In the Linux kernel, the following vulnerability has been resolved:
usb: typec: fix potential out of bounds in ucsi_ccg_update_set_new_cam_cmd()
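The "*cmd" variable can be controlled by the user via debugfs. That means "new_cam" can be as high as 255 while the size of the uc->updated[] array is UCSI_MAX_ALTMODES (30), so using it as an index into that array without a bounds check can access memory past the end of the array.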
The call tree is:
ucsi_cmd() // val comes from simple_attr_write_xsigned()
-> ucsi_send_command()
-> ucsi_send_command_common()
-> ucsi_run_command() // calls ucsi->ops->sync_control()
-> ucsi_ccg_sync_control()
[
{
"id": "CVE-2024-50268-0ca7888b",
"signature_type": "Function",
"digest": {
"length": 940.0,
"function_hash": "116264216018087833682069384774698832533"
},
"signature_version": "v1",
"target": {
"function": "ucsi_ccg_update_set_new_cam_cmd",
"file": "drivers/usb/typec/ucsi/ucsi_ccg.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@604314ecd682913925980dc955caea2d036eab5f",
"deprecated": false
},
{
"id": "CVE-2024-50268-1d8b9ffd",
"signature_type": "Line",
"digest": {
"line_hashes": [
"103500278543648343711814351094785708517",
"243452696701204873562703404328037438211",
"239133322559784470704685750494899845614",
"225122923935846238388999914273565104591"
],
"threshold": 0.9
},
"signature_version": "v1",
"target": {
"file": "drivers/usb/typec/ucsi/ucsi_ccg.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@8f47984b35f3be0cfc652c2ca358d5768ea3456b",
"deprecated": false
},
{
"id": "CVE-2024-50268-20c69421",
"signature_type": "Line",
"digest": {
"line_hashes": [
"103500278543648343711814351094785708517",
"243452696701204873562703404328037438211",
"239133322559784470704685750494899845614",
"225122923935846238388999914273565104591"
],
"threshold": 0.9
},
"signature_version": "v1",
"target": {
"file": "drivers/usb/typec/ucsi/ucsi_ccg.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@7dd08a0b4193087976db6b3ee7807de7e8316f96",
"deprecated": false
},
{
"id": "CVE-2024-50268-28b63706",
"signature_type": "Function",
"digest": {
"length": 940.0,
"function_hash": "116264216018087833682069384774698832533"
},
"signature_version": "v1",
"target": {
"function": "ucsi_ccg_update_set_new_cam_cmd",
"file": "drivers/usb/typec/ucsi/ucsi_ccg.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@3a2ba841659a0f15102585120dea75d8d5209616",
"deprecated": false
},
{
"id": "CVE-2024-50268-661600e4",
"signature_type": "Function",
"digest": {
"length": 940.0,
"function_hash": "116264216018087833682069384774698832533"
},
"signature_version": "v1",
"target": {
"function": "ucsi_ccg_update_set_new_cam_cmd",
"file": "drivers/usb/typec/ucsi/ucsi_ccg.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@7dd08a0b4193087976db6b3ee7807de7e8316f96",
"deprecated": false
},
{
"id": "CVE-2024-50268-66732f94",
"signature_type": "Line",
"digest": {
"line_hashes": [
"103500278543648343711814351094785708517",
"243452696701204873562703404328037438211",
"239133322559784470704685750494899845614",
"225122923935846238388999914273565104591"
],
"threshold": 0.9
},
"signature_version": "v1",
"target": {
"file": "drivers/usb/typec/ucsi/ucsi_ccg.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@3a2ba841659a0f15102585120dea75d8d5209616",
"deprecated": false
},
{
"id": "CVE-2024-50268-683e4953",
"signature_type": "Function",
"digest": {
"length": 940.0,
"function_hash": "116264216018087833682069384774698832533"
},
"signature_version": "v1",
"target": {
"function": "ucsi_ccg_update_set_new_cam_cmd",
"file": "drivers/usb/typec/ucsi/ucsi_ccg.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@d76923164705821aa1b01b8d9d1741f20c654ab4",
"deprecated": false
},
{
"id": "CVE-2024-50268-6d0a5023",
"signature_type": "Line",
"digest": {
"line_hashes": [
"103500278543648343711814351094785708517",
"243452696701204873562703404328037438211",
"239133322559784470704685750494899845614",
"225122923935846238388999914273565104591"
],
"threshold": 0.9
},
"signature_version": "v1",
"target": {
"file": "drivers/usb/typec/ucsi/ucsi_ccg.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@d76923164705821aa1b01b8d9d1741f20c654ab4",
"deprecated": false
},
{
"id": "CVE-2024-50268-df99411e",
"signature_type": "Function",
"digest": {
"length": 940.0,
"function_hash": "116264216018087833682069384774698832533"
},
"signature_version": "v1",
"target": {
"function": "ucsi_ccg_update_set_new_cam_cmd",
"file": "drivers/usb/typec/ucsi/ucsi_ccg.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@69e19774f15e12dda6c6c58001d059e30895009b",
"deprecated": false
},
{
"id": "CVE-2024-50268-e0ec4759",
"signature_type": "Line",
"digest": {
"line_hashes": [
"103500278543648343711814351094785708517",
"243452696701204873562703404328037438211",
"239133322559784470704685750494899845614",
"225122923935846238388999914273565104591"
],
"threshold": 0.9
},
"signature_version": "v1",
"target": {
"file": "drivers/usb/typec/ucsi/ucsi_ccg.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@604314ecd682913925980dc955caea2d036eab5f",
"deprecated": false
},
{
"id": "CVE-2024-50268-eac99168",
"signature_type": "Function",
"digest": {
"length": 940.0,
"function_hash": "116264216018087833682069384774698832533"
},
"signature_version": "v1",
"target": {
"function": "ucsi_ccg_update_set_new_cam_cmd",
"file": "drivers/usb/typec/ucsi/ucsi_ccg.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@8f47984b35f3be0cfc652c2ca358d5768ea3456b",
"deprecated": false
},
{
"id": "CVE-2024-50268-eee0afa4",
"signature_type": "Line",
"digest": {
"line_hashes": [
"103500278543648343711814351094785708517",
"243452696701204873562703404328037438211",
"239133322559784470704685750494899845614",
"225122923935846238388999914273565104591"
],
"threshold": 0.9
},
"signature_version": "v1",
"target": {
"file": "drivers/usb/typec/ucsi/ucsi_ccg.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@69e19774f15e12dda6c6c58001d059e30895009b",
"deprecated": false
}
]