CVE-2022-49937

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2022-49937
In the Linux kernel, the following vulnerability has been resolved: media: mceusb: Use new usb_control_msg_*() routines Automatic kernel fuzzing led to a WARN about invalid pipe direction in the mceusb driver: ------------[ cut here ]------------ usb 6-1: BOGUS control dir, pipe 80000380 doesn't match bRequestType 40 WARNING: CPU: 0 PID: 2465 at drivers/usb/core/urb.c:410 usb_submit_urb+0x1326/0x1820 drivers/usb/core/urb.c:410 Modules linked in: CPU: 0 PID: 2465 Comm: kworker/0:2 Not tainted 5.19.0-rc4-00208-g69cb6c6556ad #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014 Workqueue: usb_hub_wq hub_event RIP: 0010:usb_submit_urb+0x1326/0x1820 drivers/usb/core/urb.c:410 Code: 7c 24 40 e8 ac 23 91 fd 48 8b 7c 24 40 e8 b2 70 1b ff 45 89 e8 44 89 f1 4c 89 e2 48 89 c6 48 c7 c7 a0 30 a9 86 e8 48 07 11 02 <0f> 0b e9 1c f0 ff ff e8 7e 23 91 fd 0f b6 1d 63 22 83 05 31 ff 41 RSP: 0018:ffffc900032becf0 EFLAGS: 00010282 RAX: 0000000000000000 RBX: ffff8881100f3058 RCX: 0000000000000000 RDX: ffffc90004961000 RSI: ffff888114c6d580 RDI: fffff52000657d90 RBP: ffff888105ad90f0 R08: ffffffff812c3638 R09: 0000000000000000 R10: 0000000000000005 R11: ffffed1023504ef1 R12: ffff888105ad9000 R13: 0000000000000040 R14: 0000000080000380 R15: ffff88810ba96500 FS: 0000000000000000(0000) GS:ffff88811a800000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007ffe810bda58 CR3: 000000010b720000 CR4: 0000000000350ef0 Call Trace: <TASK> usb_start_wait_urb+0x101/0x4c0 drivers/usb/core/message.c:58 usb_internal_control_msg drivers/usb/core/message.c:102 [inline] usb_control_msg+0x31c/0x4a0 drivers/usb/core/message.c:153 mceusb_gen1_init drivers/media/rc/mceusb.c:1431 [inline] mceusb_dev_probe+0x258e/0x33f0 drivers/media/rc/mceusb.c:1807 The reason for the warning is clear enough; the driver sends an unusual read request on endpoint 0 but does not set the USB_DIR_IN bit in the bRequestType field. More importantly, the whole situation can be avoided and the driver simplified by converting it over to the relatively new usb_control_msg_recv() and usb_control_msg_send() routines. That's what this fix does.

5.5 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://git.kernel.org/stable/c/587f793c64d99d92be8ef01c4c69d885a3f2edb6 Patch
https://git.kernel.org/stable/c/608e58a0f4617977178131f5f68a3fce1d3f5316 Patch
https://git.kernel.org/stable/c/75913c562f5ba4cf397d835c63f443879167c6f6 Patch
https://git.kernel.org/stable/c/d69c738ac9310b56e84c51c8f09fc018a8291bc6 Patch
Configurations

Configuration 1 (hide)

OR cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.0:rc3:*:*:*:*:*:*
History

