漏洞标题
没有内容
漏洞描述信息
在 Linux 内核中,已解决以下漏洞:
xhci:正确处理 isoc Babble 和缓冲区溢出事件
尽管 xHCI 4.9 明确禁止假设 xHC 在报告早期 TRB 中的错误时已释放多 TRB TD 的所有权,但驱动程序仍做出此类假设并释放了 TD,从而允许剩余 TRB 被新 TD 释放或覆盖。
xHC 应该报告由于我们设置的 IOC 标志而完成的最后一个 TRB,无论之前是否存在错误。如果先前已经释放了 TD,则无法识别此事件,从而导致“Transfer event TRB DMA ptr 不属于当前 TD”错误消息。
通过重用处理 isoc 事务错误的逻辑来修复此问题。这也处理那些未能报告最终完成情况的主机。
修复 Babble 错误时的传输长度报告。这些错误可能是由设备故障引起的,不能保证缓冲区已被填充。
CVSS信息
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
漏洞类别
跨界内存写
漏洞标题
xhci: handle isoc Babble and Buffer Overrun events properly
漏洞描述信息
In the Linux kernel, the following vulnerability has been resolved:
xhci: handle isoc Babble and Buffer Overrun events properly
xHCI 4.9 explicitly forbids assuming that the xHC has released its
ownership of a multi-TRB TD when it reports an error on one of the
early TRBs. Yet the driver makes such assumption and releases the TD,
allowing the remaining TRBs to be freed or overwritten by new TDs.
The xHC should also report completion of the final TRB due to its IOC
flag being set by us, regardless of prior errors. This event cannot
be recognized if the TD has already been freed earlier, resulting in
"Transfer event TRB DMA ptr not part of current TD" error message.
Fix this by reusing the logic for processing isoc Transaction Errors.
This also handles hosts which fail to report the final completion.
Fix transfer length reporting on Babble errors. They may be caused by
device malfunction, no guarantee that the buffer has been filled.
CVSS信息
N/A
漏洞类别
N/A
漏洞标题
Linux kernel 安全漏洞
漏洞描述信息
Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 Linux kernel存在安全漏洞,该漏洞源于存在缓冲区溢出漏洞。
CVSS信息
N/A
漏洞类别
其他