CVE-2022-48866 in Linux
Summary
by MITRE • 07/16/2024
In the Linux kernel, the following vulnerability has been resolved:
HID: hid-thrustmaster: fix OOB read in thrustmaster_interrupts
Syzbot reported a slab-out-of-bounds Read in thrustmaster_probe() bug. The root cause is a missing validation check of the actual number of endpoints.
Code should not blindly access the usb_host_interface::endpoint array, since it may contain fewer endpoints than the code expects.
Fix it by adding the missing validation check and print an error if the number of endpoints does not match the expected number.
Analysis
by VulDB Data Team • 09/28/2024
The vulnerability CVE-2022-48866 represents a critical out-of-bounds read condition in the Linux kernel's HID subsystem, specifically within the thrustmaster driver responsible for handling Thrustmaster gaming devices. This flaw manifests in the hid-thrustmaster module where the kernel fails to validate the actual number of USB endpoints available during device probe operations. The issue was identified through automated fuzzing conducted by syzbot, which revealed a slab-out-of-bounds read error occurring in the thrustmaster_probe() function. This type of vulnerability falls under the category of buffer over-read conditions that can potentially lead to information disclosure or system instability.
The technical root cause stems from inadequate input validation within the USB endpoint handling logic. The driver code performs blind access to the usb_host_interface::endpoint array without first verifying whether the actual number of endpoints reported by the USB device matches the expected count. This oversight allows the kernel to attempt reading beyond the allocated memory boundaries of the endpoint array, creating a potential attack surface where malicious USB devices could trigger memory corruption. The vulnerability specifically impacts the thrustmaster_interrupts function where the out-of-bounds read occurs during the device initialization phase. According to CWE classification, this represents a CWE-125: Out-of-bounds Read vulnerability, while the ATT&CK framework would categorize this under T1059.001: Command and Scripting Interpreter - PowerShell and T1566.001: Phishing - Spearphishing Attachment, as it could enable privilege escalation through kernel memory corruption.
The operational impact of this vulnerability extends beyond simple memory corruption: it could allow an attacker to extract sensitive kernel memory contents through carefully crafted USB device responses. When a vulnerable system connects to a malicious Thrustmaster device, the kernel's failure to validate endpoint counts during probe operations creates an opportunity for information leakage that could aid further exploitation attempts. The fix addresses this by introducing a validation check that compares the actual number of endpoints against the expected value before any access to the endpoint array. This mitigation aligns with defensive programming practices recommended by the Linux kernel security team and follows established guidelines for USB device handling within the kernel. The fix also logs an error when the endpoint count does not match the expected value, so the out-of-bounds access is prevented and the probe fails gracefully rather than crashing the system. This vulnerability highlights the importance of robust input validation in kernel-space drivers and shows how a seemingly minor validation gap can have significant security consequences in device-handling code.
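The following user-space C model is an added illustration of the validation gap and the fix described above; it is not the hid-thrustmaster driver's code and not from the kernel. The structure and field names (bNumEndpoints, endpoint[], bEndpointAddress) mirror the kernel's usb_host_interface and usb_endpoint_descriptor, but the expected endpoint count (EXPECTED_ENDPOINTS = 2), the log prefix, and the sample descriptors are assumptions made for the example. The unchecked probe shows the original pattern of indexing the endpoint array for the endpoints the driver assumes exist; the checked probe shows the fix pattern of verifying the device-reported count first, logging a mismatch, and refusing to bind the device with -ENODEV.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed user-space model of the structures the analysis refers to.
 * Field names mirror usb_host_interface / usb_endpoint_descriptor, but this
 * is an illustration, not kernel code. */
#define MODEL_MAX_ENDPOINTS 4  /* model only: the kernel allocates exactly bNumEndpoints entries */
#define EXPECTED_ENDPOINTS  2  /* assumption: the count the real driver expects is not stated on the page */

struct model_endpoint_descriptor {
    uint8_t bEndpointAddress;
    uint8_t bmAttributes;
};

struct model_host_interface {
    uint8_t bNumEndpoints;   /* number of endpoints the device actually reported */
    struct model_endpoint_descriptor endpoint[MODEL_MAX_ENDPOINTS];
};

/* Build a model interface from a constructed list of endpoint addresses. */
static void model_interface_init(struct model_host_interface *iface,
                                 const uint8_t *addrs, uint8_t n)
{
    memset(iface, 0, sizeof(*iface));
    iface->bNumEndpoints = n;
    for (uint8_t i = 0; i < n && i < MODEL_MAX_ENDPOINTS; i++)
        iface->endpoint[i].bEndpointAddress = addrs[i];
}

/* Vulnerable pattern: index the array for the endpoints the driver assumes
 * exist, without consulting bNumEndpoints. In this model the array has a
 * fixed size, so reading past the reported count yields zeroed entries; in
 * the kernel the array holds exactly bNumEndpoints entries, so the same read
 * runs past the allocation (the slab-out-of-bounds read syzbot reported). */
static int probe_unchecked(const struct model_host_interface *iface,
                           uint8_t out[EXPECTED_ENDPOINTS])
{
    for (int i = 0; i < EXPECTED_ENDPOINTS; i++)
        out[i] = iface->endpoint[i].bEndpointAddress;
    return 0;
}

/* Hardened pattern, in the spirit of the fix described above: verify the
 * reported count before touching the array, log the mismatch, and fail the
 * probe with -ENODEV so the device is simply not bound. */
static int probe_checked(const struct model_host_interface *iface,
                         uint8_t out[EXPECTED_ENDPOINTS])
{
    if (iface->bNumEndpoints != EXPECTED_ENDPOINTS) {
        fprintf(stderr, "model-thrustmaster: wrong number of endpoints: %u (expected %d)\n",
                iface->bNumEndpoints, EXPECTED_ENDPOINTS);
        return -ENODEV;
    }
    for (int i = 0; i < EXPECTED_ENDPOINTS; i++)
        out[i] = iface->endpoint[i].bEndpointAddress;
    return 0;
}

/* Build a constructed interface reporting n_endpoints and run one probe path.
 * Returns the probe's status; out[] receives the endpoint addresses it read. */
static int run_probe(int use_check, uint8_t n_endpoints, uint8_t out[EXPECTED_ENDPOINTS])
{
    static const uint8_t addrs[MODEL_MAX_ENDPOINTS] = { 0x81, 0x01, 0x82, 0x02 };
    struct model_host_interface iface;

    model_interface_init(&iface, addrs, n_endpoints);
    return use_check ? probe_checked(&iface, out) : probe_unchecked(&iface, out);
}

int main(void)
{
    uint8_t eps[EXPECTED_ENDPOINTS];

    printf("checked probe, device reports 2 endpoints: %d\n", run_probe(1, 2, eps));
    printf("checked probe, device reports 1 endpoint:  %d (-ENODEV = %d)\n",
           run_probe(1, 1, eps), -ENODEV);
    printf("unchecked probe, device reports 1 endpoint: %d, endpoint[1] read as 0x%02x "
           "(an index past the reported count)\n", run_probe(0, 1, eps), eps[1]);
    return 0;
}
```

The check is deliberately an exact comparison rather than a lower bound: a driver that indexes a fixed set of endpoints has no use for a device that reports more of them, and rejecting any unexpected descriptor at probe time keeps the parsing surface as small as possible.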