Coordinated Disclosure Timeline
- 2022-11-28: Sent out report to Luca Weiss
- 2022-12-01: Initial acknowledgment
- 2022-12-04: Advisory published to repo and patch committed
- 2022-12-05: CVE-2022-23467 assigned
Summary
A malicious device can send a USB report to the openrazer razermouse driver, resulting in an out-of-bounds (OOB) read.
Product
openrazer
Tested Version
Details
Issue: Out of bounds read in razer_attr_read_dpi_stages (GHSL-2022-130)
An attacker can read kernel addresses through a specially crafted device. razer_send_payload calls usb_control_msg with HID_REQ_GET_REPORT in order to receive a USB report from the device. This device-controlled input is then used in a for loop to output DPI information to the daemon. The only bound on that loop is response.data_size, which the device also controls and which is never compared against the size of response.arguments. Choosing a value for response.data_size greater than 0x50 and a response.arguments[2] greater than 12 allows a user to leak the kernel address of dev_attr_show.
    response = razer_send_payload(device->usb_dev, &report);
    stages_count = response.arguments[2];   // device-controlled
    buf[0] = response.arguments[1];
    count = 1;
    args = response.arguments + 4;
    for (i = 0; i < stages_count; i++) {
        // Check that we don't read past response.data_size
        // (response.data_size is device-controlled and can exceed sizeof(response.arguments))
        if (args + 4 > response.arguments + response.data_size) {
            break;
        }
        memcpy(buf + count, args, 4);
        count += 4;
        args += 7;
    }
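The loop above, as an added example that is not part of the advisory or of the openrazer code: a stand-alone C model of the stage walk with the bound taken from data_size exactly as the device sent it, beside a variant that first clamps data_size to sizeof(arguments). The struct report, walk_stages, crafted_report and the clamp are assumptions of this model, not openrazer's own definitions or its patch.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define RAZER_ARGS_LEN 0x50  /* the 0x50 threshold named in the advisory */
/* Simplified model of the device report: only the fields the bug involves
 * (assumption; the real struct razer_report carries more). */
struct report {
    uint8_t data_size;                  /* device-controlled */
    uint8_t arguments[RAZER_ARGS_LEN];  /* device-controlled */
};

/* copied: bytes written to the sysfs buffer; oob: bytes read past arguments[] */
struct walk_result { size_t copied, oob; };
/* Mirrors the loop in razer_attr_read_dpi_stages with offsets instead of
 * pointers. clamp=0 trusts response.data_size as sent; clamp=1 limits it to
 * sizeof(arguments) first (assumption: one fix, not necessarily the project's). */
static struct walk_result walk_stages(const struct report *r, int clamp)
{
    struct walk_result res = {1, 0};            /* buf[0] = arguments[1] */
    size_t bound = r->data_size;
    if (clamp && bound > sizeof(r->arguments))
        bound = sizeof(r->arguments);
    size_t stages = r->arguments[2], off = 4;   /* args = arguments + 4 */
    for (size_t i = 0; i < stages; i++) {
        if (off + 4 > bound)                    /* the original check */
            break;
        if (off + 4 > sizeof(r->arguments)) {   /* memcpy would leave the struct */
            size_t start = off > sizeof(r->arguments) ? off : sizeof(r->arguments);
            res.oob += off + 4 - start;
        }
        res.copied += 4;                        /* memcpy(buf + count, args, 4) */
        off += 7;                               /* next 7-byte stage record */
    }
    return res;
}
/* Constructed report meeting the advisory's conditions: data_size above 0x50
 * and a stage count above 12. The 0xAA filler is not real device data. */
static struct report crafted_report(void)
{
    struct report r;
    memset(&r, 0xAA, sizeof r);
    r.data_size = 0xFF;
    r.arguments[2] = 16;
    return r;
}
/* Unclamped: all 16 stages copied, 20 of those bytes from beyond arguments[].
 * Clamped: only the 11 stages that fit, nothing out of bounds. */
static size_t crafted_oob(int clamp)    { struct report r = crafted_report(); return walk_stages(&r, clamp).oob; }
static size_t crafted_copied(int clamp) { struct report r = crafted_report(); return walk_stages(&r, clamp).copied; }
```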
Impact
This vulnerability may allow an attacker to leak stack addresses, which may defeat KASLR protections.
POC
After plugging in a malicious device with the specified values, find your device under /sys/bus/hid/devices. Reading from the dpi_stages attribute will leak the kernel address because the current user is part of the plugdev group.
CVE
- CVE-2022-23467
Credit
This issue was discovered and reported by GHSL team member @Kwstubbs (Kevin Stubbings).
Contact
You can contact the GHSL team at securitylab@github.com; please include a reference to GHSL-2022-130 in any communication regarding this issue.