CVE-2022-49051

Severity CVSS v4.0:
Pending analysis
Type:
CWE-125 Out-of-bounds Read
Publication date:
26/02/2025
Last modified:
23/09/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

net: usb: aqc111: Fix out-of-bounds accesses in RX fixup

aqc111_rx_fixup() contains several out-of-bounds accesses that can be triggered by a malicious (or defective) USB device, in particular:

- The metadata array (desc_offset..desc_offset+2*pkt_count) can be out of bounds, causing OOB reads and (on big-endian systems) OOB endianness flips.
- A packet can overlap the metadata array, causing a later OOB endianness flip to corrupt data used by a cloned SKB that has already been handed off into the network stack.
- A packet SKB can be constructed whose tail is far beyond its end, causing out-of-bounds heap data to be considered part of the SKB's data.

Found doing variant analysis. Tested it with another driver (ax88179_178a), since I don't have a aqc111 device to test it, but the code looks very similar.
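The three conditions listed in the description map onto bounds checks that a receive path can run before handing any packet off. The following is an added example, not the kernel patch and not code from this advisory: the buffer layout (packets from offset 0, then 2-byte little-endian length entries at desc_offset), the function name rx_validate and the sample frames are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed model, NOT the aqc111 wire format: packets sit back to back
 * from offset 0, followed at desc_offset by pkt_count metadata entries,
 * each assumed to be a little-endian 16-bit packet length. */
#define DESC_ENTRY_SIZE 2u

enum { RX_OK = 0, RX_BAD_METADATA = -1, RX_PKT_OVERLAPS_METADATA = -2 };

/* Validate a device-supplied layout before any packet is handed off.
 * On RX_OK, *payload_bytes is the total size of the accepted packets. */
int rx_validate(const uint8_t *buf, size_t len, size_t desc_offset,
                size_t pkt_count, size_t *payload_bytes)
{
    size_t pkt_start = 0;

    /* Metadata array must lie inside the buffer. Dividing instead of
     * multiplying keeps a huge pkt_count from wrapping the check. */
    if (desc_offset > len ||
        pkt_count > (len - desc_offset) / DESC_ENTRY_SIZE)
        return RX_BAD_METADATA;

    for (size_t i = 0; i < pkt_count; i++) {
        /* Decode without modifying the buffer (no in-place byte swap). */
        const uint8_t *d = buf + desc_offset + i * DESC_ENTRY_SIZE;
        size_t pkt_len = (size_t)d[0] | ((size_t)d[1] << 8);

        /* A packet must end before the metadata array starts; because the
         * array is inside the buffer, this also bounds the packet's tail. */
        if (pkt_len > desc_offset - pkt_start)
            return RX_PKT_OVERLAPS_METADATA;
        pkt_start += pkt_len;
    }
    *payload_bytes = pkt_start;
    return RX_OK;
}

/* Constructed 16-byte frames: 12 payload bytes, then two length entries. */
static const uint8_t frame_ok[16]      = { [12] = 4, 0, 6, 0 };  /* 4 + 6 bytes */
static const uint8_t frame_overlap[16] = { [12] = 4, 0, 10, 0 }; /* 4 + 10 > 12 */

int main(void)
{
    size_t n = 0;
    return rx_validate(frame_ok, 16, 12, 2, &n) != RX_OK || n != 10 ||
           rx_validate(frame_overlap, 16, 12, 2, &n) != RX_PKT_OVERLAPS_METADATA;
}
```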

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.0 (including) 5.4.190 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.5 (including) 5.10.112 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.11 (including) 5.15.35 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.16 (including) 5.17.4 (excluding)
cpe:2.3:o:linux:linux_kernel:5.18:rc1:*:*:*:*:*:*