CVE-2023-52528

Source
https://nvd.nist.gov/vuln/detail/CVE-2023-52528
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-52528.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-52528
Related
Published
2024-03-02T22:15:48Z
Modified
2024-09-11T05:02:07.212281Z
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

net: usb: smsc75xx: Fix uninit-value access in _smsc75xxread_reg

syzbot reported the following uninit-value access issue:

===================================================== BUG: KMSAN: uninit-value in smsc75xxwaitready drivers/net/usb/smsc75xx.c:975 [inline] BUG: KMSAN: uninit-value in smsc75xxbind+0x5c9/0x11e0 drivers/net/usb/smsc75xx.c:1482 CPU: 0 PID: 8696 Comm: kworker/0:3 Not tainted 5.8.0-rc5-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: usbhubwq hubevent Call Trace: _dumpstack lib/dumpstack.c:77 [inline] dumpstack+0x21c/0x280 lib/dumpstack.c:118 kmsanreport+0xf7/0x1e0 mm/kmsan/kmsanreport.c:121 _msanwarning+0x58/0xa0 mm/kmsan/kmsaninstr.c:215 smsc75xxwaitready drivers/net/usb/smsc75xx.c:975 [inline] smsc75xxbind+0x5c9/0x11e0 drivers/net/usb/smsc75xx.c:1482 usbnetprobe+0x1152/0x3f90 drivers/net/usb/usbnet.c:1737 usbprobeinterface+0xece/0x1550 drivers/usb/core/driver.c:374 reallyprobe+0xf20/0x20b0 drivers/base/dd.c:529 driverprobedevice+0x293/0x390 drivers/base/dd.c:701 _deviceattachdriver+0x63f/0x830 drivers/base/dd.c:807 busforeachdrv+0x2ca/0x3f0 drivers/base/bus.c:431 _deviceattach+0x4e2/0x7f0 drivers/base/dd.c:873 deviceinitialprobe+0x4a/0x60 drivers/base/dd.c:920 busprobedevice+0x177/0x3d0 drivers/base/bus.c:491 deviceadd+0x3b0e/0x40d0 drivers/base/core.c:2680 usbsetconfiguration+0x380f/0x3f10 drivers/usb/core/message.c:2032 usbgenericdriverprobe+0x138/0x300 drivers/usb/core/generic.c:241 usbprobedevice+0x311/0x490 drivers/usb/core/driver.c:272 reallyprobe+0xf20/0x20b0 drivers/base/dd.c:529 driverprobedevice+0x293/0x390 drivers/base/dd.c:701 _deviceattachdriver+0x63f/0x830 drivers/base/dd.c:807 busforeachdrv+0x2ca/0x3f0 drivers/base/bus.c:431 _deviceattach+0x4e2/0x7f0 drivers/base/dd.c:873 deviceinitialprobe+0x4a/0x60 drivers/base/dd.c:920 busprobedevice+0x177/0x3d0 drivers/base/bus.c:491 deviceadd+0x3b0e/0x40d0 drivers/base/core.c:2680 usbnewdevice+0x1bd4/0x2a30 drivers/usb/core/hub.c:2554 hubportconnect drivers/usb/core/hub.c:5208 [inline] hubportconnectchange drivers/usb/core/hub.c:5348 [inline] portevent drivers/usb/core/hub.c:5494 [inline] hubevent+0x5e7b/0x8a70 drivers/usb/core/hub.c:5576 processonework+0x1688/0x2140 kernel/workqueue.c:2269 workerthread+0x10bc/0x2730 kernel/workqueue.c:2415 kthread+0x551/0x590 kernel/kthread.c:292 retfromfork+0x1f/0x30 arch/x86/entry/entry64.S:293

Local variable ----buf.i87@smsc75xxbind created at: _smsc75xxreadreg drivers/net/usb/smsc75xx.c:83 [inline] smsc75xxwaitready drivers/net/usb/smsc75xx.c:968 [inline] smsc75xxbind+0x485/0x11e0 drivers/net/usb/smsc75xx.c:1482 _smsc75xxreadreg drivers/net/usb/smsc75xx.c:83 [inline] smsc75xxwaitready drivers/net/usb/smsc75xx.c:968 [inline] smsc75xx_bind+0x485/0x11e0 drivers/net/usb/smsc75xx.c:1482

This issue is caused because usbnetreadcmd() reads less bytes than requested (zero byte in the reproducer). In this case, 'buf' is not properly filled.

This patch fixes the issue by returning -ENODATA if usbnetreadcmd() reads less bytes than requested.

References

Affected packages

Debian:11 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.10.205-1

Affected versions

5.*

5.10.46-4
5.10.46-5
5.10.70-1~bpo10+1
5.10.70-1
5.10.84-1
5.10.92-1~bpo10+1
5.10.92-1
5.10.92-2
5.10.103-1~bpo10+1
5.10.103-1
5.10.106-1
5.10.113-1
5.10.120-1~bpo10+1
5.10.120-1
5.10.127-1
5.10.127-2~bpo10+1
5.10.127-2
5.10.136-1
5.10.140-1
5.10.148-1
5.10.149-1
5.10.149-2
5.10.158-1
5.10.158-2
5.10.162-1
5.10.178-1
5.10.178-2
5.10.178-3
5.10.179-1
5.10.179-2
5.10.179-3
5.10.179-4
5.10.179-5
5.10.191-1
5.10.197-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.1.64-1

Affected versions

6.*

6.1.27-1
6.1.37-1
6.1.38-1
6.1.38-2~bpo11+1
6.1.38-2
6.1.38-3
6.1.38-4~bpo11+1
6.1.38-4
6.1.52-1
6.1.55-1~bpo11+1
6.1.55-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.5.8-1

Affected versions

6.*

6.1.27-1
6.1.37-1
6.1.38-1
6.1.38-2~bpo11+1
6.1.38-2
6.1.38-3
6.1.38-4~bpo11+1
6.1.38-4
6.1.52-1
6.1.55-1~bpo11+1
6.1.55-1
6.1.64-1
6.1.66-1
6.1.67-1
6.1.69-1~bpo11+1
6.1.69-1
6.1.76-1~bpo11+1
6.1.76-1
6.1.82-1
6.1.85-1
6.1.90-1~bpo11+1
6.1.90-1
6.1.94-1~bpo11+1
6.1.94-1
6.1.98-1
6.1.99-1
6.1.106-1
6.1.106-2
6.1.106-3
6.3.1-1~exp1
6.3.2-1~exp1
6.3.4-1~exp1
6.3.5-1~exp1
6.3.7-1~bpo12+1
6.3.7-1
6.3.11-1
6.4~rc6-1~exp1
6.4~rc7-1~exp1
6.4.1-1~exp1
6.4.4-1~bpo12+1
6.4.4-1
6.4.4-2
6.4.4-3~bpo12+1
6.4.4-3
6.4.11-1
6.4.13-1
6.5~rc4-1~exp1
6.5~rc6-1~exp1
6.5~rc7-1~exp1
6.5.1-1~exp1
6.5.3-1~bpo12+1
6.5.3-1
6.5.6-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}