CVE-2023-53761

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> USB: usbtmc: Fix direction for 0-length ioctl control messages<br /> <br /> The syzbot fuzzer found a problem in the usbtmc driver: When a user<br /> submits an ioctl for a 0-length control transfer, the driver does not<br /> check that the direction is set to OUT:<br /> <br /> ------------[ cut here ]------------<br /> usb 3-1: BOGUS control dir, pipe 80000b80 doesn&amp;#39;t match bRequestType fd<br /> WARNING: CPU: 0 PID: 5100 at drivers/usb/core/urb.c:411 usb_submit_urb+0x14a7/0x1880 drivers/usb/core/urb.c:411<br /> Modules linked in:<br /> CPU: 0 PID: 5100 Comm: syz-executor428 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0<br /> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023<br /> RIP: 0010:usb_submit_urb+0x14a7/0x1880 drivers/usb/core/urb.c:411<br /> Code: 7c 24 40 e8 1b 13 5c fb 48 8b 7c 24 40 e8 21 1d f0 fe 45 89 e8 44 89 f1 4c 89 e2 48 89 c6 48 c7 c7 e0 b5 fc 8a e8 19 c8 23 fb 0b e9 9f ee ff ff e8 ed 12 5c fb 0f b6 1d 12 8a 3c 08 31 ff 41<br /> RSP: 0018:ffffc90003d2fb00 EFLAGS: 00010282<br /> RAX: 0000000000000000 RBX: ffff8880789e9058 RCX: 0000000000000000<br /> RDX: ffff888029593b80 RSI: ffffffff814c1447 RDI: 0000000000000001<br /> RBP: ffff88801ea742f8 R08: 0000000000000001 R09: 0000000000000000<br /> R10: 0000000000000001 R11: 0000000000000001 R12: ffff88802915e528<br /> R13: 00000000000000fd R14: 0000000080000b80 R15: ffff8880222b3100<br /> FS: 0000555556ca63c0(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 00007f9ef4d18150 CR3: 0000000073e5b000 CR4: 00000000003506f0<br /> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000<br /> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400<br /> Call Trace:<br /> <br /> usb_start_wait_urb+0x101/0x4b0 drivers/usb/core/message.c:58<br /> usb_internal_control_msg drivers/usb/core/message.c:102 [inline]<br /> usb_control_msg+0x320/0x4a0 drivers/usb/core/message.c:153<br /> usbtmc_ioctl_request drivers/usb/class/usbtmc.c:1954 [inline]<br /> usbtmc_ioctl+0x1b3d/0x2840 drivers/usb/class/usbtmc.c:2097<br /> <br /> To fix this, we must override the direction in the bRequestType field<br /> of the control request structure when the length is 0.