In rndissetresponse of rndis.c, there is a possible out of bounds write due to an integer overflow. This could lead to local escalation of privilege if a malicious USB device is attached with no additional execution privileges needed. User interaction is not needed for exploitation.
{ "fixes": [ "https://android.googlesource.com/kernel/common/+/0a21a3eb9fcea0609f3bc8bee1f796788e0a770e", "https://android.googlesource.com/kernel/common/+/28bc0267399f4" ], "types": [ "EoP" ], "vanir_signatures": [ { "signature_type": "Function", "signature_version": "v1", "source": "https://android.googlesource.com/kernel/common/+/0a21a3eb9fcea0609f3bc8bee1f796788e0a770e", "digest": { "length": 1113.0, "function_hash": "324509543485242453198264164088682879174" }, "deprecated": false, "target": { "function": "rndis_set_response", "file": "drivers/usb/gadget/function/rndis.c" }, "id": "ASB-A-239842288-03ac93ad" }, { "signature_type": "Line", "signature_version": "v1", "source": "https://android.googlesource.com/kernel/common/+/28bc0267399f4", "digest": { "line_hashes": [ "74610532842214861125328212539619698848", "219320814454438370276643923899985203310", "235029350871556551678875653730524412287", "220013837063397485624450100683511902294" ], "threshold": 0.9 }, "deprecated": false, "target": { "file": "drivers/usb/gadget/function/rndis.c" }, "id": "ASB-A-239842288-1570ac21" }, { "signature_type": "Function", "signature_version": "v1", "source": "https://android.googlesource.com/kernel/common/+/28bc0267399f4", "digest": { "length": 1113.0, "function_hash": "324509543485242453198264164088682879174" }, "deprecated": false, "target": { "function": "rndis_set_response", "file": "drivers/usb/gadget/function/rndis.c" }, "id": "ASB-A-239842288-91ac53f0" }, { "signature_type": "Line", "signature_version": "v1", "source": "https://android.googlesource.com/kernel/common/+/0a21a3eb9fcea0609f3bc8bee1f796788e0a770e", "digest": { "line_hashes": [ "74610532842214861125328212539619698848", "219320814454438370276643923899985203310", "235029350871556551678875653730524412287", "220013837063397485624450100683511902294" ], "threshold": 0.9 }, "deprecated": false, "target": { "file": "drivers/usb/gadget/function/rndis.c" }, "id": "ASB-A-239842288-e44fcac5" } ], "spl": "2022-10-05", "severity": "High" }