14 Nov 2025, 20:25

Type Values Removed Values Added
References () https://git.kernel.org/stable/c/587f793c64d99d92be8ef01c4c69d885a3f2edb6 - () https://git.kernel.org/stable/c/587f793c64d99d92be8ef01c4c69d885a3f2edb6 - Patch
References () https://git.kernel.org/stable/c/608e58a0f4617977178131f5f68a3fce1d3f5316 - () https://git.kernel.org/stable/c/608e58a0f4617977178131f5f68a3fce1d3f5316 - Patch
References () https://git.kernel.org/stable/c/75913c562f5ba4cf397d835c63f443879167c6f6 - () https://git.kernel.org/stable/c/75913c562f5ba4cf397d835c63f443879167c6f6 - Patch
References () https://git.kernel.org/stable/c/d69c738ac9310b56e84c51c8f09fc018a8291bc6 - () https://git.kernel.org/stable/c/d69c738ac9310b56e84c51c8f09fc018a8291bc6 - Patch
Summary
  • (es) En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: media: mceusb: Utilizar nuevas rutinas usb_control_msg_*() El fuzzing automático del kernel provocó una ADVERTENCIA sobre una dirección de tubería no válida en el controlador mceusb: ------------[ cortar aquí ]------------ usb 6-1: directorio de control FALSO, la tubería 80000380 no coincide con bRequestType 40 ADVERTENCIA: CPU: 0 PID: 2465 en drivers/usb/core/urb.c:410 usb_submit_urb+0x1326/0x1820 drivers/usb/core/urb.c:410 Módulos vinculados: CPU: 0 PID: 2465 Comm: kworker/0:2 No contaminado 5.19.0-rc4-00208-g69cb6c6556ad #1 Nombre del hardware: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 01/04/2014 Cola de trabajo: usb_hub_wq hub_event RIP: 0010:usb_submit_urb+0x1326/0x1820 drivers/usb/core/urb.c:410 Código: 7c 24 40 e8 ac 23 91 fd 48 8b 7c 24 40 e8 b2 70 1b ff 45 89 e8 44 89 f1 4c 89 e2 48 89 c6 48 c7 c7 a0 30 a9 86 e8 48 07 11 02 &lt;0f&gt; 0b e9 1c f0 ff ff e8 7e 23 91 fd 0f b6 1d 63 22 83 05 31 y siguientes 41 RSP: 0018:ffffc900032becf0 EFLAGS: 00010282 RAX: 000000000000000 RBX: ffff8881100f3058 RCX: 0000000000000000 RDX: ffffc90004961000 RSI: ffff888114c6d580 RDI: fffff52000657d90 RBP: ffff888105ad90f0 R08: ffffffff812c3638 R09: 000000000000000 R10: 0000000000000005 R11: ffffed1023504ef1 R12: ffff888105ad9000 R13: 0000000000000040 R14: 0000000080000380 R15: ffff88810ba96500 FS: 0000000000000000(0000) GS:ffff88811a800000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007ffe810bda58 CR3: 000000010b720000 CR4: 0000000000350ef0 Seguimiento de llamadas: usb_start_wait_urb+0x101/0x4c0 drivers/usb/core/message.c:58 usb_internal_control_msg drivers/usb/core/message.c:102 [inline] usb_control_msg+0x31c/0x4a0 drivers/usb/core/message.c:153 mceusb_gen1_init drivers/media/rc/mceusb.c:1431 [inline] mceusb_dev_probe+0x258e/0x33f0 drivers/media/rc/mceusb.c:1807 El motivo de la advertencia es bastante claro; el controlador envía una solicitud de lectura inusual en el endpoint 0 pero no establece el bit USB_DIR_IN en el campo bRequestType. Más importante aún, se puede evitar toda la situación y simplificar el controlador al convertirlo a las relativamente nuevas rutinas usb_control_msg_recv() y usb_control_msg_send(). Esto es lo que hace esta corrección.
First Time Linux
Linux linux Kernel
CWE NVD-CWE-noinfo
CPE cpe:2.3:o:linux:linux_kernel:6.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 5.5

18 Jun 2025, 11:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-06-18 11:15

Updated : 2025-11-14 20:25

NVD link : CVE-2022-49937

Mitre link : CVE-2022-49937

CVE.ORG link : CVE-2022-49937

JSON object : View

Products Affected

linux

  • linux_kernel
CWE
NVD-CWE-noinfo