Description
In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_phonet: fix skb frags[] overflow in pn_rx_complete() A broken/bored/mean USB host can overflow the skb_shared_info->frags[] array on a Linux gadget exposing a Phonet function by sending an unbounded sequence of full-page OUT transfers. pn_rx_complete() finalizes the skb only when req->actual < req->length, where req->length is set to PAGE_SIZE by the gadget. If the host always sends exactly PAGE_SIZE bytes per transfer, fp->rx.skb will never be reset and each completion will add another fragment via skb_add_rx_frag(). Once nr_frags exceeds MAX_SKB_FRAGS (default 17), subsequent frag stores overwrite memory adjacent to the shinfo on the heap. Drop the skb and account a length error when the frag limit is reached, matching the fix applied in t7xx by commit f0813bcd2d9d ("net: wwan: t7xx: fix potential skb->frags overflow in RX path").
Product status
b91cd1440870f7a0649e570498b7b93caf9f781c (git) before 9ceff1251904901b0b4e5fe6350fcaffa368ce83
b91cd1440870f7a0649e570498b7b93caf9f781c (git) before c9315ce9da3632c591666a29de82d3e92d46bec1
b91cd1440870f7a0649e570498b7b93caf9f781c (git) before 4e476c25bfcab0535ba7c76a903ae77ca8747711
b91cd1440870f7a0649e570498b7b93caf9f781c (git) before bd44ce09b9b569f49ed13e2d87d23d853fc7d6a7
b91cd1440870f7a0649e570498b7b93caf9f781c (git) before 66f7471c4042e4eb300e30b5b9d87d1406862673
b91cd1440870f7a0649e570498b7b93caf9f781c (git) before c088d5dd2fffb4de1fb8e7f57751c8b82942180a
2.6.32
Any version before 2.6.32
6.6.136 (semver)
6.12.83 (semver)
6.18.24 (semver)
6.19.14 (semver)
7.0.1 (semver)
7.1-rc1 (original_commit_for_fix)
References
git.kernel.org/...c/9ceff1251904901b0b4e5fe6350fcaffa368ce83
git.kernel.org/...c/c9315ce9da3632c591666a29de82d3e92d46bec1
git.kernel.org/...c/4e476c25bfcab0535ba7c76a903ae77ca8747711
git.kernel.org/...c/bd44ce09b9b569f49ed13e2d87d23d853fc7d6a7
git.kernel.org/...c/66f7471c4042e4eb300e30b5b9d87d1406862673
git.kernel.org/...c/c088d5dd2fffb4de1fb8e7f57751c8b82942180a