In the Linux kernel, the following vulnerability has been resolved:
usb: isp1760: Fix out-of-bounds array access
Running the driver under KASAN gives an interesting splat:
BUG: KASAN: global-out-of-bounds in isp1760_register+0x180/0x70c Read of size 20 at addr f1db2e64 by task swapper/0/1 (...) isp1760_register from isp1760_plat_probe+0x1d8/0x220 (...)
This happens because the loop that reads the regmap fields for the different ISP1760 variants looks like this:
for (i = 0; i < HC_FIELD_MAX; i++) { ... }
Meaning it expects each array to have a valid entry at index HC_FIELD_MAX - 1.
However, the arrays isp1760_hc_reg_fields[], isp1763_hc_reg_fields[], isp1763_hc_volatile_ranges[] and isp1763_dc_volatile_ranges[] are sized at compile time by their initializers, so they do not necessarily reach that index.
Fix this by putting an empty assignment to the [HC_FIELD_MAX] and [DC_FIELD_MAX] array member at the end of each array. This makes each array one member longer than it strictly needs to be, but it guarantees that index [HC_FIELD_MAX - 1] exists and is never read past the end of the array, and it is simple and intuitive to read. Also add comments explaining what is going on.
{ "vanir_signatures": [ { "signature_type": "Line", "target": { "file": "drivers/usb/isp1760/isp1760-core.c" }, "id": "CVE-2022-49551-0d71e4d6", "digest": { "threshold": 0.9, "line_hashes": [ "255735176414825416473623747472640879826", "184440605500813194508563708911013317414", "304401964947811544346590546875482271992", "79060638761703230406995065011063252860", "336891754829634562248098147260694523730", "316009955397626912751739126242738645566", "244126093069692888676299127120766022584", "165007604765271968592738681647853738570", "87816989412266569662381167602093196263", "150470355187384237860423185994855797921", "49462636665472294404702011825204606397", "312324537227312191583582178374186919815", "326348292616932237541769421236650290016", "215234347249280852549793653837887819846", "273380850073729882166219049939212787174", "4176958621120789921175213908142384996" ] }, "deprecated": false, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@463bddd3ff1acf4036ddb80c34a715eb99debf46", "signature_version": "v1" }, { "signature_type": "Line", "target": { "file": "drivers/usb/isp1760/isp1760-core.c" }, "id": "CVE-2022-49551-2c654362", "digest": { "threshold": 0.9, "line_hashes": [ "255735176414825416473623747472640879826", "184440605500813194508563708911013317414", "304401964947811544346590546875482271992", "79060638761703230406995065011063252860", "336891754829634562248098147260694523730", "316009955397626912751739126242738645566", "244126093069692888676299127120766022584", "165007604765271968592738681647853738570", "87816989412266569662381167602093196263", "150470355187384237860423185994855797921", "49462636665472294404702011825204606397", "312324537227312191583582178374186919815", "326348292616932237541769421236650290016", "215234347249280852549793653837887819846", "273380850073729882166219049939212787174", "4176958621120789921175213908142384996" ] }, "deprecated": false, "source": 
"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@26ae2c942b5702f2e43d36b2a4389cfb7d616b6a", "signature_version": "v1" }, { "signature_type": "Line", "target": { "file": "drivers/usb/isp1760/isp1760-core.c" }, "id": "CVE-2022-49551-61c4ec46", "digest": { "threshold": 0.9, "line_hashes": [ "255735176414825416473623747472640879826", "184440605500813194508563708911013317414", "304401964947811544346590546875482271992", "79060638761703230406995065011063252860", "336891754829634562248098147260694523730", "316009955397626912751739126242738645566", "244126093069692888676299127120766022584", "165007604765271968592738681647853738570", "87816989412266569662381167602093196263", "150470355187384237860423185994855797921", "49462636665472294404702011825204606397", "312324537227312191583582178374186919815", "326348292616932237541769421236650290016", "215234347249280852549793653837887819846", "273380850073729882166219049939212787174", "4176958621120789921175213908142384996" ] }, "deprecated": false, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@bf2558bbdce3ab1d6bcba09f354914e4515d0a2b", "signature_version": "v1" }, { "signature_type": "Line", "target": { "file": "drivers/usb/isp1760/isp1760-core.c" }, "id": "CVE-2022-49551-e45a690b", "digest": { "threshold": 0.9, "line_hashes": [ "255735176414825416473623747472640879826", "184440605500813194508563708911013317414", "304401964947811544346590546875482271992", "79060638761703230406995065011063252860", "336891754829634562248098147260694523730", "316009955397626912751739126242738645566", "244126093069692888676299127120766022584", "165007604765271968592738681647853738570", "87816989412266569662381167602093196263", "150470355187384237860423185994855797921", "49462636665472294404702011825204606397", "312324537227312191583582178374186919815", "326348292616932237541769421236650290016", "215234347249280852549793653837887819846", "273380850073729882166219049939212787174", 
"4176958621120789921175213908142384996" ] }, "deprecated": false, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@47d39cb57e8669e507d17d9e0d067d2b3e3a87ae", "signature_version": "v1" } ] }