skip to content
Back to GitHub.com
Home Bounties Research Advisories Get Involved Events
December 9, 2022

GHSL-2022-130: Out-of-bounds (OOB) read in openrazer - CVE-2022-23467

Kevin Stubbings

Coordinated Disclosure Timeline

Summary

A malicious device can send a USB report to the openrazer razermouse driver, resulting in an out-of-bounds (OOB) read.

Product

openrazer

Tested Version

v3.5.0

Details

Issue: Out of bounds read in razer_attr_read_dpi_stages (GHSL-2022-130)

An attacker can read kernel addresses through a specially crafted device.
razer_send_payload calls usb_control_msg with HID_REQ_GET_REPORT in order to receive a USB report from the device. This device-controlled input is then used in a for loop to output DPI information to the daemon.
Choosing a value for response.data_size greater than 0x50 and a response.arguments[2] greater than 12 allows a user to leak the kernel address of dev_attr_show.

    response = razer_send_payload(device->usb_dev, &report);

    stages_count = response.arguments[2];

    buf[0] = response.arguments[1];

    count = 1;
    args = response.arguments + 4;
    for (i = 0; i < stages_count; i++) {
        // Check that we don't read past response.data_size
        if (args + 4 > response.arguments + response.data_size) {
            break;
        }

        memcpy(buf + count, args, 4);
        count += 4;
        args += 7;
    }

Impact

This vulnerability may allow an attacker to leak stack addresses, which may defeat KASLR protections.

POC

After plugging in a malicious device with the specified values, find your device under /sys/bus/hid/devices. Reading from the dpi_stages attribute will leak the kernel address because the current user is part of the plugdev group.

CVE

Credit

This issue was discovered and reported by GHSL team member @Kwstubbs (Kevin Stubbings).

Contact

You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2022-130 in any communication regarding this issue.