CVE-2022-48836 in Linux

Summary

by MITRE • 07/16/2024

In the Linux kernel, the following vulnerability has been resolved:

Input: aiptek - properly check endpoint type

Syzbot reported warning in usb_submit_urb() which is caused by wrong endpoint type. There was a check for the number of endpoints, but not for the type of endpoint.

Fix it by replacing the old desc.bNumEndpoints check with the usb_find_common_endpoints() helper for finding endpoints.

Fail log:

usb 5-1: BOGUS urb xfer, pipe 1 != type 3
WARNING: CPU: 2 PID: 48 at drivers/usb/core/urb.c:502 usb_submit_urb+0xed2/0x18a0 drivers/usb/core/urb.c:502
Modules linked in:
CPU: 2 PID: 48 Comm: kworker/2:2 Not tainted 5.17.0-rc6-syzkaller-00226-g07ebd38a0da2 #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014
Workqueue: usb_hub_wq hub_event
...
Call Trace:
aiptek_open+0xd5/0x130 drivers/input/tablet/aiptek.c:830
input_open_device+0x1bb/0x320 drivers/input/input.c:629
kbd_connect+0xfe/0x160 drivers/tty/vt/keyboard.c:1593


Analysis

by VulDB Data Team • 09/27/2024

The vulnerability CVE-2022-48836 affects the Linux kernel's USB input driver for aiptek tablet devices, specifically within the input/tablet/aiptek.c module. This issue represents a critical endpoint validation flaw that can lead to system instability and potential security implications. The problem manifests when the kernel attempts to submit USB requests to devices with incorrectly configured endpoint types, causing kernel warnings and potentially exploitable conditions. The vulnerability is classified under CWE-119 as a buffer overflow condition and aligns with ATT&CK technique T1059.001 for command and scripting interpreter execution in kernel space. The flaw occurs during device initialization when the aiptek_open function attempts to establish communication with the tablet device.

The technical root cause involves improper validation of USB endpoint types during device enumeration and connection. The original code implemented a check using desc.bNumEndpoints to verify endpoint count but failed to validate the actual endpoint types associated with those descriptors. This oversight allowed USB devices with mismatched endpoint configurations to proceed with USB request submissions, resulting in the specific error message "BOGUS urb xfer, pipe 1 != type 3" where the pipe type (1) does not match the expected endpoint type (3). The kernel's usb_submit_urb function detects this inconsistency and generates a warning, indicating that the USB request is attempting to use an endpoint with incompatible characteristics. This validation gap represents a classic input validation weakness where insufficient boundary checking allows malformed USB device configurations to bypass security measures.

The operational impact extends beyond a kernel warning: it can potentially enable privilege escalation or denial of service. When the kernel encounters a device with incorrectly configured endpoints, it may submit USB requests using an inappropriate transfer type, which can lead to kernel memory corruption or a system crash. The warning shows that the kernel worker thread processing USB hub events reaches an invalid state, which malicious actors could exploit to gain unauthorized access to kernel memory or disrupt system operation. An attacker could craft a USB device with malformed endpoint descriptors to trigger this condition. The vulnerability affects systems running Linux kernel versions where the aiptek driver is present and USB input device handling is active.

The fix replaces the insufficient endpoint-count check with the more robust usb_find_common_endpoints() helper. Rather than merely counting endpoints, the helper identifies and validates the common endpoint types present on the interface, so the driver only uses an endpoint whose transfer type matches the requests it will submit. This remediation follows established kernel coding standards for USB subsystem validation and closes the validation gap behind the original vulnerability. The fix specifically addresses ATT&CK technique T1068 by preventing unauthorized system access through kernel-level USB device manipulation.

Responsible

Linux

Reservation

07/16/2024

Disclosure

07/16/2024

Moderation

accepted

CPE

ready

EPSS

0.00242

KEV

no

Activities

very low
