net: cdc_ncm: Deal with too low values of dwNtbOutMaxSize
Description
In the Linux kernel, the following vulnerability has been resolved:
net: cdc_ncm: Deal with too low values of dwNtbOutMaxSize
Currently in cdc_ncm_check_tx_max(), if dwNtbOutMaxSize is lower than the calculated "min" value, but greater than zero, the logic sets tx_max to dwNtbOutMaxSize. This is then used to allocate a new SKB in cdc_ncm_fill_tx_frame() where all the data is handled.
For small values of dwNtbOutMaxSize the memory allocated during alloc_skb(dwNtbOutMaxSize, GFP_ATOMIC) will have the same size, due to how size is aligned at alloc time: size = SKB_DATA_ALIGN(size); size += SKB_DATA_ALIGN(sizeof(struct skb_shared_info)); Thus we hit the same bug that we tried to squash with commit 2be6d4d16a084 ("net: cdc_ncm: Allow for dwNtbOutMaxSize to be unset or zero")
Low values of dwNtbOutMaxSize do not cause an issue presently because at alloc_skb() time more memory (512b) is allocated than required for the SKB headers alone (320b), leaving some space (512b - 320b = 192b) for CDC data (172b).
However, if more elements (for example 3 x u64 = [24b]) were added to one of the SKB header structs, say 'struct skb_shared_info', increasing its original size (320b [320b aligned]) to something larger (344b [384b aligned]), then suddenly the CDC data (172b) no longer fits in the spare SKB data area (512b - 384b = 128b).
Consequently the SKB bounds checking semantics fails and panics:
skbuff: skb_over_panic: text:ffffffff831f755b len:184 put:172 head:ffff88811f1c6c00 data:ffff88811f1c6c00 tail:0xb8 end:0x80 dev: ------------[ cut here ]------------ kernel BUG at net/core/skbuff.c:113! invalid opcode: 0000 [#1] PREEMPT SMP KASAN CPU: 0 PID: 57 Comm: kworker/0:2 Not tainted 5.15.106-syzkaller-00249-g19c0ed55a470 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 Workqueue: mld mld_ifc_work RIP: 0010:skb_panic net/core/skbuff.c:113 [inline] RIP: 0010:skb_over_panic+0x14c/0x150 net/core/skbuff.c:118 [snip] Call Trace:
skb_put+0x151/0x210 net/core/skbuff.c:2047 skb_put_zero include/linux/skbuff.h:2422 [inline] cdc_ncm_ndp16 drivers/net/usb/cdc_ncm.c:1131 [inline] cdc_ncm_fill_tx_frame+0x11ab/0x3da0 drivers/net/usb/cdc_ncm.c:1308 cdc_ncm_tx_fixup+0xa3/0x100
Deal with too low values of dwNtbOutMaxSize, clamp it in the range [USB_CDC_NCM_NTB_MIN_OUT_SIZE, CDC_NCM_NTB_MAX_SIZE_TX]. We ensure enough data space is allocated to handle CDC data by making sure dwNtbOutMaxSize is not smaller than USB_CDC_NCM_NTB_MIN_OUT_SIZE.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
94- osv-coords91 versionspkg:rpm/suse/kernel-64kb&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-ESPOSpkg:rpm/suse/kernel-64kb&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-LTSSpkg:rpm/suse/kernel-64kb&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP5-ESPOSpkg:rpm/suse/kernel-64kb&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP5-LTSSpkg:rpm/suse/kernel-64kb&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP4-LTSSpkg:rpm/suse/kernel-64kb&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP5-LTSSpkg:rpm/suse/kernel-default-base&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-ESPOSpkg:rpm/suse/kernel-default-base&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-LTSSpkg:rpm/suse/kernel-default-base&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP5-ESPOSpkg:rpm/suse/kernel-default-base&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP5-LTSSpkg:rpm/suse/kernel-default-base&distro=SUSE%20Linux%20Enterprise%20Micro%205.3pkg:rpm/suse/kernel-default-base&distro=SUSE%20Linux%20Enterprise%20Micro%205.4pkg:rpm/suse/kernel-default-base&distro=SUSE%20Linux%20Enterprise%20Micro%205.5pkg:rpm/suse/kernel-default-base&