CVE-2022-48805

Severity CVSS v4.0: Pending analysis
Type: CWE-125 Out-of-bounds Read
Publication date: 16/07/2024
Last modified: 06/03/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

net: usb: ax88179_178a: Fix out-of-bounds accesses in RX fixup

ax88179_rx_fixup() contains several out-of-bounds accesses that can be triggered by a malicious (or defective) USB device, in particular:

- The metadata array (hdr_off..hdr_off+2*pkt_cnt) can be out of bounds, causing OOB reads and (on big-endian systems) OOB endianness flips.
- A packet can overlap the metadata array, causing a later OOB endianness flip to corrupt data used by a cloned SKB that has already been handed off into the network stack.
- A packet SKB can be constructed whose tail is far beyond its end, causing out-of-bounds heap data to be considered part of the SKB's data.

I have tested that this can be used by a malicious USB device to send a bogus ICMPv6 Echo Request and receive an ICMPv6 Echo Reply in response that contains random kernel heap data.
It's probably also possible to get OOB writes from this on a little-endian system somehow - maybe by triggering skb_cow() via IP options processing -, but I haven't tested that.
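The three conditions listed above map to three bounds checks on device-supplied fields. The following is an added example, not the kernel's fix or driver code: `rx_validate`, the trailer layout and the sample buffers are constructed for illustration and do not reproduce the ax88179 wire format.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Read a little-endian u16 into a local; the buffer itself is never modified. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/*
 * Constructed layout (an assumption, not the ax88179 wire format):
 *   [packets][metadata: pkt_cnt x u16 length][trailer: u16 pkt_cnt, u16 hdr_off]
 * Returns the number of packets accepted, or -1 if the buffer is malformed.
 */
int rx_validate(const uint8_t *buf, size_t len)
{
    if (len < 4)
        return -1;
    size_t trailer = len - 4;
    size_t pkt_cnt = rd16(buf + trailer);
    size_t hdr_off = rd16(buf + trailer + 2);

    /* Metadata array hdr_off..hdr_off+2*pkt_cnt must end before the trailer. */
    if (hdr_off > trailer || 2 * pkt_cnt > trailer - hdr_off)
        return -1;

    size_t off = 0;
    for (size_t i = 0; i < pkt_cnt; i++) {
        size_t pkt_len = rd16(buf + hdr_off + 2 * i);
        /* A packet must end at or before hdr_off: no overlap, no tail past the data. */
        if (pkt_len == 0 || pkt_len > hdr_off - off)
            return -1;
        off += pkt_len;
    }
    return (int)pkt_cnt;
}

/* Constructed sample transfers: 5 payload bytes, 2 length entries, 4-byte trailer. */
const uint8_t sample_ok[]       = {'A','A','A','B','B', 3,0, 2,0, 2,0,    5,0};
const uint8_t sample_meta_oob[] = {'A','A','A','B','B', 3,0, 2,0, 0,0x40, 5,0};       /* pkt_cnt too large */
const uint8_t sample_overlap[]  = {'A','A','A','B','B', 3,0, 4,0, 2,0,    5,0};       /* 2nd packet hits metadata */
const uint8_t sample_far_hdr[]  = {'A','A','A','B','B', 3,0, 2,0, 2,0,    0xff,0xff}; /* hdr_off past buffer */

int main(void)
{
    printf("%d %d %d %d\n", rx_validate(sample_ok, sizeof sample_ok),
           rx_validate(sample_meta_oob, sizeof sample_meta_oob),
           rx_validate(sample_overlap, sizeof sample_overlap),
           rx_validate(sample_far_hdr, sizeof sample_far_hdr));
    return 0;
}
```

The length comparisons are written as subtractions from already-validated values (`trailer - hdr_off`, `hdr_off - off`) so that a large device-supplied field cannot wrap the arithmetic.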

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 3.9 (including) 4.9.303 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 4.10 (including) 4.14.268 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 4.15 (including) 4.19.231 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 4.20 (including) 5.4.180 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.5 (including) 5.10.101 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.11 (including) 5.15.24 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.16 (including) 5.16.10 (excluding)
cpe:2.3:o:linux:linux_kernel:5.17:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.17:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.17:rc3:*:*:*:*:*:*