ASB-A-216825460

Import Source
https://storage.googleapis.com/android-osv/ASB-A-216825460.json
JSON Data
https://api.osv.dev/v1/vulns/ASB-A-216825460
Aliases
  • A-216825460
  • CVE-2022-20227
Published
2022-07-01T00:00:00Z
Modified
2024-08-07T19:29:24.068524Z
Summary
The RNDIS USB gadget, which Android uses to provide USB tethering, may be exploited to dump kernel memory contents.
Details

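In the USB driver, there is a possible out-of-bounds read due to a heap buffer overflow. This could lead to local information disclosure, with User execution privileges needed. User interaction is not needed for exploitation. The signatures listed under "Ecosystem specific" target gadget code under drivers/usb/gadget: rndis_set_response in function/rndis.c, composite_setup in composite.c, dbgp_setup in legacy/dbgp.c and gadgetfs_setup in legacy/inode.c.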

References

Affected packages

Android / :linux_kernel:

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
:0
Fixed
:2022-07-05

Affected versions

Other

Kernel

Ecosystem specific

{
    "vanir_signatures": [
        {
            "digest": {
                "length": 3917.0,
                "function_hash": "51759867175630936810844205975104072139"
            },
            "id": "ASB-A-216825460-0c041093",
            "source": "https://android.googlesource.com/kernel/common/+/7193ad3e50e59",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "drivers/usb/gadget/legacy/inode.c",
                "truncated_path_level": 1.0,
                "function": "gadgetfs_setup"
            },
            "signature_type": "Function"
        },
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "220786696602669738420112968039916400508",
                    "58419054149626582732950653854970518386",
                    "58319612690254011723664119190774671516"
                ]
            },
            "id": "ASB-A-216825460-1e337065",
            "source": "https://android.googlesource.com/kernel/common/+/7193ad3e50e59",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "drivers/usb/gadget/legacy/dbgp.c",
                "truncated_path_level": 1.0
            },
            "signature_type": "Line"
        },
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "332656553028460648197238486507283164994",
                    "184822845197430248537449464647837682435",
                    "24535556639354158768388367629306163538"
                ]
            },
            "id": "ASB-A-216825460-2435716f",
            "source": "https://android.googlesource.com/kernel/common/+/7193ad3e50e59",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "drivers/usb/gadget/composite.c",
                "truncated_path_level": 1.0
            },
            "signature_type": "Line"
        },
        {
            "digest": {
                "length": 1417.0,
                "function_hash": "211557554950156766019146613511635348846"
            },
            "id": "ASB-A-216825460-332e6bf0",
            "source": "https://android.googlesource.com/kernel/common/+/7193ad3e50e59",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "drivers/usb/gadget/legacy/dbgp.c",
                "truncated_path_level": 1.0,
                "function": "dbgp_setup"
            },
            "signature_type": "Function"
        },
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "282852417431766263490676553128712597531",
                    "110705312730213592619630503319076438808",
                    "94219566278308689484813984906675955552",
                    "36491830421415711599610514669873140861",
                    "30790627971595482618317624871770110268",
                    "288531739672159843520527013539581497894",
                    "39603869017474101200293526634541239352",
                    "45180091331208902342353969121843865020",
                    "143434519509247879588825429509241155734"
                ]
            },
            "id": "ASB-A-216825460-3492eeb3",
            "source": "https://android.googlesource.com/kernel/common/+/fb4ff0f96de37",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "drivers/usb/gadget/function/rndis.c"
            },
            "signature_type": "Line"
        },
        {
            "digest": {
                "length": 8448.0,
                "function_hash": "5478919993484057482267054353714439302"
            },
            "id": "ASB-A-216825460-444ae947",
            "source": "https://android.googlesource.com/kernel/common/+/7193ad3e50e59",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "drivers/usb/gadget/composite.c",
                "truncated_path_level": 1.0,
                "function": "composite_setup"
            },
            "signature_type": "Function"
        },
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "294771366740492330844059928101261168882",
                    "329472988511519008266114862851615948738",
                    "230055354007917815238754878125146233726",
                    "241615109029172640209368064780730838459",
                    "64969316027898508467714672781279523538",
                    "30332420178214091468338430140846186405",
                    "255997175657941735343107809281305721211",
                    "128343364494571164832515145964696539800",
                    "192991251693947936407784405714326144362",
                    "63161658648569397665050629489358928343"
                ]
            },
            "id": "ASB-A-216825460-47e64c35",
            "source": "https://android.googlesource.com/kernel/common/+/7193ad3e50e59",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "drivers/usb/gadget/legacy/inode.c",
                "truncated_path_level": 1.0
            },
            "signature_type": "Line"
        },
        {
            "digest": {
                "length": 1018.0,
                "function_hash": "221946459094492974610708965816765957224"
            },
            "id": "ASB-A-216825460-cce2960c",
            "source": "https://android.googlesource.com/kernel/common/+/fb4ff0f96de37",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "drivers/usb/gadget/function/rndis.c",
                "function": "rndis_set_response"
            },
            "signature_type": "Function"
        }
    ],
    "fixes": [
        "https://android.googlesource.com/kernel/common/+/7193ad3e50e59",
        "https://android.googlesource.com/kernel/common/+/fb4ff0f96de37"
    ],
    "spl": "2022-07-05",
    "severity": "High",
    "types": [
        "ID"
    ]
}