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP4-LTSSpkg:rpm/suse/kernel-default-base&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP5-LTSSpkg:rpm/suse/kernel-default-base&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP4pkg:rpm/suse/kernel-default-base&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP5pkg:rpm/suse/kernel-default-base&distro=SUSE%20Manager%20Proxy%20LTS%204.3pkg:rpm/suse/kernel-default-base&distro=SUSE%20Manager%20Server%20LTS%204.3pkg:rpm/suse/kernel-default&distro=SUSE%20Linux%20Enterprise%20High%20Availability%20Extension%2015%20SP4pkg:rpm/suse/kernel-default&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-ESPOSpkg:rpm/suse/kernel-default&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-LTSSpkg:rpm/suse/kernel-default&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP5-ESPOSpkg:rpm/suse/kernel-default&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP5-LTSSpkg:rpm/suse/kernel-default&distro=SUSE%20Linux%20Enterprise%20Live%20Patching%2012%20SP5pkg:rpm/suse/kernel-default&distro=SUSE%20Linux%20Enterprise%20Live%20Patching%2015%20SP4pkg:rpm/suse/kernel-default&distro=SUSE%20Linux%20Enterprise%20Live%20Patching%2015%20SP5pkg:rpm/suse/kernel-default&distro=SUSE%20Linux%20Enterprise%20Micro%205.3pkg:rpm/suse/kernel-default&distro=SUSE%20Linux%20Enterprise%20Micro%205.4pkg:rpm/suse/kernel-default&distro=SUSE%20Linux%20Enterprise%20Micro%205.5pkg:rpm/suse/kernel-default&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5-LTSSpkg:rpm/suse/kernel-default&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP4-LTSSpkg:rpm/suse/kernel-default&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP5-LTSSpkg:rpm/suse/kernel-default&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP4pkg:rpm/suse/kernel-default&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP5pkg:rpm/suse/kernel-default&distro=SUSE%20Linux%20Enterprise%20Server%20LTSS%20Extended%20Security%2012%20SP5pkg:rpm/suse/kernel-default&distro=SUSE%20Manager%20Proxy%20LTS%204.3pkg:rpm/suse/kernel-default&distro=SUSE%20Manager%20Server%20LTS%204.3pkg:rpm/suse/kernel-docs&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-ESPOSpkg:rpm/suse/kernel-docs&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-LTSSpkg:rpm/suse/kernel-docs&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP5-ESPOSpkg:rpm/suse/kernel-docs&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP5-LTSSpkg:rpm/suse/kernel-docs&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP4-LTSSpkg:rpm/suse/kernel-docs&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP5-LTSSpkg:rpm/suse/kernel-docs&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP4pkg:rpm/suse/kernel-docs&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP5pkg:rpm/suse/kernel-livepatch-SLE15-SP4_Update_46&distro=SUSE%20Linux%20Enterprise%20Live%20Patching%2015%20SP4pkg:rpm/suse/kernel-livepatch-SLE15-SP5_Update_32&distro=SUSE%20Linux%20Enterprise%20Live%20Patching%2015%20SP5pkg:rpm/suse/kernel-obs-build&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-ESPOSpkg:rpm/suse/kernel-obs-build&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-LTSSpkg:rpm/suse/kernel-obs-build&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP5-ESPOSpkg:rpm/suse/kernel-obs-build&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP5-LTSSpkg:rpm/suse/kernel-obs-build&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP4-LTSSpkg:rpm/suse/kernel-obs-build&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP5-LTSSpkg:rpm/suse/kernel-obs-build&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP4pkg:rpm/suse/kernel-obs-build&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP5pkg:rpm/suse/kernel-rt&distro=SUSE%20Linux%20Enterprise%20Micro%205.3pkg:rpm/suse