In xhcivendorget_ops of xhci.c, there is a possible out of bounds read due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
{ "vanir_signatures": [ { "digest": { "threshold": 0.9, "line_hashes": [ "296006135374153502650136789747179702256", "217159512600921346983341948625994838417", "160429453232037323526628748569608099908", "193600732335296680043124891759648905246" ] }, "id": "ASB-A-194461020-3200f983", "source": "https://android.googlesource.com/kernel/common/+/df1995aede8e5b13a5ba4d36b48ed88d5bb84497", "deprecated": false, "signature_version": "v1", "target": { "file": "drivers/usb/host/xhci-plat.h" }, "signature_type": "Line" }, { "digest": { "threshold": 0.9, "line_hashes": [ "65428680134164326322057546870296949292", "303072306054238883595727577573025816055", "42220646100694777520453847116425822962", "216533713427359301844167992195965822814", "25528724874335813220711041707630977473", "311336264386479869260568484405144833710", "81063368215418693213834082312190684106", "310546719597199516598815494422007457600", "310559344884385429607470262976318504137", "68419760345811645183698697123721005670", "53073571646637977252105000344701892913", "318754442047635110851922473336600156465", "212087509126505534103086525065600928125", "236368536978864450422384657808192069627" ] }, "id": "ASB-A-194461020-5a444965", "source": "https://android.googlesource.com/kernel/common/+/df1995aede8e5b13a5ba4d36b48ed88d5bb84497", "deprecated": false, "signature_version": "v1", "target": { "file": "drivers/usb/host/xhci-plat.c" }, "signature_type": "Line" }, { "digest": { "threshold": 0.9, "line_hashes": [ "210885545745472116702241275745999693296", "283252374392363481500010020423446567932", "331460533588962771893617228252886273781", "233532721724632329357361701797015958329", "192091473560401473509916039596264421613", "161288891347695359775749957266605571333", "306893186768999960432735404132730239828", "243756039758233042387197629917671581081" ] }, "id": "ASB-A-194461020-7cd0fc52", "source": "https://android.googlesource.com/kernel/common/+/df1995aede8e5b13a5ba4d36b48ed88d5bb84497", "deprecated": false, "signature_version": "v1", "target": { "file": "drivers/usb/host/xhci.c" }, "signature_type": "Line" }, { "digest": { "length": 80.0, "function_hash": "182743551188546463145931240395122396814" }, "id": "ASB-A-194461020-b8505d5f", "source": "https://android.googlesource.com/kernel/common/+/df1995aede8e5b13a5ba4d36b48ed88d5bb84497", "deprecated": false, "signature_version": "v1", "target": { "file": "drivers/usb/host/xhci.c", "function": "xhci_vendor_get_ops" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "187221316143190153406769378538013512897", "20531172323687606511459870440641556444", "1803244950909914522965904337999221500" ] }, "id": "ASB-A-194461020-bd7699bc", "source": "https://android.googlesource.com/kernel/common/+/df1995aede8e5b13a5ba4d36b48ed88d5bb84497", "deprecated": true, "signature_version": "v1", "target": { "file": "drivers/usb/host/xhci.h" }, "signature_type": "Line" }, { "digest": { "length": 210.0, "function_hash": "147159070459491619183761293798301087003" }, "id": "ASB-A-194461020-d221f6b4", "source": "https://android.googlesource.com/kernel/common/+/df1995aede8e5b13a5ba4d36b48ed88d5bb84497", "deprecated": false, "signature_version": "v1", "target": { "file": "drivers/usb/host/xhci-plat.c", "function": "xhci_vendor_cleanup" }, "signature_type": "Function" }, { "digest": { "length": 310.0, "function_hash": "241179395579510555574072957083271476109" }, "id": "ASB-A-194461020-dc933947", "source": "https://android.googlesource.com/kernel/common/+/df1995aede8e5b13a5ba4d36b48ed88d5bb84497", "deprecated": false, "signature_version": "v1", "target": { "file": "drivers/usb/host/xhci-plat.c", "function": "xhci_vendor_init" }, "signature_type": "Function" } ], "fixes": [ "https://android.googlesource.com/kernel/common/+/df1995aede8e5b13a5ba4d36b48ed88d5bb84497" ], "spl": "2021-11-05", "severity": "High", "types": [ "EoP" ] }