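Vulnerability Title
USB: dwc3: gadget: check whether the event count exceeds the event buffer length
Vulnerability Description
## Overview
In the Linux kernel, a vulnerability related to the event counter in the dwc3 USB driver has been fixed. The vulnerability could lead to an out-of-bounds access in kernel space, causing a system crash.
## Affected Versions
The affected versions are not specified, but the issue concerns Linux kernel versions that include the dwc3 USB driver.
## Details
The event count is read from the `DWC3_GEVNTCOUNT` register. The code checked whether the count was zero, but did not check whether the count exceeded the event buffer length. This leads to an out-of-bounds access when `memcpy` is called to copy the event. Specifically, when the kernel attempts to copy more data than the buffer length into the buffer, an illegal memory access occurs, which in turn crashes the system.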
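The check described above, as an added user-space model (not the kernel's code and not taken from the fix itself). The struct layout, the 64-byte ring, the wrap-around copy and the names `evt_buf`, `check_event_buf` and `run_case` are assumptions made for illustration; `reg_count` stands in for the value read from `DWC3_GEVNTCOUNT`.

```c
#include <stdint.h>
#include <string.h>

#define EVT_BUF_LEN 64u   /* constructed ring size for this model */

enum evt_result { EVT_NONE, EVT_REJECTED, EVT_COPIED };

struct evt_buf {
    uint8_t  buf[EVT_BUF_LEN];    /* ring filled by the controller */
    uint8_t  cache[EVT_BUF_LEN];  /* driver-side copy, same length */
    uint32_t length;              /* ring size in bytes */
    uint32_t lpos;                /* read offset inside the ring */
};

/* reg_count stands in for the value read from DWC3_GEVNTCOUNT. */
enum evt_result check_event_buf(struct evt_buf *evt, uint32_t reg_count)
{
    if (reg_count == 0)
        return EVT_NONE;          /* the check that already existed */
    if (reg_count > evt->length)
        return EVT_REJECTED;      /* the added check: never trust the register */

    /* Assumed ring layout: copy up to the end of the ring, then wrap. */
    uint32_t amount = evt->length - evt->lpos;
    if (amount > reg_count)
        amount = reg_count;
    memcpy(evt->cache + evt->lpos, evt->buf + evt->lpos, amount);
    if (amount < reg_count)
        memcpy(evt->cache, evt->buf, reg_count - amount);
    return EVT_COPIED;
}

/* Constructed scenario: pattern-fill the ring, run the check, and on success
 * verify that every copied byte landed at the matching cache offset. */
int run_case(uint32_t lpos, uint32_t reg_count)
{
    struct evt_buf evt = { .length = EVT_BUF_LEN, .lpos = lpos };
    for (uint32_t i = 0; i < EVT_BUF_LEN; i++)
        evt.buf[i] = (uint8_t)(i + 1);

    enum evt_result r = check_event_buf(&evt, reg_count);
    for (uint32_t i = 0; r == EVT_COPIED && i < reg_count; i++) {
        uint32_t p = (lpos + i) % EVT_BUF_LEN;
        if (evt.cache[p] != evt.buf[p])
            return -1;
    }
    return (int)r;
}
```

In this model, clamping `amount` to the end of the ring is not enough on its own: without the `reg_count > evt->length` branch, the second `memcpy` would be given a length larger than the ring.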
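## Impact
When the count exceeds the event buffer length, the kernel accesses an illegal address, causing a system crash, and the crash log records the relevant information: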
```
Unable to handle kernel paging request at virtual address ffffffc0129be000
pc : __memcpy+0x114/0x180
lr : dwc3_check_event_buf+0xec/0x348
x3 : 0000000000000030 x2 : 000000000000dfc4
x1 : ffffffc0129be000 x0 : ffffff87aad60080
Call trace:
__memcpy+0x114/0x180
dwc3_interrupt+0x24/0x34
```
CVSS Information
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Vulnerability Category
Improper Restriction of Operations within the Bounds of a Memory Buffer
Vulnerability Title
usb: dwc3: gadget: check that event count does not exceed event buffer length
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved:
usb: dwc3: gadget: check that event count does not exceed event buffer length
The event count is read from register DWC3_GEVNTCOUNT.
There is a check for the count being zero, but not for exceeding the
event buffer length.
Check that event count does not exceed event buffer length,
avoiding an out-of-bounds access when memcpy'ing the event.
Crash log:
```
Unable to handle kernel paging request at virtual address ffffffc0129be000
pc : __memcpy+0x114/0x180
lr : dwc3_check_event_buf+0xec/0x348
x3 : 0000000000000030 x2 : 000000000000dfc4
x1 : ffffffc0129be000 x0 : ffffff87aad60080
Call trace:
__memcpy+0x114/0x180
dwc3_interrupt+0x24/0x34
```
CVSS Information
N/A
Vulnerability Category
N/A