{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-36895", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-05-30T15:25:07.066Z", "datePublished": "2024-05-30T15:29:00.265Z", "dateUpdated": "2024-11-05T09:27:39.411Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-11-05T09:27:39.411Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: uvc: use correct buffer size when parsing configfs lists\n\nThis commit fixes uvc gadget support on 32-bit platforms.\n\nCommit 0df28607c5cb (\"usb: gadget: uvc: Generalise helper functions for\nreuse\") introduced a helper function __uvcg_iter_item_entries() to aid\nwith parsing lists of items on configfs attributes stores. This function\nis a generalization of another very similar function, which used a\nstack-allocated temporary buffer of fixed size for each item in the list\nand used the sizeof() operator to check for potential buffer overruns.\nThe new function was changed to allocate the now variably sized temp\nbuffer on heap, but wasn't properly updated to also check for max buffer\nsize using the computed size instead of sizeof() operator.\n\nAs a result, the maximum item size was 7 (plus null terminator) on\n64-bit platforms, and 3 on 32-bit ones. While 7 is accidentally just\nbarely enough, 3 is definitely too small for some of UVC configfs\nattributes. For example, dwFrameInteval, specified in 100ns units,\nusually has 6-digit item values, e.g. 166666 for 60fps."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/usb/gadget/function/uvc_configfs.c"], "versions": [{"version": "0df28607c5cb", "lessThan": "7a54e5052bde", "status": "affected", "versionType": "git"}, {"version": "0df28607c5cb", "lessThan": "a422089ce42c", "status": "affected", "versionType": "git"}, {"version": "0df28607c5cb", "lessThan": "650ae71c8074", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/usb/gadget/function/uvc_configfs.c"], "versions": [{"version": "6.3", "status": "affected"}, {"version": "0", "lessThan": "6.3", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.31", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.8.10", "lessThanOrEqual": "6.8.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.9", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "references": [{"url": "https://git.kernel.org/stable/c/7a54e5052bde582fd0e7677334fe7a5be92e242c"}, {"url": "https://git.kernel.org/stable/c/a422089ce42ced73713e5032aad29a9a7cbe9528"}, {"url": "https://git.kernel.org/stable/c/650ae71c80749fc7cb8858c8049f532eaec64410"}], "title": "usb: gadget: uvc: use correct buffer size when parsing configfs lists", "x_generator": {"engine": "bippy-9e1c9544281a"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-06-06T17:55:25.494467Z", "id": "CVE-2024-36895", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-06T17:55:31.171Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T03:43:49.849Z"}, "title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/7a54e5052bde582fd0e7677334fe7a5be92e242c", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/a422089ce42ced73713e5032aad29a9a7cbe9528", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/650ae71c80749fc7cb8858c8049f532eaec64410", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/7a54e5052bde582fd0e7677334fe7a5be92e242c", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/a422089ce42ced73713e5032aad29a9a7cbe9528", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/650ae71c80749fc7cb8858c8049f532eaec64410", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T03:43:49.849Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-36895", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-06-06T17:55:25.494467Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-06T17:55:27.663Z"}}], "cna": {"title": "usb: gadget: uvc: use correct buffer size when parsing configfs lists", "affected": [{"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "0df28607c5cb", "lessThan": "7a54e5052bde", "versionType": "git"}, {"status": "affected", "version": "0df28607c5cb", "lessThan": "a422089ce42c", "versionType": "git"}, {"status": "affected", "version": "0df28607c5cb", "lessThan": "650ae71c8074", "versionType": "git"}], "programFiles": ["drivers/usb/gadget/function/uvc_configfs.c"], "defaultStatus": "unaffected"}, {"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "6.3"}, {"status": "unaffected", "version": "0", "lessThan": "6.3", "versionType": "semver"}, {"status": "unaffected", "version": "6.6.31", "versionType": "semver", "lessThanOrEqual": "6.6.*"}, {"status": "unaffected", "version": "6.8.10", "versionType": "semver", "lessThanOrEqual": "6.8.*"}, {"status": "unaffected", "version": "6.9", "versionType": "original_commit_for_fix", "lessThanOrEqual": "*"}], "programFiles": ["drivers/usb/gadget/function/uvc_configfs.c"], "defaultStatus": "affected"}], "references": [{"url": "https://git.kernel.org/stable/c/7a54e5052bde582fd0e7677334fe7a5be92e242c"}, {"url": "https://git.kernel.org/stable/c/a422089ce42ced73713e5032aad29a9a7cbe9528"}, {"url": "https://git.kernel.org/stable/c/650ae71c80749fc7cb8858c8049f532eaec64410"}], "x_generator": {"engine": "bippy-9e1c9544281a"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: uvc: use correct buffer size when parsing configfs lists\n\nThis commit fixes uvc gadget support on 32-bit platforms.\n\nCommit 0df28607c5cb (\"usb: gadget: uvc: Generalise helper functions for\nreuse\") introduced a helper function __uvcg_iter_item_entries() to aid\nwith parsing lists of items on configfs attributes stores. This function\nis a generalization of another very similar function, which used a\nstack-allocated temporary buffer of fixed size for each item in the list\nand used the sizeof() operator to check for potential buffer overruns.