CVE-2023-52886 in Linux
Summary
by MITRE • 07/16/2024
In the Linux kernel, the following vulnerability has been resolved:
USB: core: Fix race by not overwriting udev->descriptor in hub_port_init()
Syzbot reported an out-of-bounds read in sysfs.c:read_descriptors():
BUG: KASAN: slab-out-of-bounds in read_descriptors+0x263/0x280 drivers/usb/core/sysfs.c:883 Read of size 8 at addr ffff88801e78b8c8 by task udevd/5011
CPU: 0 PID: 5011 Comm: udevd Not tainted 6.4.0-rc6-syzkaller-00195-g40f71e7cd3c6 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023 Call Trace: __dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xd9/0x150 lib/dump_stack.c:106 print_address_description.constprop.0+0x2c/0x3c0 mm/kasan/report.c:351 print_report mm/kasan/report.c:462 [inline]
kasan_report+0x11c/0x130 mm/kasan/report.c:572 read_descriptors+0x263/0x280 drivers/usb/core/sysfs.c:883 ... Allocated by task 758: ... __do_kmalloc_node mm/slab_common.c:966 [inline]
__kmalloc+0x5e/0x190 mm/slab_common.c:979 kmalloc include/linux/slab.h:563 [inline]
kzalloc include/linux/slab.h:680 [inline]
usb_get_configuration+0x1f7/0x5170 drivers/usb/core/config.c:887 usb_enumerate_device drivers/usb/core/hub.c:2407 [inline]
usb_new_device+0x12b0/0x19d0 drivers/usb/core/hub.c:2545
As analyzed by Khazhy Kumykov, the cause of this bug is a race between read_descriptors() and hub_port_init(): The first routine uses a field in udev->descriptor, not expecting it to change, while the second overwrites it.
Prior to commit 45bf39f8df7f ("USB: core: Don't hold device lock while reading the "descriptors" sysfs file") this race couldn't occur, because the routines were mutually exclusive thanks to the device locking. Removing that locking from read_descriptors() exposed it to the race.
The best way to fix the bug is to keep hub_port_init() from changing udev->descriptor once udev has been initialized and registered. Drivers expect the descriptors stored in the kernel to be immutable; we should not undermine this expectation. In fact, this change should have been made long ago.
So now hub_port_init() will take an additional argument, specifying a buffer in which to store the device descriptor it reads. (If udev has not yet been initialized, the buffer pointer will be NULL and then hub_port_init() will store the device descriptor in udev as before.) This eliminates the data race responsible for the out-of-bounds read.
The changes to hub_port_init() appear more extensive than they really are, because of indentation changes resulting from an attempt to avoid writing to other parts of the usb_device structure after it has been initialized. Similar changes should be made to the code that reads the BOS descriptor, but that can be handled in a separate patch later on. This patch is sufficient to fix the bug found by syzbot.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 08/21/2024
The vulnerability described in CVE-2023-52886 represents a critical race condition within the Linux USB subsystem that can lead to out-of-bounds memory access and potential system instability. This issue manifests in the USB core driver where concurrent access patterns between the sysfs descriptor reading functionality and the hub port initialization process create a scenario where memory corruption can occur. The vulnerability was identified through kernel address sanitizer (KASAN) reports indicating a slab-out-of-bounds read in the read_descriptors function within drivers/usb/core/sysfs.c at line 883. The root cause stems from the removal of exclusive device locking that previously prevented concurrent access between these two critical functions, specifically read_descriptors and hub_port_init.
The technical flaw occurs when the read_descriptors function attempts to access udev->descriptor while hub_port_init is simultaneously overwriting this same memory location. This race condition arises because the USB subsystem previously maintained mutual exclusion through device locking mechanisms that were removed in commit 45bf39f8df7f to improve performance, but inadvertently exposed this data race. The issue is particularly dangerous because it operates on kernel memory structures that are expected to remain immutable once initialized, violating fundamental assumptions about USB device descriptor consistency. This type of race condition falls under CWE-362, which specifically addresses concurrent execution issues where multiple threads or processes access shared resources without proper synchronization mechanisms.
The operational impact of this vulnerability extends beyond simple memory corruption to potentially enable privilege escalation and system instability. When the out-of-bounds read occurs, it can cause kernel panics, data corruption, or more insidiously, allow attackers to manipulate kernel memory structures that could be exploited for privilege escalation. The vulnerability affects systems running Linux kernel versions where the problematic commit was introduced, making it particularly concerning for server and embedded systems that rely heavily on USB connectivity. The attack surface is significant as any system with USB devices connected and active could potentially trigger this race condition through normal USB enumeration processes or udev events.
The mitigation strategy implemented in this fix involves a fundamental architectural change to how device descriptors are managed during USB enumeration. The solution modifies hub_port_init to accept an additional parameter specifying a buffer for storing device descriptors, rather than directly overwriting udev->descriptor when udev has already been initialized. This approach ensures that once a USB device is registered with udev, its descriptor remains immutable, preventing the race condition that led to the out-of-bounds read. This fix aligns with ATT&CK technique T1068 by preventing privilege escalation through kernel memory corruption, and it addresses the broader category of privilege escalation via kernel exploits. The solution is designed to maintain backward compatibility while ensuring that the USB subsystem enforces proper memory management principles, particularly around the immutability of device descriptors once they are registered with the udev subsystem. The implementation follows security best practices by ensuring that once a device is initialized, its core metadata cannot be modified concurrently, thereby preventing the type of data races that could lead to system compromise.