PT-2022-20043 · Unknown · Usbcoredxe

Published: 2022-11-15 · Updated: 2022-11-23 · CVE-2022-30283

CVSS v3.1: 7.5 High

Vector: AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

UsbCoreDxe versions prior to Kernel 5.0: Version 05.09.21

UsbCoreDxe versions prior to Kernel 5.1: Version 05.17.21

UsbCoreDxe versions prior to Kernel 5.2: Version 05.27.21

UsbCoreDxe versions prior to Kernel 5.3: Version 05.36.21

UsbCoreDxe versions prior to Kernel 5.4: Version 05.44.21

UsbCoreDxe versions prior to Kernel 5.5: Version 05.52.21

Description

The issue arises from tampering with the contents of the USB working buffer using DMA while certain USB transactions are in process, leading to a Time-of-Check-to-Time-of-Use (TOCTOU) problem. This could be exploited by an attacker to cause System Management RAM (SMRAM) corruption and escalation of privileges.

The UsbCoreDxe module creates a working buffer for USB transactions outside of SMRAM, and the code that uses this buffer can be inside of System Management Mode (SMM), making the working buffer untrusted input. The buffer can be corrupted by Direct Memory Access (DMA) transfers. Although the SMM code attempts to sanitize pointers to ensure all pointers refer to the working buffer, when a pointer is not found in the list of pointers to sanitize, the current action is not aborted, leading to undefined behavior.

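The defensive pattern the description points to (read untrusted shared memory once into private memory, validate that copy, and abort when validation fails) is sketched below as an added example; it is not code from UsbCoreDxe or from this advisory. The names `usb_req_t`, `region_t`, `in_region` and `fetch_request` are hypothetical, and a simple range check stands in for the module's pointer list.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical layouts for illustration; not the UsbCoreDxe structures. */
typedef struct { uintptr_t data_ptr; uint32_t length; } usb_req_t;
typedef struct { uintptr_t base; size_t size; } region_t;

/* Return 1 only if [ptr, ptr + len) lies wholly inside the region. */
static int in_region(const region_t *r, uintptr_t ptr, size_t len)
{
    if (ptr < r->base)
        return 0;
    size_t off = ptr - r->base;
    return off <= r->size && len <= r->size - off;  /* no overflow */
}

/*
 * Read the request from the shared (DMA-writable) buffer exactly once into
 * handler-private memory, validate that private copy, and fail closed.
 * Returns 0 and fills *out on success; returns -1 and leaves *out untouched
 * if the pointer does not refer to the working buffer.
 */
int fetch_request(const volatile usb_req_t *shared, const region_t *work,
                  usb_req_t *out)
{
    usb_req_t local;
    local.data_ptr = shared->data_ptr;   /* single fetch of each field */
    local.length   = shared->length;
    if (!in_region(work, local.data_ptr, local.length))
        return -1;                       /* abort the action, do not continue */
    *out = local;                        /* callers use only the validated copy */
    return 0;
}

int main(void)
{
    static uint8_t buf[64];              /* constructed stand-in working buffer */
    region_t work = { (uintptr_t)buf, sizeof buf };
    usb_req_t shared = { (uintptr_t)buf + 16, 32 }, out = { 0, 0 };

    printf("in range:  %d\n", fetch_request(&shared, &work, &out));
    shared.data_ptr = 0;                 /* simulated DMA write after the check */
    printf("copy kept: %d\n", out.data_ptr == (uintptr_t)buf + 16);
    shared.length = 4;
    printf("rejected:  %d\n", fetch_request(&shared, &work, &out));
    return 0;
}
```
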
Recommendations

For versions prior to Kernel 5.0: Version 05.09.21, update to Kernel 5.0: Version 05.09.21 or later.

For versions prior to Kernel 5.1: Version 05.17.21, update to Kernel 5.1: Version 05.17.21 or later.

For versions prior to Kernel 5.2: Version 05.27.21, update to Kernel 5.2: Version 05.27.21 or later.

For versions prior to Kernel 5.3: Version 05.36.21, update to Kernel 5.3: Version 05.36.21 or later.

For versions prior to Kernel 5.4: Version 05.44.21, update to Kernel 5.4: Version 05.44.21 or later.

For versions prior to Kernel 5.5: Version 05.52.21, update to Kernel 5.5: Version 05.52.21 or later.

Fix

Time Of Check To Time Of Use

Weakness Enumeration

Related Identifiers

CVE-2022-30283

Affected Products

Usbcoredxe