\nThe new function was changed to allocate the now variably sized temp\nbuffer on heap, but wasn't properly updated to also check for max buffer\nsize using the computed size instead of sizeof() operator.\n\nAs a result, the maximum item size was 7 (plus null terminator) on\n64-bit platforms, and 3 on 32-bit ones. While 7 is accidentally just\nbarely enough, 3 is definitely too small for some of UVC configfs\nattributes. For example, dwFrameInteval, specified in 100ns units,\nusually has 6-digit item values, e.g. 166666 for 60fps."}], "providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-11-05T09:27:39.411Z"}}}, "cveMetadata": {"cveId": "CVE-2024-36895", "state": "PUBLISHED", "dateUpdated": "2024-11-05T09:27:39.411Z", "dateReserved": "2024-05-30T15:25:07.066Z", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "datePublished": "2024-05-30T15:29:00.265Z", "assignerShortName": "Linux"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: uvc: use correct buffer size when parsing configfs lists\n\nThis commit fixes uvc gadget support on 32-bit platforms.\n\nCommit 0df28607c5cb (\"usb: gadget: uvc: Generalise helper functions for\nreuse\") introduced a helper function __uvcg_iter_item_entries() to aid\nwith parsing lists of items on configfs attributes stores. This function\nis a generalization of another very similar function, which used a\nstack-allocated temporary buffer of fixed size for each item in the list\nand used the sizeof() operator to check for potential buffer overruns.\nThe new function was changed to allocate the now variably sized temp\nbuffer on heap, but wasn't properly updated to also check for max buffer\nsize using the computed size instead of sizeof() operator.\n\nAs a result, the maximum item size was 7 (plus null terminator) on\n64-bit platforms, and 3 on 32-bit ones. While 7 is accidentally just\nbarely enough, 3 is definitely too small for some of UVC configfs\nattributes. For example, dwFrameInteval, specified in 100ns units,\nusually has 6-digit item values, e.g. 166666 for 60fps."}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: usb: gadget: uvc: use el tama\u00f1o de b\u00fafer correcto al analizar listas de configfs. Este commit corrige la compatibilidad con gadgets uvc en plataformas de 32 bits. El commit 0df28607c5cb (\"usb: gadget: uvc: Generalizar funciones auxiliares para su reutilizaci\u00f3n\") introdujo una funci\u00f3n auxiliar __uvcg_iter_item_entries() para ayudar con el an\u00e1lisis de listas de elementos en las tiendas de atributos de configfs. Esta funci\u00f3n es una generalizaci\u00f3n de otra funci\u00f3n muy similar, que utilizaba un b\u00fafer temporal de tama\u00f1o fijo asignado por la pila para cada elemento de la lista y utilizaba el operador sizeof() para comprobar posibles desbordamientos del b\u00fafer. La nueva funci\u00f3n se cambi\u00f3 para asignar el b\u00fafer temporal ahora de tama\u00f1o variable en el mont\u00f3n, pero no se actualiz\u00f3 correctamente para verificar tambi\u00e9n el tama\u00f1o m\u00e1ximo del b\u00fafer usando el tama\u00f1o calculado en lugar del operador sizeof(). Como resultado, el tama\u00f1o m\u00e1ximo de elemento fue 7 (m\u00e1s terminador nulo) en plataformas de 64 bits y 3 en plataformas de 32 bits. Si bien 7 accidentalmente es apenas suficiente, 3 es definitivamente demasiado peque\u00f1o para algunos de los atributos de configuraci\u00f3n de UVC. Por ejemplo, dwFrameInteval, especificado en unidades de 100 ns, normalmente tiene valores de elementos de 6 d\u00edgitos, por ejemplo, 166666 para 60 fps."}], "id": "CVE-2024-36895", "lastModified": "2024-05-30T18:18:58.870", "metrics": {}, "published": "2024-05-30T16:15:12.937", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/650ae71c80749fc7cb8858c8049f532eaec64410"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/7a54e5052bde582fd0e7677334fe7a5be92e242c"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/a422089ce42ced73713e5032aad29a9a7cbe9528"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: usb: gadget: uvc: use correct buffer size when parsing configfs lists", "id": "2284558", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2284558"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.4", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-20", "details": ["In the Linux kernel, the following vulnerability has been resolved:\nusb: gadget: uvc: use correct buffer size when parsing configfs lists\nThis commit fixes uvc gadget support on 32-bit platforms.\nCommit 0df28607c5cb (\"usb: gadget: uvc: Generalise helper functions for\nreuse\") introduced a helper function __uvcg_iter_item_entries() to aid\nwith parsing lists of items on configfs attributes stores. This function\nis a generalization of another very similar function, which used a\nstack-allocated temporary buffer of fixed size for each item in the list\nand used the sizeof() operator to check for potential buffer overruns.\nThe new function was changed to allocate the now variably sized temp\nbuffer on heap, but wasn't properly updated to also check for max buffer\nsize using the computed size instead of sizeof() operator.\nAs a result, the maximum item size was 7 (plus null terminator) on\n64-bit platforms, and 3 on 32-bit ones. While 7 is accidentally just\nbarely enough, 3 is definitely too small for some of UVC configfs\nattributes. For example, dwFrameInteval, specified in 100ns units,\nusually has 6-digit item values, e.g. 166666 for 60fps."], "name": "CVE-2024-36895", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-05-30T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-36895\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-36895\nhttps://lore.kernel.org/linux-cve-announce/2024053034-CVE-2024-36895-c67c@gregkh/T"], "threat_severity": "Low", "upstream_fix": "kernel 6.6.31, kernel 6.8.10, kernel 6.9"}