Close Menu

    CVE-2025-38153 – Allegro USB Network AQC111 Uninitialized Memory Access Vulnerability

    CVE ID : CVE-2025-38153

    Published : July 3, 2025, 9:15 a.m. | 2 hours, 14 minutes ago

    Description : In the Linux kernel, the following vulnerability has been resolved:

    net: usb: aqc111: fix error handling of usbnet read calls

    Syzkaller, courtesy of syzbot, identified an error (see report [1]) in
    aqc111 driver, caused by incomplete sanitation of usb read calls’
    results. This problem is quite similar to the one fixed in commit
    920a9fa27e78 (“net: asix: add proper error handling of usb read errors”).

    For instance, usbnet_read_cmd() may read fewer than ‘size’ bytes,
    even if the caller expected the full amount, and aqc111_read_cmd()
    will not check its result properly. As [1] shows, this may lead
    to MAC address in aqc111_bind() being only partly initialized,
    triggering KMSAN warnings.

    Fix the issue by verifying that the number of bytes read is
    as expected and not less.

    [1] Partial syzbot report:
    BUG: KMSAN: uninit-value in is_valid_ether_addr include/linux/etherdevice.h:208 [inline]
    BUG: KMSAN: uninit-value in usbnet_probe+0x2e57/0x4390 drivers/net/usb/usbnet.c:1830
    is_valid_ether_addr include/linux/etherdevice.h:208 [inline]
    usbnet_probe+0x2e57/0x4390 drivers/net/usb/usbnet.c:1830
    usb_probe_interface+0xd01/0x1310 drivers/usb/core/driver.c:396
    call_driver_probe drivers/base/dd.c:-1 [inline]
    really_probe+0x4d1/0xd90 drivers/base/dd.c:658
    __driver_probe_device+0x268/0x380 drivers/base/dd.c:800

    Uninit was stored to memory at:
    dev_addr_mod+0xb0/0x550 net/core/dev_addr_lists.c:582
    __dev_addr_set include/linux/netdevice.h:4874 [inline]
    eth_hw_addr_set include/linux/etherdevice.h:325 [inline]
    aqc111_bind+0x35f/0x1150 drivers/net/usb/aqc111.c:717
    usbnet_probe+0xbe6/0x4390 drivers/net/usb/usbnet.c:1772
    usb_probe_interface+0xd01/0x1310 drivers/usb/core/driver.c:396

    Uninit was stored to memory at:
    ether_addr_copy include/linux/etherdevice.h:305 [inline]
    aqc111_read_perm_mac drivers/net/usb/aqc111.c:663 [inline]
    aqc111_bind+0x794/0x1150 drivers/net/usb/aqc111.c:713
    usbnet_probe+0xbe6/0x4390 drivers/net/usb/usbnet.c:1772
    usb_probe_interface+0xd01/0x1310 drivers/usb/core/driver.c:396
    call_driver_probe drivers/base/dd.c:-1 [inline]

    Local variable buf.i created at:
    aqc111_read_perm_mac drivers/net/usb/aqc111.c:656 [inline]
    aqc111_bind+0x221/0x1150 drivers/net/usb/aqc111.c:713
    usbnet_probe+0xbe6/0x4390 drivers/net/usb/usbnet.c:1772

    Severity: 0.0 | NA

    Visit the link for more details, such as CVSS details, affected products, timeline, and more…

    Source: Read More

    Related Posts

    Leave A Reply

    For security, use of Google's reCAPTCHA service is required which is subject to the Google Privacy Policy and Terms of Use.