In rndissetresponse of rndis.c, there is a possible out of bounds write due to an integer overflow. This could lead to local escalation of privilege if a malicious USB device is attached with no additional execution privileges needed. User interaction is not needed for exploitation.
{ "vanir_signatures": [ { "digest": { "length": 1113.0, "function_hash": "324509543485242453198264164088682879174" }, "id": "ASB-A-239842288-03ac93ad", "source": "https://android.googlesource.com/kernel/common/+/0a21a3eb9fcea0609f3bc8bee1f796788e0a770e", "deprecated": false, "signature_version": "v1", "target": { "file": "drivers/usb/gadget/function/rndis.c", "function": "rndis_set_response" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "74610532842214861125328212539619698848", "219320814454438370276643923899985203310", "235029350871556551678875653730524412287", "220013837063397485624450100683511902294" ] }, "id": "ASB-A-239842288-1570ac21", "source": "https://android.googlesource.com/kernel/common/+/28bc0267399f4", "deprecated": false, "signature_version": "v1", "target": { "file": "drivers/usb/gadget/function/rndis.c" }, "signature_type": "Line" }, { "digest": { "length": 1113.0, "function_hash": "324509543485242453198264164088682879174" }, "id": "ASB-A-239842288-91ac53f0", "source": "https://android.googlesource.com/kernel/common/+/28bc0267399f4", "deprecated": false, "signature_version": "v1", "target": { "file": "drivers/usb/gadget/function/rndis.c", "function": "rndis_set_response" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "74610532842214861125328212539619698848", "219320814454438370276643923899985203310", "235029350871556551678875653730524412287", "220013837063397485624450100683511902294" ] }, "id": "ASB-A-239842288-e44fcac5", "source": "https://android.googlesource.com/kernel/common/+/0a21a3eb9fcea0609f3bc8bee1f796788e0a770e", "deprecated": false, "signature_version": "v1", "target": { "file": "drivers/usb/gadget/function/rndis.c" }, "signature_type": "Line" } ], "fixes": [ "https://android.googlesource.com/kernel/common/+/0a21a3eb9fcea0609f3bc8bee1f796788e0a770e", "https://android.googlesource.com/kernel/common/+/28bc0267399f4" ], "spl": "2022-10-05", "severity": "High", "types": [ "EoP" ] }