PT-2021-7997 · Linux+3 · Linux Kernel+3

Published: 2021-05-05 · Updated: 2025-12-10

CVE-2021-46906

CVSS v3.1: 5.5 (Medium)

Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Linux kernel (affected versions not specified)

Description

The issue is in how hid_submit_ctrl() calculates the report length: the calculation does not account for the possibility of a zero-sized report. When a report of size 0 is processed, hid_submit_ctrl() calculates transfer_buffer_length as 16384, and passing that value to the USB core layer leaks 16384 bytes of information. KMSAN reports this when running the syzkaller reproducer. The estimated number of potentially affected devices worldwide is not available. There is no information about real-world incidents where this issue was exploited.

To fix this, hid_report_len() needs to be modified to account for the zero report size case by using DIV_ROUND_UP for the division, and then called from hid_submit_ctrl(). The hid_submit_ctrl() function is vulnerable because it calculates the report length incorrectly when report->size is zero; the resulting transfer_buffer_length is wrong, which leads to the information leak.
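
The arithmetic behind the zero-size case, as an added example that is not part of the original advisory and not kernel code. The pre-fix expression is written from memory of the upstream kernel source and is not quoted on this page; `struct report`, `len_before`, `len_after`, `transfer_len` and `MAX_BUF` are hypothetical names, and the padding step is a simplified user-space model of the IN-transfer sizing.

```c
#include <stdint.h>
#include <stdio.h>

/* Same rounding as the kernel's DIV_ROUND_UP macro. */
#define DIV_ROUND_UP(n, d) (((n) + (d) - 1) / (d))

/* Assumption: buffer upper bound, matching the 16384 quoted in the description. */
#define MAX_BUF 16384u

/* Hypothetical stand-in for the two struct hid_report fields involved. */
struct report { uint32_t size; /* report size in bits */ uint32_t id; };

/* Pre-fix arithmetic (assumed): size - 1 wraps to 0xFFFFFFFF when size == 0. */
static uint32_t len_before(const struct report *r)
{
    return ((r->size - 1) >> 3) + 1 + (r->id > 0);
}

/* Post-fix arithmetic: DIV_ROUND_UP(0, 8) is 0, so an empty report stays empty. */
static uint32_t len_after(const struct report *r)
{
    return DIV_ROUND_UP(r->size, 8) + (r->id > 0);
}

/* Simplified sizing: pad to a multiple of maxpacket, then clamp to the buffer. */
static uint32_t transfer_len(uint32_t len, uint32_t maxpacket)
{
    uint32_t padlen;

    if (maxpacket == 0)
        return 0;
    padlen = DIV_ROUND_UP(len, maxpacket) * maxpacket;
    return padlen > MAX_BUF ? MAX_BUF : padlen;
}

int main(void)
{
    /* Constructed sample sizes in bits; 0 is the case KMSAN flagged. */
    const uint32_t sizes[] = { 0, 1, 8, 9, 64 };

    for (size_t i = 0; i < sizeof(sizes) / sizeof(sizes[0]); i++) {
        struct report r = { sizes[i], 0 };
        printf("size=%2u bits  before: len=%u xfer=%u  after: len=%u xfer=%u\n",
               (unsigned)r.size,
               (unsigned)len_before(&r), (unsigned)transfer_len(len_before(&r), 8),
               (unsigned)len_after(&r), (unsigned)transfer_len(len_after(&r), 8));
    }
    return 0;
}
```

For every non-zero size the two formulas agree, which is why the defect only appears with an empty report.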

Recommendations

To resolve the issue, modify hid_report_len() to account for the zero report size case by using DIV_ROUND_UP for the division. Then, call hid_report_len() from hid_submit_ctrl(). As a temporary workaround, consider restricting the use of the hid_submit_ctrl() function until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Information Disclosure

Exposure of Resource to Wrong Sphere

Weakness Enumeration

Related Identifiers

BDU:2024-01692
CVE-2021-46906
OESA-2024-1345
OESA-2024-1346
OPENSUSE-SU-2024_0857-1
SUSE-SU-2024:0856-1
SUSE-SU-2024:0857-1
SUSE-SU-2024:0925-1
SUSE-SU-2024:0926-1
SUSE-SU-2024:0975-1
SUSE-SU-2024:0976-1
USN-6976-1

Affected Products

Astra Linux
Linux Kernel
Suse
Ubuntu