.3

v6.8.4

v6.8.5

v6.8.6

v6.8.7

v6.8.8

v6.8.9

v6.9-rc1

v6.9-rc2

v6.9-rc3

v6.9-rc4

v6.9-rc5

Database specific

{
    "vanir_signatures": [
        {
            "target": {
                "file": "drivers/usb/gadget/function/uvc_configfs.c"
            },
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "14314674508150698922977878989121207265",
                    "11464264422696513298594681080235107990",
                    "334477389966469761398077334165591149350",
                    "122352443654176500083353699236039591472",
                    "250981068461575274356779195297559511271",
                    "281751052981474494822703816909619510386",
                    "36803488730217229464133726300207345166"
                ]
            },
            "id": "CVE-2024-36895-475d001f",
            "deprecated": false,
            "signature_version": "v1",
            "signature_type": "Line",
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@650ae71c80749fc7cb8858c8049f532eaec64410"
        },
        {
            "target": {
                "file": "drivers/usb/gadget/function/uvc_configfs.c"
            },
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "14314674508150698922977878989121207265",
                    "11464264422696513298594681080235107990",
                    "334477389966469761398077334165591149350",
                    "122352443654176500083353699236039591472",
                    "250981068461575274356779195297559511271",
                    "281751052981474494822703816909619510386",
                    "36803488730217229464133726300207345166"
                ]
            },
            "id": "CVE-2024-36895-6a2fb585",
            "deprecated": false,
            "signature_version": "v1",
            "signature_type": "Line",
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@a422089ce42ced73713e5032aad29a9a7cbe9528"
        },
        {
            "target": {
                "file": "drivers/usb/gadget/function/uvc_configfs.c"
            },
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "14314674508150698922977878989121207265",
                    "11464264422696513298594681080235107990",
                    "334477389966469761398077334165591149350",
                    "122352443654176500083353699236039591472",
                    "250981068461575274356779195297559511271",
                    "281751052981474494822703816909619510386",
                    "36803488730217229464133726300207345166"
                ]
            },
            "id": "CVE-2024-36895-ffdadec9",
            "deprecated": false,
            "signature_version": "v1",
            "signature_type": "Line",
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@7a54e5052bde582fd0e7677334fe7a5be92e242c"
        }
    ]
}

Linux / Kernel

Package

Name: Kernel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

6.3.0

Fixed

6.6.31

Type: ECOSYSTEM
Events: Introduced

6.7.0

Fixed

6.8.10