CVE-2023-52886

Source
https://nvd.nist.gov/vuln/detail/CVE-2023-52886
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-52886.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2023-52886
Downstream
Related
Published
2024-07-16T09:40:58.495Z
Modified
2025-11-27T02:32:20.665582Z
Summary
USB: core: Fix race by not overwriting udev->descriptor in hub_port_init()
Details

In the Linux kernel, the following vulnerability has been resolved:

USB: core: Fix race by not overwriting udev->descriptor in hub_port_init()

Syzbot reported an out-of-bounds read in sysfs.c:read_descriptors():

BUG: KASAN: slab-out-of-bounds in read_descriptors+0x263/0x280 drivers/usb/core/sysfs.c:883
Read of size 8 at addr ffff88801e78b8c8 by task udevd/5011

CPU: 0 PID: 5011 Comm: udevd Not tainted 6.4.0-rc6-syzkaller-00195-g40f71e7cd3c6 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xd9/0x150 lib/dump_stack.c:106
print_address_description.constprop.0+0x2c/0x3c0 mm/kasan/report.c:351
print_report mm/kasan/report.c:462 [inline]
kasan_report+0x11c/0x130 mm/kasan/report.c:572
read_descriptors+0x263/0x280 drivers/usb/core/sysfs.c:883
...
Allocated by task 758:
...
__do_kmalloc_node mm/slab_common.c:966 [inline]
__kmalloc+0x5e/0x190 mm/slab_common.c:979
kmalloc include/linux/slab.h:563 [inline]
kzalloc include/linux/slab.h:680 [inline]
usb_get_configuration+0x1f7/0x5170 drivers/usb/core/config.c:887
usb_enumerate_device drivers/usb/core/hub.c:2407 [inline]
usb_new_device+0x12b0/0x19d0 drivers/usb/core/hub.c:2545

As analyzed by Khazhy Kumykov, the cause of this bug is a race between read_descriptors() and hub_port_init(): The first routine uses a field in udev->descriptor, not expecting it to change, while the second overwrites it.

Prior to commit 45bf39f8df7f ("USB: core: Don't hold device lock while reading the "descriptors" sysfs file") this race couldn't occur, because the routines were mutually exclusive thanks to the device locking. Removing that locking from read_descriptors() exposed it to the race.

The best way to fix the bug is to keep hub_port_init() from changing udev->descriptor once udev has been initialized and registered. Drivers expect the descriptors stored in the kernel to be immutable; we should not undermine this expectation. In fact, this change should have been made long ago.

So now hub_port_init() will take an additional argument, specifying a buffer in which to store the device descriptor it reads. (If udev has not yet been initialized, the buffer pointer will be NULL and then hub_port_init() will store the device descriptor in udev as before.) This eliminates the data race responsible for the out-of-bounds read.

The changes to hub_port_init() appear more extensive than they really are, because of indentation changes resulting from an attempt to avoid writing to other parts of the usb_device structure after it has been initialized. Similar changes should be made to the code that reads the BOS descriptor, but that can be handled in a separate patch later on. This patch is sufficient to fix the bug found by syzbot.

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/blob/cc431b3424123d84bcd7afd4de150b33f117a8ef/cves/2023/52xxx/CVE-2023-52886.json"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
218925bfd5d1436e337c4f961e9c149fbe32de6d
Fixed
9d241c5d9a9b7ad95c90c6520272fe404d5ac88f
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
77358093331e9769855140bf94a3f00ecdcf4bb1
Fixed
7fe9d87996062f5eb0ca476ad0257f79bf43aaf5
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
c87fb861ec185fdc578b4fdc6a05920b6a843840
Fixed
8186596a663506b1124bede9fde6f243ef9f37ee
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
45bf39f8df7f05efb83b302c65ae3b9bc92b7065
Fixed
b4a074b1fb222164ed7d5c0b8c922dc4a0840848
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
45bf39f8df7f05efb83b302c65ae3b9bc92b7065
Fixed
b9fbfb349eacc0820f91c797d7f0a3ac7a4935b5
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
45bf39f8df7f05efb83b302c65ae3b9bc92b7065
Fixed
ff33299ec8bb80cdcc073ad9c506bd79bb2ed20b
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
6badaf880edf51a2da7a439699676394dfdef3e5
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
5f35b5d3bd6914c68f743741443dfd3a64b0e455
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
a1e89c8b29d003a20ed2dae6bdae1598d1f23e42
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
1bcb238c54a9c6dc4bded06b06ba7458a5eefa87

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 Unknown introduced version / All previous versions are affected
Fixed
5.10.195
Type
ECOSYSTEM
Events
Introduced
5.11.0
Fixed
5.15.132
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.1.53
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.4.16
Type
ECOSYSTEM
Events
Introduced
6.3.0
Fixed
6.5.3