Bug 1199566 (CVE-2022-20009) - VUL-0: CVE-2022-20009: kernel-source-azure,kernel-source,kernel-source-rt: possible out of bounds write due to a missing bounds check in the USB gadget subsystem
Status: RESOLVED WORKSFORME
Alias: CVE-2022-20009
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium, Severity: Minor
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/331303/
Reported: 2022-05-16 09:02 UTC by Robert Frohl
Modified: 2022-05-16 11:17 UTC

Found By: Security Response Team


Description Robert Frohl 2022-05-16 09:02:11 UTC
CVE-2022-20009

In various functions of the USB gadget subsystem, there is a possible out of
bounds write due to a missing bounds check. This could lead to local escalation
of privilege with no additional execution privileges needed. User interaction is
not needed for exploitation.

Product: Android
Versions: Android kernel
Android ID: A-213172319
References: Upstream kernel

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-20009
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-20009
https://source.android.com/security/bulletin/2022-05-01
Comment 2 Robert Frohl 2022-05-16 09:25:21 UTC
seems to be part of cve/linux-5.3 and SLE15-SP4 already (38ea1eac7d88072bbffb630e2b3db83ca649b826), needed in cve/linux-4.4 and cve/linux-4.12

The above also seems to need 65f3324f4b6fed78b8761c3b74615ecf0ffa81fa to fix an integer overflow, not sure if that has a CVE assigned.
Comment 3 Takashi Iwai 2022-05-16 10:01:19 UTC
(In reply to Robert Frohl from comment #2)
> seems to be part of cve/linux-5.3 and SLE15-SP4 already
> (38ea1eac7d88072bbffb630e2b3db83ca649b826),

It implies that this is a dup of CVE-2022-25375 (bsc#1196235).

> needed in cve/linux-4.4 and
> cve/linux-4.12

We didn't enable CONFIG_USB_GADGET on those old releases, so they are unaffected.

> The above also seems to need 65f3324f4b6fed78b8761c3b74615ecf0ffa81fa to fix
> an integer overflow, not sure if that has a CVE assigned.

It's a different issue :)

Reassigned back to security team.
Comment 4 Robert Frohl 2022-05-16 11:17:12 UTC
nothing to do
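
The triage in comment 3 turns on whether CONFIG_USB_GADGET is set in a given kernel's build config. The following shell functions are an added example, not part of this bug report or of SUSE tooling, showing one way to check that against a config file; the function names and the sample config contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: report how a kernel build config sets one option.

# kconfig_state FILE OPTION
# Prints builtin, module, disabled or absent. Lines are compared whole, so
# CONFIG_USB_GADGET does not match longer names like CONFIG_USB_GADGET_VBUS_DRAW.
kconfig_state() {
    case $1 in
        *.gz) gzip -dc "$1" ;;   # compressed config, e.g. /proc/config.gz
        *)    cat "$1" ;;
    esac | awk -v opt="$2" '
        $0 == (opt "=y")               { s = "builtin" }
        $0 == (opt "=m")               { s = "module" }
        $0 == ("# " opt " is not set") { s = "disabled" }
        END { print (s == "" ? "absent" : s) }'
}

# gadget_built FILE
# Exit status 0 when the USB gadget subsystem is built in or built as a
# module, 1 when it is disabled or the option is absent.
gadget_built() {
    case $(kconfig_state "$1" CONFIG_USB_GADGET) in
        builtin|module) return 0 ;;
        *)              return 1 ;;
    esac
}

# Constructed sample configs (not taken from any SUSE kernel package).
tmp=$(mktemp -d)
printf '%s\n' 'CONFIG_USB_SUPPORT=y' '# CONFIG_USB_GADGET is not set' \
    > "$tmp/old.config"
printf '%s\n' 'CONFIG_USB_GADGET=m' 'CONFIG_USB_GADGET_VBUS_DRAW=2' \
    > "$tmp/new.config"
printf '%s\n' 'CONFIG_USB_GADGET_VBUS_DRAW=2' \
    > "$tmp/stray.config"

for f in "$tmp"/*.config; do
    printf '%s: CONFIG_USB_GADGET %s\n' "${f##*/}" \
        "$(kconfig_state "$f" CONFIG_USB_GADGET)"
done
```

A result of disabled or absent only shows that the gadget code is not built for that config; whether a built kernel carries the fix still has to be checked against the commits named in the comments.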