In composite_setup of composite.c, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege when connecting a malicious USB device with no additional execution privileges needed. User interaction is not needed for exploitation.
{ "vanir_signatures": [ { "digest": { "length": 8670.0, "function_hash": "15411130885992590080241792335577292221" }, "id": "ASB-A-222023189-450738e9", "source": "https://android.googlesource.com/kernel/common/+/c7732dbce590e", "deprecated": false, "signature_version": "v1", "target": { "file": "drivers/usb/gadget/composite.c", "truncated_path_level": 1.0, "function": "composite_setup" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "8228047372824403445809389804182550337", "215290394054290689799362561037584581376", "50834800687003401478418564196561689514", "157624948906676408928048125434499571554" ] }, "id": "ASB-A-222023189-abae828f", "source": "https://android.googlesource.com/kernel/common/+/c7732dbce590e", "deprecated": false, "signature_version": "v1", "target": { "file": "drivers/usb/gadget/composite.c", "truncated_path_level": 1.0 }, "signature_type": "Line" }, { "digest": { "length": 8670.0, "function_hash": "15411130885992590080241792335577292221" }, "id": "ASB-A-222023189-be9112ba", "source": "https://android.googlesource.com/kernel/common/+/22ec100472854", "deprecated": false, "signature_version": "v1", "target": { "file": "drivers/usb/gadget/composite.c", "truncated_path_level": 1.0, "function": "composite_setup" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "8228047372824403445809389804182550337", "215290394054290689799362561037584581376", "50834800687003401478418564196561689514", "157624948906676408928048125434499571554" ] }, "id": "ASB-A-222023189-f59ba70b", "source": "https://android.googlesource.com/kernel/common/+/22ec100472854", "deprecated": false, "signature_version": "v1", "target": { "file": "drivers/usb/gadget/composite.c", "truncated_path_level": 1.0 }, "signature_type": "Line" } ], "fixes": [ "https://android.googlesource.com/kernel/common/+/22ec100472854", "https://android.googlesource.com/kernel/common/+/c7732dbce590e" ], "spl": "2022-06-05", "severity": "High", "types": [ "EoP" ] }