CVE-2023-52886

Name of the Vulnerable Software and Affected Versions Linux kernel versions prior to 6.4.0-rc6-syzkaller-00195-g40f71e7cd3c6

Description A race condition exists between the read descriptors() and hub port init() functions in the Linux kernel's USB core. The read descriptors() function uses a field in udev->descriptor without expecting it to change, while the hub port init() function overwrites this field. This race condition was exposed after the removal of device locking from read descriptors(). The issue can be resolved by modifying hub port init() to take an additional argument specifying a buffer to store the device descriptor, thus eliminating the data race responsible for the out-of-bounds read.

Recommendations To resolve this issue, update the Linux kernel to a version that includes the fix for the race condition between read descriptors() and hub port init(). Specifically, ensure that the hub port init() function has been modified to take an additional argument for storing the device descriptor, thus preventing the overwriting of udev->descriptor and eliminating the data race.