Zhuowei Zhang on Nostr: Here's what the Extigy bNumConfigurations issue (CVE-2024-53197) looks like on a ...
Here's what the Extigy bNumConfigurations issue (CVE-2024-53197) looks like on a kernel with KASAN:
https://gist.github.com/zhuowei/faf8581bf4b7d5576ae0d78be3524008
It crashes in `usb_destroy_configuration`, probably on `kfree(dev->rawdescriptors[i])`.
https://cs.android.com/android/kernel/superproject/+/common-android-mainline:common/drivers/usb/core/config.c;l=846;drc=28d96b7a925309a6a8024620d83a113f75a02b0d
The rawdescriptor array's length depends on the bNumConfigurations originally sent; the minimum is 1 element (8 bytes) and the max is 8 elements (8*8=64 bytes).
https://cs.android.com/android/kernel/superproject/+/common-android-mainline:common/drivers/usb/core/config.c;l=899;drc=28d96b7a925309a6a8024620d83a113f75a02b0d
I'm guessing you'd need to manipulate the kernel heap such that rawdescriptors is followed by an array containing addresses you want to free?
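The teardown pattern the post describes, as an added user-space model that is not the kernel's code and not part of the original post: the `rawdescriptors` array is sized from the `bNumConfigurations` seen at enumeration (clamped to 1..8 entries of one pointer each, as the post states), and teardown walks only the entries that were actually allocated rather than a descriptor count that may have changed since. Everything else here (`model_dev`, `model_alloc_rawdescriptors`, `model_count_mismatch`, `model_destroy`, the 16-byte stand-in descriptors, treating a count of 0 as invalid) is an assumption made for illustration.

```c
/* Added illustration, not kernel code: models sizing the rawdescriptors
 * array from bNumConfigurations and freeing it by the recorded allocation
 * count. Names and bookkeeping fields are assumptions for this example. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MODEL_MAXCONFIG 8   /* upper clamp from the post: at most 8 entries */

struct model_dev {
    uint8_t bNumConfigurations;     /* descriptor field; may be re-read later */
    unsigned nalloc;                /* entries actually allocated (added bookkeeping) */
    unsigned char **rawdescriptors; /* one pointer (8 bytes on 64-bit) per entry */
};

/* Entries to allocate for a given bNumConfigurations: clamp to 8 and treat
 * 0 as invalid, matching the post's minimum of 1 and maximum of 8. */
unsigned model_raw_count(uint8_t bnum)
{
    if (bnum < 1)
        return 0;
    if (bnum > MODEL_MAXCONFIG)
        return MODEL_MAXCONFIG;
    return bnum;
}

/* Allocate the array from the count seen at enumeration time and record
 * both the clamped count and the allocation length. Returns entries
 * allocated, 0 on invalid input or allocation failure. */
unsigned model_alloc_rawdescriptors(struct model_dev *dev, uint8_t bnum)
{
    unsigned n = model_raw_count(bnum);
    if (n == 0)
        return 0;
    dev->rawdescriptors = calloc(n, sizeof(*dev->rawdescriptors));
    if (!dev->rawdescriptors)
        return 0;
    for (unsigned i = 0; i < n; i++) {
        dev->rawdescriptors[i] = malloc(16);  /* stand-in for a raw config descriptor */
        if (!dev->rawdescriptors[i]) {
            while (i > 0)
                free(dev->rawdescriptors[--i]);
            free(dev->rawdescriptors);
            dev->rawdescriptors = NULL;
            return 0;
        }
    }
    dev->nalloc = n;
    dev->bNumConfigurations = (uint8_t)n;   /* store the clamped value */
    return n;
}

/* 1 if the descriptor count no longer matches the allocation length. A
 * teardown loop driven by bNumConfigurations in that state would read
 * pointers past the array, which is what a KASAN build reports. */
int model_count_mismatch(const struct model_dev *dev)
{
    return dev->bNumConfigurations != dev->nalloc;
}

/* Tear down using only the recorded allocation length. Returns the number
 * of entries freed. */
unsigned model_destroy(struct model_dev *dev)
{
    unsigned freed = 0;
    if (!dev->rawdescriptors)
        return 0;
    for (unsigned i = 0; i < dev->nalloc; i++, freed++)
        free(dev->rawdescriptors[i]);
    free(dev->rawdescriptors);
    dev->rawdescriptors = NULL;
    dev->nalloc = 0;
    return freed;
}

int main(void)
{
    struct model_dev d;
    memset(&d, 0, sizeof d);
    model_alloc_rawdescriptors(&d, 2);
    d.bNumConfigurations = 5;      /* constructed: count re-read as larger later */
    int bad = model_count_mismatch(&d);
    model_destroy(&d);
    return bad ? 1 : 0;
}
```

The check in `model_count_mismatch` is the defensive point: whatever the descriptor field says at teardown, the loop bound must come from what was allocated, and a disagreement between the two is worth logging before it becomes an out-of-bounds read of `kfree` targets.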