ZDI-CAN-22042: Linux Kernel USB Core Out-Of-Bounds Read Local Privilege Escalation Vulnerability

-- CVSS -----------------------------------------

7.1: AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

-- ABSTRACT -------------------------------------

Trend Micro's Zero Day Initiative has identified a vulnerability affecting the following products:
Linux - Kernel

-- VULNERABILITY DETAILS ------------------------
* Version tested: 6.5-rc7
* Installer file: -
* Platform tested: debian bullseye

---

### Analysis

```
usb_destroy_configuration() didn't consider/validate the updated USB descriptor
it leads to out-of-bounds access in usb_destroy_configuration()
it would call kfree() on a pointer that is read from out-of-bounds
it would be triggered physically
the build config is from syzbot's ci-qemu-upstream
```

~~~C++
int usb_get_configuration(struct usb_device *dev)
{
	struct device *ddev = &dev->dev;
	int ncfg = dev->descriptor.bNumConfigurations;
	unsigned int cfgno, length;
	unsigned char *bigbuffer;
	struct usb_config_descriptor *desc;
	int result;

	if (ncfg > USB_MAXCONFIG) {
		dev_notice(ddev, "too many configurations: %d, "
		    "using maximum allowed: %d\n", ncfg, USB_MAXCONFIG);
		dev->descriptor.bNumConfigurations = ncfg = USB_MAXCONFIG;
	}

	if (ncfg < 1) {
		dev_err(ddev, "no configurations\n");
		return -EINVAL;
	}

	length = ncfg * sizeof(struct usb_host_config);
	dev->config = kzalloc(length, GFP_KERNEL);
	if (!dev->config)
		return -ENOMEM;

	length = ncfg * sizeof(char *);
	dev->rawdescriptors = kzalloc(length, GFP_KERNEL);	// (1) at the beginning, length is 8, ncfg is 1
	...
}

static int sd_config(struct gspca_dev *gspca_dev,
			const struct usb_device_id *id)
{
	struct sd *sd = (struct sd *)gspca_dev;
	struct cam *cam = &gspca_dev->cam;
	u8 *cd = gspca_dev->usb_buf;
	int i, j, n;
	int widths[MAX_MODES], heights[MAX_MODES];

	/* Read the camera descriptor */
	se401_read_req(gspca_dev, SE401_REQ_GET_CAMERA_DESCRIPTOR, 1);
	if (gspca_dev->usb_err) {
		/* Sometimes after being idle for a while the se401 won't
		   respond and needs a good kicking  */
		usb_reset_device(gspca_dev->dev);	// (2) if usb_reset_device() is called, the dev->descriptor will be updated from USB
		gspca_dev->usb_err = 0;
		se401_read_req(gspca_dev, SE401_REQ_GET_CAMERA_DESCRIPTOR, 0);
	}
	...
}

void usb_destroy_configuration(struct usb_device *dev)
{
	int c, i;

	if (!dev->config)
		return;

	if (dev->rawdescriptors) {
		for (i = 0; i < dev->descriptor.bNumConfigurations; i++)	// (3) it didn't validate the updated dev->descriptor or update the dev->rawdescriptors
			kfree(dev->rawdescriptors[i]);	// (4) OOB read here and leads to arbitrary free

		kfree(dev->rawdescriptors);
		dev->rawdescriptors = NULL;
	}

	for (c = 0; c < dev->descriptor.bNumConfigurations; c++) {
		struct usb_host_config *cf = &dev->config[c];

		kfree(cf->string);
		for (i = 0; i < cf->desc.bNumInterfaces; i++) {
			if (cf->intf_cache[i])
				kref_put(&cf->intf_cache[i]->ref,
					  usb_release_interface_cache);
		}
	}
	kfree(dev->config);
	dev->config = NULL;
}
~~~

debug log

```
Breakpoint 8, usb_get_configuration (dev=dev@entry=0xffff888026a75000) at drivers/usb/core/config.c:888
888             if (!dev->rawdescriptors)
(gdb) l
883             if (!dev->config)
884                     return -ENOMEM;
885
886             length = ncfg * sizeof(char *);
887             dev->rawdescriptors = kzalloc(length, GFP_KERNEL);
888             if (!dev->rawdescriptors)
889                     return -ENOMEM;
890
891             desc = kmalloc(USB_DT_CONFIG_SIZE, GFP_KERNEL);
892             if (!desc)
(gdb) p/x length
$2 = 0x8
(gdb) p/x dev->rawdescriptors
$3 = 0xffff888026b2a9c0
(gdb) bt
#0  usb_get_configuration (dev=dev@entry=0xffff888026a75000) at drivers/usb/core/config.c:888
#1  0xffffffff8639b82f in usb_enumerate_device (udev=0xffff888026a75000) at drivers/usb/core/hub.c:2422
#2  usb_new_device (udev=udev@entry=0xffff888026a75000) at drivers/usb/core/hub.c:2560
#3  0xffffffff863a225f in hub_port_connect (portchange=<optimized out>, portstatus=<optimized out>, port1=1, hub=0xffff888013fe9000) at drivers/usb/core/hub.c:5422
#4  hub_port_connect_change (portchange=<optimized out>, portstatus=<optimized out>, port1=1, hub=0xffff888013fe9000) at drivers/usb/core/hub.c:5566
#5  port_event (port1=1, hub=0xffff888013fe9000) at drivers/usb/core/hub.c:5726
#6  hub_event (work=0xffff888013fe9330) at drivers/usb/core/hub.c:5808
#7  0xffffffff81542e02 in process_one_work (worker=worker@entry=0xffff88801c94e200, work=work@entry=0xffff888013fe9330) at kernel/workqueue.c:2597
#8  0xffffffff815440d7 in worker_thread (__worker=0xffff88801c94e200) at kernel/workqueue.c:2748
#9  0xffffffff8156176a in kthread (_create=<optimized out>) at kernel/kthread.c:389
#10 0xffffffff813054ac in ret_from_fork (prev=<optimized out>, regs=0xffffc900007cff58, fn=0xffffffff81561430 <kthread>, fn_arg=0xffff8880197fc900) at arch/x86/kernel/process.c:145
#11 0xffffffff81004e11 in ret_from_fork_asm () at arch/x86/entry/entry_64.S:296
#12 0x0000000000000000 in ?? ()
(gdb) awatch *0xffff888026a75520
Hardware access (read/write) watchpoint 9: *0xffff888026a75520
(gdb) c
Continuing.

Hardware access (read/write) watchpoint 9: *0xffff888026a75520

Old value = 256
New value = 10237
memcpy_orig () at arch/x86/lib/memcpy_64.S:127
127             RET
(gdb) bt        // updating the USB descriptor
#0  memcpy_orig () at arch/x86/lib/memcpy_64.S:127
#1  0xffffffff863be9ed in usb_get_device_descriptor (dev=dev@entry=0xffff888026a75000, size=size@entry=18) at drivers/usb/core/message.c:1074
#2  0xffffffff86394315 in hub_port_init (hub=hub@entry=0xffff888013fe9000, udev=udev@entry=0xffff888026a75000, port1=port1@entry=1, retry_counter=retry_counter@entry=2) at drivers/usb/core/hub.c:5049
#3  0xffffffff863967ed in usb_reset_and_verify_device (udev=udev@entry=0xffff888026a75000) at drivers/usb/core/hub.c:6021
#4  0xffffffff863979c2 in usb_reset_device (udev=0xffff888026a75000) at drivers/usb/core/hub.c:6206
#5  0xffffffff86eefa44 in sd_config (gspca_dev=0xffff888024d04000, id=<optimized out>) at drivers/media/usb/gspca/se401.c:221
#6  0xffffffff86e8ff32 in gspca_dev_probe2 (intf=intf@entry=0xffff888023676000, id=id@entry=0xffffffff8b475f80 <device_table+96>, sd_desc=sd_desc@entry=0xffffffff8b476000 <sd_desc>, dev_size=<optimized out>, dev_size@entry=5232, module=module@entry=0x0 <fixed_percpu_data>) at drivers/media/usb/gspca/gspca.c:1531
#7  0xffffffff86e910ab in gspca_dev_probe (intf=0xffff888023676000, id=0xffffffff8b475f80 <device_table+96>, sd_desc=0xffffffff8b476000 <sd_desc>, dev_size=5232, module=0x0 <fixed_percpu_data>) at drivers/media/usb/gspca/gspca.c:1610
#8  0xffffffff863c9a77 in usb_probe_interface (dev=0xffff888023676078) at drivers/usb/core/driver.c:396
#9  0xffffffff852b19b4 in call_driver_probe (drv=0xffffffff8de93548 <sd_driver+168>, dev=0xffff888023676078) at drivers/base/dd.c:579
#10 really_probe (dev=dev@entry=0xffff888023676078, drv=drv@entry=0xffffffff8de93548 <sd_driver+168>) at drivers/base/dd.c:658
#11 0xffffffff852b25ee in __driver_probe_device (drv=drv@entry=0xffffffff8de93548 <sd_driver+168>, dev=dev@entry=0xffff888023676078) at drivers/base/dd.c:798
#12 0xffffffff852b290c in driver_probe_device (drv=drv@entry=0xffffffff8de93548 <sd_driver+168>, dev=dev@entry=0xffff888023676078) at drivers/base/dd.c:828
#13 0xffffffff852b2c34 in __device_attach_driver (drv=0xffffffff8de93548 <sd_driver+168>, _data=<optimized out>) at drivers/base/dd.c:956
#14 0xffffffff852abbb7 in bus_for_each_drv (bus=<optimized out>, start=start@entry=0x0 <fixed_percpu_data>, data=data@entry=0xffffc900007cf358, fn=fn@entry=0xffffffff852b2a60 <__device_attach_driver>) at drivers/base/bus.c:457
#15 0xffffffff852b3958 in __device_attach (dev=dev@entry=0xffff888023676078, allow_async=allow_async@entry=true) at drivers/base/dd.c:1028
#16 0xffffffff852b3f2b in device_initial_probe (dev=dev@entry=0xffff888023676078) at drivers/base/dd.c:1077
#17 0xffffffff852ae9bc in bus_probe_device (dev=dev@entry=0xffff888023676078) at drivers/base/bus.c:532
#18 0xffffffff852a6c51 in device_add (dev=dev@entry=0xffff888023676078) at drivers/base/core.c:3625
#19 0xffffffff863c291b in usb_set_configuration (dev=dev@entry=0xffff888026a75000, configuration=<optimized out>, configuration@entry=0) at drivers/usb/core/message.c:2211
#20 0xffffffff863ec06a in usb_generic_driver_probe (udev=0xffff888026a75000) at drivers/usb/core/generic.c:238
#21 0xffffffff863c874a in usb_probe_device (dev=0xffff888026a750a8) at drivers/usb/core/driver.c:293
#22 0xffffffff852b19b4 in call_driver_probe (drv=0xffffffff8dad0d38 <usb_generic_driver+56>, dev=0xffff888026a750a8) at drivers/base/dd.c:579
#23 really_probe (dev=dev@entry=0xffff888026a750a8, drv=drv@entry=0xffffffff8dad0d38 <usb_generic_driver+56>) at drivers/base/dd.c:658
#24 0xffffffff852b25ee in __driver_probe_device (drv=drv@entry=0xffffffff8dad0d38 <usb_generic_driver+56>, dev=dev@entry=0xffff888026a750a8) at drivers/base/dd.c:798
#25 0xffffffff852b290c in driver_probe_device (drv=drv@entry=0xffffffff8dad0d38 <usb_generic_driver+56>, dev=dev@entry=0xffff888026a750a8) at drivers/base/dd.c:828
#26 0xffffffff852b2c34 in __device_attach_driver (drv=0xffffffff8dad0d38 <usb_generic_driver+56>, _data=<optimized out>) at drivers/base/dd.c:956
#27 0xffffffff852abbb7 in bus_for_each_drv (bus=<optimized out>, start=start@entry=0x0 <fixed_percpu_data>, data=data@entry=0xffffc900007cf7d8, fn=fn@entry=0xffffffff852b2a60 <__device_attach_driver>) at drivers/base/bus.c:457
#28 0xffffffff852b3958 in __device_attach (dev=dev@entry=0xffff888026a750a8, allow_async=allow_async@entry=true) at drivers/base/dd.c:1028
#29 0xffffffff852b3f2b in device_initial_probe (dev=dev@entry=0xffff888026a750a8) at drivers/base/dd.c:1077
#30 0xffffffff852ae9bc in bus_probe_device (dev=dev@entry=0xffff888026a750a8) at drivers/base/bus.c:532
#31 0xffffffff852a6c51 in device_add (dev=dev@entry=0xffff888026a750a8) at drivers/base/core.c:3625
#32 0xffffffff8639b48c in usb_new_device (udev=udev@entry=0xffff888026a75000) at drivers/usb/core/hub.c:2590
#33 0xffffffff863a225f in hub_port_connect (portchange=<optimized out>, portstatus=<optimized out>, port1=1, hub=0xffff888013fe9000) at drivers/usb/core/hub.c:5422
#34 hub_port_connect_change (portchange=<optimized out>, portstatus=<optimized out>, port1=1, hub=0xffff888013fe9000) at drivers/usb/core/hub.c:5566
#35 port_event (port1=1, hub=0xffff888013fe9000) at drivers/usb/core/hub.c:5726
#36 hub_event (work=0xffff888013fe9330) at drivers/usb/core/hub.c:5808
#37 0xffffffff81542e02 in process_one_work (worker=worker@entry=0xffff88801c94e200, work=work@entry=0xffff888013fe9330) at kernel/workqueue.c:2597
#38 0xffffffff815440d7 in worker_thread (__worker=0xffff88801c94e200) at kernel/workqueue.c:2748
#39 0xffffffff8156176a in kthread (_create=<optimized out>) at kernel/kthread.c:389
#40 0xffffffff813054ac in ret_from_fork (prev=<optimized out>, regs=0xffffc900007cff58, fn=0xffffffff81561430 <kthread>, fn_arg=0xffff8880197fc900) at arch/x86/kernel/process.c:145
#41 0xffffffff81004e11 in ret_from_fork_asm () at arch/x86/entry/entry_64.S:296
#42 0x0000000000000000 in ?? ()
(gdb) fin
Run till exit from #0  memcpy_orig () at arch/x86/lib/memcpy_64.S:127
usb_get_device_descriptor (dev=dev@entry=0xffff888026a75000, size=size@entry=18) at drivers/usb/core/message.c:1075
1075            kfree(desc);
(gdb) p/x dev->descriptor.bNumConfigurations
$4 = 0x27
(gdb) c
Continuing.

Breakpoint 2, usb_destroy_configuration (dev=dev@entry=0xffff888026a75000) at drivers/usb/core/config.c:826
826     {
(gdb) p/x dev->descriptor.bNumConfigurations
$5 = 0x27
(gdb) bt
#0  usb_destroy_configuration (dev=dev@entry=0xffff888026a75000) at drivers/usb/core/config.c:826
#1  0xffffffff863853b2 in usb_release_dev (dev=0xffff888026a750a8) at drivers/usb/core/usb.c:492
#2  0xffffffff852977b1 in device_release (kobj=0xffff888026a750a8) at drivers/base/core.c:2484
#3  0xffffffff8a1d13d7 in kobject_cleanup (kobj=0xffff888026a750a8) at lib/kobject.c:682
#4  kobject_release (kref=0xffff888026a750e0) at lib/kobject.c:713
#5  kref_put (release=<optimized out>, kref=0xffff888026a750e0) at ./include/linux/kref.h:65
#6  kobject_put (kobj=kobj@entry=0xffff888026a750a8) at lib/kobject.c:730
#7  0xffffffff852980af in put_device (dev=0xffff888026a750a8, dev@entry=0xffffffff8af08580 <device_ktype>) at drivers/base/core.c:3733
#8  0xffffffff86399026 in usb_disconnect (pdev=0x0 <fixed_percpu_data>, pdev@entry=0xffff88801430a000) at drivers/usb/core/hub.c:2296
#9  0xffffffff863a139d in hub_port_connect (portchange=1, portstatus=257, port1=1, hub=0xffff888013fe9000) at drivers/usb/core/hub.c:5261
#10 hub_port_connect_change (portchange=1, portstatus=257, port1=1, hub=0xffff888013fe9000) at drivers/usb/core/hub.c:5566
#11 port_event (port1=1, hub=0xffff888013fe9000) at drivers/usb/core/hub.c:5726
#12 hub_event (work=0xffff888013fe9330) at drivers/usb/core/hub.c:5808
#13 0xffffffff81542e02 in process_one_work (worker=worker@entry=0xffff88801c94e200, work=0xffff888013fe9330) at kernel/workqueue.c:2597
#14 0xffffffff815442e6 in process_scheduled_works (worker=<optimized out>) at kernel/workqueue.c:2664
#15 worker_thread (__worker=0xffff88801c94e200) at kernel/workqueue.c:2750
#16 0xffffffff8156176a in kthread (_create=<optimized out>) at kernel/kthread.c:389
#17 0xffffffff813054ac in ret_from_fork (prev=<optimized out>, regs=0xffffc900007cff58, fn=0xffffffff81561430 <kthread>, fn_arg=0xffff8880197fc900) at arch/x86/kernel/process.c:145
#18 0xffffffff81004e11 in ret_from_fork_asm () at arch/x86/entry/entry_64.S:296
#19 0x0000000000000000 in ?? ()
(gdb) c
```

KASAN report

```
==================================================================
BUG: KASAN: slab-out-of-bounds in usb_destroy_configuration+0x6d3/0x750 linux/drivers/usb/core/config.c:834
Read of size 8 at addr ffff888014709f48 by task kworker/0:0/6

CPU: 0 PID: 6 Comm: kworker/0:0 Not tainted 6.5.0-rc7 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-debian-1.16.0-5 04/01/2014
Workqueue: usb_hub_wq hub_event
Call Trace:
 <TASK>
 __dump_stack linux/lib/dump_stack.c:88
 dump_stack_lvl+0xd9/0x1b0 linux/lib/dump_stack.c:106
 print_address_description linux/mm/kasan/report.c:364
 print_report+0xc4/0x620 linux/mm/kasan/report.c:475
 kasan_report+0xda/0x110 linux/mm/kasan/report.c:588
 usb_destroy_configuration+0x6d3/0x750 linux/drivers/usb/core/config.c:834
 usb_release_dev+0x42/0x110 linux/drivers/usb/core/usb.c:492
 device_release+0xa1/0x240 linux/drivers/base/core.c:2484
 kobject_cleanup linux/lib/kobject.c:682
 kobject_release linux/lib/kobject.c:713
 kref_put linux/./include/linux/kref.h:65
 kobject_put+0x1f7/0x5b0 linux/lib/kobject.c:730
 put_device+0x1f/0x30 linux/drivers/base/core.c:3733
 hub_port_connect linux/drivers/usb/core/hub.c:5261
 hub_port_connect_change linux/drivers/usb/core/hub.c:5566
 port_event linux/drivers/usb/core/hub.c:5726
 hub_event+0x21bd/0x5230 linux/drivers/usb/core/hub.c:5808
 process_one_work+0xaa2/0x16f0 linux/kernel/workqueue.c:2600
 process_scheduled_works linux/kernel/workqueue.c:2667
 worker_thread+0x896/0x1110 linux/kernel/workqueue.c:2753
 kthread+0x33a/0x430 linux/kernel/kthread.c:389
 ret_from_fork+0x2c/0x70 linux/arch/x86/kernel/process.c:145
 ret_from_fork_asm+0x11/0x20 linux/arch/x86/entry/entry_64.S:304
 </TASK>

Allocated by task 6:
 kasan_save_stack+0x33/0x50 linux/mm/kasan/common.c:45
 kasan_set_track+0x25/0x30 linux/mm/kasan/common.c:52
 ____kasan_kmalloc linux/mm/kasan/common.c:374
 __kasan_kmalloc+0xa3/0xb0 linux/mm/kasan/common.c:383
 kasan_kmalloc linux/./include/linux/kasan.h:196
 __do_kmalloc_node linux/mm/slab_common.c:985
 __kmalloc+0x5d/0x100 linux/mm/slab_common.c:998
 kmalloc linux/./include/linux/slab.h:586
 kzalloc linux/./include/linux/slab.h:703
 usb_get_configuration+0x191/0x5640 linux/drivers/usb/core/config.c:887
 usb_enumerate_device linux/drivers/usb/core/hub.c:2422
 usb_new_device+0x112f/0x1950 linux/drivers/usb/core/hub.c:2560
 hub_port_connect linux/drivers/usb/core/hub.c:5422
 hub_port_connect_change linux/drivers/usb/core/hub.c:5566
 port_event linux/drivers/usb/core/hub.c:5726
 hub_event+0x307f/0x5230 linux/drivers/usb/core/hub.c:5808
 process_one_work+0xaa2/0x16f0 linux/kernel/workqueue.c:2600
 worker_thread+0x687/0x1110 linux/kernel/workqueue.c:2751
 kthread+0x33a/0x430 linux/kernel/kthread.c:389
 ret_from_fork+0x2c/0x70 linux/arch/x86/kernel/process.c:145
 ret_from_fork_asm+0x11/0x20 linux/arch/x86/entry/entry_64.S:304

The buggy address belongs to the object at ffff888014709f40
 which belongs to the cache kmalloc-32 of size 32
The buggy address is located 0 bytes to the right of
 allocated 8-byte region [ffff888014709f40, ffff888014709f48)

The buggy address belongs to the physical page:
page:ffffea000051c240 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888014709fc1 pfn:0x14709
flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0x3e()
raw: 00fff00000000200 ffff888012840100 ffffea00007fbd50 ffffea0000650c10
raw: ffff888014709fc1 ffff888014709000 000000010000003e 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2420c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_COMP|__GFP_THISNODE), pid 1, tgid 1 (swapper/0), ts 2179796954, free_ts 0
 set_page_owner linux/./include/linux/page_owner.h:31
 post_alloc_hook+0x2d2/0x350 linux/mm/page_alloc.c:1570
 prep_new_page linux/mm/page_alloc.c:1577
 get_page_from_freelist+0x10a9/0x31e0 linux/mm/page_alloc.c:3221
 __alloc_pages+0x1d0/0x4a0 linux/mm/page_alloc.c:4477
 __alloc_pages_node linux/./include/linux/gfp.h:237
 kmem_getpages linux/mm/slab.c:1356
 cache_grow_begin+0x99/0x3a0 linux/mm/slab.c:2550
 cache_alloc_refill+0x294/0x3a0 linux/mm/slab.c:2923
 ____cache_alloc linux/mm/slab.c:2999
 ____cache_alloc linux/mm/slab.c:2982
 __do_cache_alloc linux/mm/slab.c:3182
 slab_alloc_node linux/mm/slab.c:3230
 __kmem_cache_alloc_node+0x3c9/0x470 linux/mm/slab.c:3521
 __do_kmalloc_node linux/mm/slab_common.c:984
 __kmalloc+0x4c/0x100 linux/mm/slab_common.c:998
 kmalloc linux/./include/linux/slab.h:586
 kzalloc linux/./include/linux/slab.h:703
 acpi_os_allocate_zeroed linux/./include/acpi/platform/aclinuxex.h:57
 acpi_ns_internalize_name+0x149/0x220 linux/drivers/acpi/acpica/nsutils.c:331
 acpi_ns_get_node_unlocked+0x164/0x310 linux/drivers/acpi/acpica/nsutils.c:666
 acpi_ns_get_node+0x4c/0x70 linux/drivers/acpi/acpica/nsutils.c:726
 acpi_ns_evaluate+0x6eb/0xca0 linux/drivers/acpi/acpica/nseval.c:62
 acpi_evaluate_object+0x3eb/0xa70 linux/drivers/acpi/acpica/nsxfeval.c:354
 acpi_evaluate_integer+0xde/0x1f0 linux/drivers/acpi/utils.c:260
 acpi_init_coherency linux/drivers/acpi/scan.c:1657
 acpi_init_device_object+0xb46/0x1930 linux/drivers/acpi/scan.c:1785
 acpi_add_single_object+0xeb/0x1b00 linux/drivers/acpi/scan.c:1825
 acpi_bus_check_add+0x21f/0x5f0 linux/drivers/acpi/scan.c:2081
page_owner free stack trace missing

Memory state around the buggy address:
 ffff888014709e00: 00 fc fc fc fc fc fc fc 00 00 00 fc fc fc fc fc
 ffff888014709e80: 00 00 00 fc fc fc fc fc 07 fc fc fc fc fc fc fc
>ffff888014709f00: 00 04 fc fc fc fc fc fc 00 fc fc fc fc fc fc fc
                                              ^
 ffff888014709f80: 00 00 00 06 fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88801470a000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
```

-- CREDIT ---------------------------------------
This vulnerability was discovered by:
Lucas Leong (@_wmliang_) of Trend Micro Zero Day Initiative

-- FURTHER DETAILS ------------------------------

Supporting files:

If supporting files were contained with this report they are provided within a password protected ZIP file. The password is the ZDI candidate number in the form: ZDI-CAN-XXXX where XXXX is the ID number.

Please confirm receipt of this report. We expect all vendors to remediate ZDI vulnerabilities within 120 days of the reported date. If you are ready to release a patch at any point leading up to the deadline, please coordinate with us so that we may release our advisory detailing the issue. If the 120-day deadline is reached and no patch has been made available we will release a limited public advisory with our own mitigations, so that the public can protect themselves in the absence of a patch. Please keep us updated regarding the status of this issue and feel free to contact us at any time:

Zero Day Initiative
zdi-disclosures@xxxxxxxxxxxxxx

The PGP key used for all ZDI vendor communications is available from:

  http://www.zerodayinitiative.com/documents/disclosures-pgp-key.asc

-- INFORMATION ABOUT THE ZDI --------------------
Established by TippingPoint and acquired by Trend Micro, the Zero Day Initiative (ZDI) neither re-sells vulnerability details nor exploit code. Instead, upon notifying the affected product vendor, the ZDI provides its Trend Micro TippingPoint customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available.

Please contact us for further details or refer to:

  http://www.zerodayinitiative.com

-- DISCLOSURE POLICY ----------------------------

Our vulnerability disclosure policy is available online at:

  http://www.zerodayinitiative.com/advisories/disclosure_policy/
<<attachment: ZDI-CAN-22042.zip>>
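The count mismatch in steps (1) to (4) of the analysis, as a user-space C model added here for illustration; it is not kernel code, not part of the report, and not the upstream fix. `model_dev`, `nraw` and the `model_*` functions are hypothetical names, and the two hardened variants show generic defences: refuse a changed configuration count on reset, and bound teardown by the number of slots actually allocated.

```c
#include <stdint.h>
#include <stdlib.h>

#define MODEL_MAXCONFIG 8            /* same value as the kernel's USB_MAXCONFIG */

/* User-space model; nraw and every model_* name are hypothetical. */
struct model_dev {
    uint8_t bNumConfigurations;      /* device-supplied, rewritten on reset */
    size_t  nraw;                    /* slots actually allocated (added field) */
    char  **rawdescriptors;
};

/* Step (1): size the pointer array from the count seen at enumeration. */
int model_get_configuration(struct model_dev *d)
{
    size_t n = d->bNumConfigurations;

    if (n > MODEL_MAXCONFIG)
        d->bNumConfigurations = (uint8_t)(n = MODEL_MAXCONFIG);
    if (n < 1)
        return -1;
    d->rawdescriptors = calloc(n, sizeof(char *));
    if (!d->rawdescriptors)
        return -1;
    d->nraw = n;
    return 0;
}

/* Step (2) as reported: the reset path overwrites the cached count unchecked. */
void model_reset_unchecked(struct model_dev *d, uint8_t new_count)
{
    d->bNumConfigurations = new_count;
}

/* Hardened reset: compare first, and refuse a count that changed. */
int model_reset_checked(const struct model_dev *d, uint8_t new_count)
{
    return new_count == d->bNumConfigurations ? 0 : -1;
}

/* Steps (3)/(4): slots the reported loop bound would read past the array. */
size_t model_oob_reads(const struct model_dev *d)
{
    size_t bound = d->bNumConfigurations;

    return bound > d->nraw ? bound - d->nraw : 0;
}

/* Hardened teardown: bound the loop by what was allocated, not by the
 * descriptor field. Returns the number of slots visited. */
size_t model_destroy_bounded(struct model_dev *d)
{
    size_t i, visited = 0;

    if (!d->rawdescriptors)
        return 0;
    for (i = 0; i < d->nraw; i++, visited++)
        free(d->rawdescriptors[i]);  /* NULL slots here; free(NULL) is a no-op */
    free(d->rawdescriptors);
    d->rawdescriptors = NULL;
    d->nraw = 0;
    return visited;
}
```

With the values from the debug log (one configuration at enumeration, `0x27` after the reset), `model_oob_reads()` reports 38 slots beyond the 8-byte array, which is the region the KASAN report flags.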