/kernel-rt&distro=SUSE%20Linux%20Enterprise%20Micro%205.4pkg:rpm/suse/kernel-rt&distro=SUSE%20Linux%20Enterprise%20Micro%205.5pkg:rpm/suse/kernel-source&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-ESPOSpkg:rpm/suse/kernel-source&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-LTSSpkg:rpm/suse/kernel-source&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP5-ESPOSpkg:rpm/suse/kernel-source&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP5-LTSSpkg:rpm/suse/kernel-source&distro=SUSE%20Linux%20Enterprise%20Micro%205.5pkg:rpm/suse/kernel-source&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5-LTSSpkg:rpm/suse/kernel-source&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP4-LTSSpkg:rpm/suse/kernel-source&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP5-LTSSpkg:rpm/suse/kernel-source&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP4pkg:rpm/suse/kernel-source&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP5pkg:rpm/suse/kernel-source&distro=SUSE%20Linux%20Enterprise%20Server%20LTSS%20Extended%20Security%2012%20SP5pkg:rpm/suse/kernel-source&distro=SUSE%20Manager%20Proxy%20LTS%204.3pkg:rpm/suse/kernel-source&distro=SUSE%20Manager%20Server%20LTS%204.3pkg:rpm/suse/kernel-source-rt&distro=SUSE%20Linux%20Enterprise%20Micro%205.3pkg:rpm/suse/kernel-source-rt&distro=SUSE%20Linux%20Enterprise%20Micro%205.4pkg:rpm/suse/kernel-source-rt&distro=SUSE%20Linux%20Enterprise%20Micro%205.5pkg:rpm/suse/kernel-syms&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-ESPOSpkg:rpm/suse/kernel-syms&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-LTSSpkg:rpm/suse/kernel-syms&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP5-ESPOSpkg:rpm/suse/kernel-syms&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP5-LTSSpkg:rpm/suse/kernel-syms&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5-LTSSpkg:rpm/suse/kernel-syms&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP4-LTSSpkg:rpm/suse/kernel-syms&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP5-LTSSpkg:rpm/suse/kernel-syms&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP4pkg:rpm/suse/kernel-syms&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP5pkg:rpm/suse/kernel-syms&distro=SUSE%20Linux%20Enterprise%20Server%20LTSS%20Extended%20Security%2012%20SP5pkg:rpm/suse/kernel-syms&distro=SUSE%20Manager%20Proxy%20LTS%204.3pkg:rpm/suse/kernel-syms&distro=SUSE%20Manager%20Server%20LTS%204.3pkg:rpm/suse/kernel-zfcpdump&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP4-LTSSpkg:rpm/suse/kernel-zfcpdump&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP5-LTSSpkg:rpm/suse/kernel-zfcpdump&distro=SUSE%20Manager%20Server%20LTS%204.3pkg:rpm/suse/kgraft-patch-SLE12-SP5_Update_74&distro=SUSE%20Linux%20Enterprise%20Live%20Patching%2012%20SP5
< 5.14.21-150400.24.184.1+ 90 more
- (no CPE)range: < 5.14.21-150400.24.184.1
- (no CPE)range: < 5.14.21-150400.24.184.1
- (no CPE)range: < 5.14.21-150500.55.127.1
- (no CPE)range: < 5.14.21-150500.55.127.1
- (no CPE)range: < 5.14.21-150400.24.184.1
- (no CPE)range: < 5.14.21-150500.55.127.1
- (no CPE)range: < 5.14.21-150400.24.184.1.150400.24.94.2
- (no CPE)range: < 5.14.21-150400.24.184.1.150400.24.94.2
- (no CPE)range: < 5.14.21-150500.55.127.1.150500.6.61.1
- (no CPE)range: < 5.14.21-150500.55.127.1.150500.6.61.1
- (no CPE)range: < 5.14.21-150400.24.184.1.150400.24.94.2
- (no CPE)range: < 5.14.21-150400.24.184.1.150400.24.94.2
- (no CPE)range: < 5.14.21-150500.55.127.1.150500.6.61.1
- (no CPE)range: < 5.14.21-150400.24.184.1.150400.24.94.2
- (no CPE)range: < 5.14.21-150500.55.127.1.150500.6.61.1
- (no CPE)range: < 5.14.21-150400.24.184.1.150400.24.94.2
- (no CPE)range: < 5.14.21-150500.55.127.1.150500.6.61.1
- (no CPE)range: < 5.14.21-150400.24.184.1.150400.24.94.2
