Bug 1197245 (CVE-2022-27223) - VUL-0: CVE-2022-27223: kernel: In drivers/usb/gadget/udc/udc-xilinx.c the endpoint index is not validated
Status: RESOLVED FIXED
Alias: CVE-2022-27223
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium; Severity: Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/326379/
Whiteboard: CVSSv3.1:SUSE:CVE-2022-27223:5.3:(AV:...
Reported: 2022-03-17 15:58 UTC by Alexander Bergmann
Modified: 2024-06-25 16:42 UTC
Found By: Security Response Team
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Comment 1 Takashi Iwai 2022-03-17 16:15:48 UTC
It's a gadget driver, and only enabled for openSUSE; i.e. affected only on Leap 15.x and TW.

And the fix is already included in both SLE15-SP3 and SLE15-SP4 branches, and stable got it via 5.16.12 update.

I updated the patch reference in SLE15-SP3 and SLE15-SP4 branches.

Reassigned back to security team.
Comment 3 Gianluca Gabrielli 2022-03-21 10:29:42 UTC
done.
Comment 8 Swamp Workflow Management 2022-04-12 16:26:06 UTC
SUSE-SU-2022:1163-1: An update that solves 25 vulnerabilities and has 33 fixes is now available.

Category: security (important)
Bug References: 1065729,1156395,1175667,1177028,1178134,1179639,1180153,1189562,1194589,1194625,1194649,1194943,1195051,1195353,1195640,1195926,1196018,1196130,1196196,1196478,1196488,1196761,1196823,1196956,1197227,1197243,1197245,1197300,1197302,1197331,1197343,1197366,1197389,1197460,1197462,1197501,1197534,1197661,1197675,1197677,1197702,1197811,1197812,1197815,1197817,1197819,1197820,1197888,1197889,1197894,1198027,1198028,1198029,1198030,1198031,1198032,1198033,1198077
CVE References: CVE-2021-39698,CVE-2021-45402,CVE-2021-45868,CVE-2022-0850,CVE-2022-0854,CVE-2022-1011,CVE-2022-1016,CVE-2022-1048,CVE-2022-1055,CVE-2022-1195,CVE-2022-1198,CVE-2022-1199,CVE-2022-1205,CVE-2022-23036,CVE-2022-23037,CVE-2022-23038,CVE-2022-23039,CVE-2022-23040,CVE-2022-23041,CVE-2022-23042,CVE-2022-27223,CVE-2022-27666,CVE-2022-28388,CVE-2022-28389,CVE-2022-28390
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    kernel-azure-5.3.18-150300.38.53.1, kernel-source-azure-5.3.18-150300.38.53.1, kernel-syms-azure-5.3.18-150300.38.53.1
SUSE Linux Enterprise Module for Public Cloud 15-SP3 (src):    kernel-azure-5.3.18-150300.38.53.1, kernel-source-azure-5.3.18-150300.38.53.1, kernel-syms-azure-5.3.18-150300.38.53.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.