CVE-2023-52477: usb: hub: Guard against accesses to uninitialized BOS descriptors
In the Linux kernel, the following vulnerability has been resolved:
usb: hub: Guard against accesses to uninitialized BOS descriptors
Many functions in drivers/usb/core/hub.c and drivers/usb/core/hub.h access fields inside udev->bos without checking if it was allocated and initialized. If usbgetbosdescriptor() fails for whatever reason, udev->bos will be NULL and those accesses will result in a crash:
BUG: kernel NULL pointer dereference, address: 0000000000000018 PGD 0 P4D 0 Oops: 0000 [#1] PREEMPT SMP NOPTI CPU: 5 PID: 17818 Comm: kworker/5:1 Tainted: G W 5.15.108-18910-gab0e1cb584e1 #1 <HASH:1f9e 1> Hardware name: Google Kindred/Kindred, BIOS GoogleKindred.12672.413.0 02/03/2021 Workqueue: usbhubwq hubevent RIP: 0010:hubportreset+0x193/0x788 Code: 89 f7 e8 20 f7 15 00 48 8b 43 08 80 b8 96 03 00 00 03 75 36 0f b7 88 92 03 00 00 81 f9 10 03 00 00 72 27 48 8b 80 a8 03 00 00 <48> 83 78 18 00 74 19 48 89 df 48 8b 75 b0 ba 02 00 00 00 4c 89 e9 RSP: 0018:ffffab740c53fcf8 EFLAGS: 00010246 RAX: 0000000000000000 RBX: ffffa1bc5f678000 RCX: 0000000000000310 RDX: fffffffffffffdff RSI: 0000000000000286 RDI: ffffa1be9655b840 RBP: ffffab740c53fd70 R08: 00001b7d5edaa20c R09: ffffffffb005e060 R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000 R13: ffffab740c53fd3e R14: 0000000000000032 R15: 0000000000000000 FS: 0000000000000000(0000) GS:ffffa1be96540000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000018 CR3: 000000022e80c005 CR4: 00000000003706e0 Call Trace: hubevent+0x73f/0x156e ? hubactivate+0x5b7/0x68f processonework+0x1a2/0x487 workerthread+0x11a/0x288 kthread+0x13a/0x152 ? processonework+0x487/0x487 ? kthreadassociateblkcg+0x70/0x70 retfromfork+0x1f/0x30
Fall back to a default behavior if the BOS descriptor isn't accessible and skip all the functionalities that depend on it: LPM support checks, Super Speed capabilitiy checks, U1/U2 states setup.
Other sources
In the Linux kernel, the following vulnerability has been resolved:
usb: hub: Guard against accesses to uninitialized BOS descriptors
The Linux kernel CVE team has assigned CVE-2023-52477 to this issue.
Upstream advisory: https://lore.kernel.org/linux-cve-announce/2024022921-CVE-2023-52477-6f20@gregkh/T/#u
— Red Hat
Linux Kernel is vulnerable to a denial of service, caused by a NULL pointer dereference flaw when usbgetbosdescriptor() fails. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service condition.
— IBM
Affected Software
Remediation
Event History
Frequently Asked Questions
What is the severity of CVE-2023-52477?
CVE-2023-52477 is classified as a high-severity vulnerability that affects the Linux kernel.
How do I fix CVE-2023-52477?
To fix CVE-2023-52477, you should update your Linux kernel to a version that is 4.14.328 or later, 4.19.297 or later, 5.4.259 or later, 5.10.199 or later, 5.15.136 or later, 6.1.59 or later, 6.5.8 or later, or 6.6 or later.
What kind of issues does CVE-2023-52477 cause?
CVE-2023-52477 can lead to potential memory corruption due to uninitialized BOS descriptors being accessed in USB hub drivers.
Which Linux kernel versions are affected by CVE-2023-52477?
CVE-2023-52477 affects Linux kernel versions prior to 4.14.328, between 4.15 and 4.19.297, between 4.20 and 5.4.259, between 5.5 and 5.10.199, between 5.11 and 5.15.136, between 5.16 and 6.1.59, between 6.2 and 6.5.8, and specific release candidates of 6.6.
Is CVE-2023-52477 a remote exploit?
CVE-2023-52477 can potentially be exploited remotely, especially against vulnerable USB devices connected to the affected Linux systems.