CVE-2022-3577 An out-of-bounds memory write flaw was found in the Kid-friendly Wired Controller driver. This flaw allows a local user to crash or potentially escalate their privileges on the system.

This flaw was discovered by Ying Xue from Tencent. This flaw was fixed in the Kid-friendly Wired Controller driver in version v4.14-rc4.

Announced on January 28, 2019, this flaw allows a local user to crash or potentially escalate their privileges on the system. It is in bigben_probe of drivers/hid/hid-bigbenff.c. The reason is incorrect assumption - bigben devices all have inputs. However, malicious devices can break this assumption, leaking to out-of-bound write.
In the kernel many different kinds of input devices exist. For example, keyboards, mice, touchscreens, gamepads, digital cameras, microphones, and more. But lots of other devices exist, too. For example, network interfaces, storage devices, digital cameras, and more. Anything that has a device interface and can be plugged in to the computer can be an input device. As such, input devices can be placed on a list of devices that the Linux kernel will check for any input activity. A remote attacker could use an input device to issue out-of-bounds memory access to an arbitrary location of the kernel. This could lead to remote code execution.

CVE-2021-3576

This flaw was discovered by Ying Xue from Tencent. This flaw was fixed in the Kid-friendly Wired Controller driver in version v4.14-rc2.
Announced on January 27, 2019, this flaw allows code execution and privilege escalation. It is in bigben_probe of drivers/hid/hid-bigbenff.c. The reason is incorrect assumption - bigben devices all have inputs. But malicious devices can break this assumption, leaking to out-of-bound write.
In the kernel many different kinds of input devices exist. For example, keyboards, mice, touchscreens, gamepads, digital cameras, microphones, and more. But lots of other devices exist, too. For example, network interfaces, storage devices, digital cameras, and more. Anything that has a device interface and can be plugged in to the computer can be an input device. As such, input devices can be placed on a list of devices that the Linux kernel will check for any input activity. A remote attacker could use an input device to issue out-of-bounds memory access to an arbitrary location of the kernel. This could lead to remote code execution.

CVE-2021-3559

On January 29, 2019, Ying Xue from Tencent reported a bug. This flaw was fixed in the Accessibility driver in version v4.14-rc3.
Announced on January 29, 2019, this flaw allows a local user to access files outside of their permissions by sending an I/O request with an invalid path parameter. It is in drivers/char/agp/via-agp.c and drivers/video/fbdev/via_fbdev_video.c of the Linux kernel. The reason is incorrect assumption - bigben devices all have inputs. However, malicious devices can break this assumption, leaking to out-of-bound write.
In the kernel many different kinds of input devices exist. For example, keyboards, mice, touchscreens, gamepads, digital cameras, microphones, and more. But lots of other devices exist too - for example network interfaces and storage devices - anything that has a device interface and can be plugged in to the computer can be an input device. As such input devices can be placed on a list of devices that the Linux kernel will check for any input activity. A remote attacker could use an input device to issue out-of-bounds memory access to an arbitrary location of the kernel which could lead to remote code execution

Vulnerability details

The vulnerability is triggered by a remote attacker with the privilege of the GPU device. The attacker needs to trick the victim into loading a malicious USB controller driver, which would usually be unnecessary to do given that drivers are signed and verified to verify their integrity. It should also be noted that this vulnerability has been fixed in 4.14-rc4, so it is no longer exploitable.

References: https://blog.tencent.com/2019/01/28/hidden-flaw-in-Linux-kernel-leaves-system-open-to-attacks

Vulnerable code execution

The vulnerability does not provide a concrete exploitation scenario, but it is possible for a remote attacker to crash the system or escalate their privileges on the system.
The bug was found by Ying Xue from Tencent.

Timeline

Published on: 10/20/2022 17:15:00 UTC
Last modified on: 10/24/2022 13:18:00 UTC

References

• https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=945a9a8e448b65bec055d37eba58f711b39f66f0
• https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=fc4ef9d5724973193bfa5ebed181dba6de3a56db
• https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git/commit/?h=char-misc-next&id=9d64d2405f7d30d49818f6682acd0392348f0fdb
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3577