- (no CPE)range: < 5.14.21-150400.24.184.1.150400.24.94.2
- (no CPE)range: < 5.14.21-150400.24.184.1
- (no CPE)range: < 5.14.21-150400.24.184.1
- (no CPE)range: < 5.14.21-150400.24.184.1
- (no CPE)range: < 5.14.21-150500.55.127.1
- (no CPE)range: < 5.14.21-150500.55.127.1
- (no CPE)range: < 4.12.14-122.280.1
- (no CPE)range: < 5.14.21-150400.24.184.1
- (no CPE)range: < 5.14.21-150500.55.127.1
- (no CPE)range: < 5.14.21-150400.24.184.1
- (no CPE)range: < 5.14.21-150400.24.184.1
- (no CPE)range: < 5.14.21-150500.55.127.1
- (no CPE)range: < 4.12.14-122.280.1
- (no CPE)range: < 5.14.21-150400.24.184.1
- (no CPE)range: < 5.14.21-150500.55.127.1
- (no CPE)range: < 5.14.21-150400.24.184.1
- (no CPE)range: < 5.14.21-150500.55.127.1
- (no CPE)range: < 4.12.14-122.280.1
- (no CPE)range: < 5.14.21-150400.24.184.1
- (no CPE)range: < 5.14.21-150400.24.184.1
- (no CPE)range: < 5.14.21-150400.24.184.1
- (no CPE)range: < 5.14.21-150400.24.184.1
- (no CPE)range: < 5.14.21-150500.55.127.1
- (no CPE)range: < 5.14.21-150500.55.127.1
- (no CPE)range: < 5.14.21-150400.24.184.1
- (no CPE)range: < 5.14.21-150500.55.127.1
- (no CPE)range: < 5.14.21-150400.24.184.1
- (no CPE)range: < 5.14.21-150500.55.127.1
- (no CPE)range: < 1-150400.9.5.1
- (no CPE)range: < 1-150500.11.3.1
- (no CPE)range: < 5.14.21-150400.24.184.1
- (no CPE)range: < 5.14.21-150400.24.184.1
- (no CPE)range: < 5.14.21-150500.55.127.1
- (no CPE)range: < 5.14.21-150500.55.127.1
- (no CPE)range: < 5.14.21-150400.24.184.1
- (no CPE)range: < 5.14.21-150500.55.127.1
- (no CPE)range: < 5.14.21-150400.24.184.1
- (no CPE)range: < 5.14.21-150500.55.127.1
- (no CPE)range: < 5.14.21-150400.15.136.1
- (no CPE)range: < 5.14.21-150400.15.136.1
- (no CPE)range: < 5.14.21-150500.13.112.1
- (no CPE)range: < 5.14.21-150400.24.184.1
- (no CPE)range: < 5.14.21-150400.24.184.1
- (no CPE)range: < 5.14.21-150500.55.127.1
- (no CPE)range: < 5.14.21-150500.55.127.1
- (no CPE)range: < 5.14.21-150500.55.127.1
- (no CPE)range: < 4.12.14-122.280.1
- (no CPE)range: < 5.14.21-150400.24.184.1
- (no CPE)range: < 5.14.21-150500.55.127.1
- (no CPE)range: < 5.14.21-150400.24.184.1
- (no CPE)range: < 5.14.21-150500.55.127.1
- (no CPE)range: < 4.12.14-122.280.1
- (no CPE)range: < 5.14.21-150400.24.184.1
- (no CPE)range: < 5.14.21-150400.24.184.1
- (no CPE)range: < 5.14.21-150400.15.136.1
- (no CPE)range: < 5.14.21-150400.15.136.1
- (no CPE)range: < 5.14.21-150500.13.112.1
- (no CPE)range: < 5.14.21-150400.24.184.1
- (no CPE)range: < 5.14.21-150400.24.184.1
- (no CPE)range: < 5.14.21-150500.55.127.1
- (no CPE)range: < 5.14.21-150500.55.127.1
- (no CPE)range: < 4.12.14-122.280.1
- (no CPE)range: < 5.14.21-150400.24.184.1
- (no CPE)range: < 5.14.21-150500.55.127.1
- (no CPE)range: < 5.14.21-150400.24.184.1
- (no CPE)range: < 5.14.21-150500.55.127.1
- (no CPE)range: < 4.12.14-122.280.1
- (no CPE)range: < 5.14.21-150400.24.184.1
- (no CPE)range: < 5.14.21-150400.24.184.1
- (no CPE)range: < 5.14.21-150400.24.184.1
- (no CPE)range: < 5.14.21-150500.55.127.1
- (no CPE)range: < 5.14.21-150400.24.184.1
- (no CPE)range: < 1-8.5.1
Patches
Vulnerability mechanics
References
8- git.kernel.org/stable/c/2334ff0b343ba6ba7a6c0586fcc83992bbbc1776mitre
- git.kernel.org/stable/c/42b78c8cc774b47023d6d16d96d54cc7015e4a07mitre
- git.kernel.org/stable/c/6147745d43ff4e0d2c542e5b93e398ef0ee4db00mitre
- git.kernel.org/stable/c/72d0240b0ee4794efc683975c213e4b384fea733mitre
- git.kernel.org/stable/c/7e01c7f7046efc2c7c192c3619db43292b98e997mitre
- git.kernel.org/stable/c/9be921854e983a81a0aeeae5febcd87093086e46mitre
- git.kernel.org/stable/c/bf415bfe7573596ac213b4fd1da9e62cfc9a9413mitre
- git.kernel.org/stable/c/ff484163dfb61b58f23e4dbd007de1094427669cmitre
News mentions
0No linked articles in our index yet.