cve/published/2021/CVE-2021-47267.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-1.2.0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@kernel.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2021-47267: usb: fix various gadget panics on 10gbps cabling

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 usb: fix various gadget panics on 10gbps cabling

 usb_assign_descriptors() is called with 5 parameters,
 the last 4 of which are the usb_descriptor_header for:
   full-speed (USB1.1 - 12Mbps [including USB1.0 low-speed @ 1.5Mbps),
   high-speed (USB2.0 - 480Mbps),
   super-speed (USB3.0 - 5Gbps),
   super-speed-plus (USB3.1 - 10Gbps).

 The differences between full/high/super-speed descriptors are usually
 substantial (due to changes in the maximum usb block size from 64 to 512
 to 1024 bytes and other differences in the specs), while the difference
 between 5 and 10Gbps descriptors may be as little as nothing
 (in many cases the same tuning is simply good enough).

 However if a gadget driver calls usb_assign_descriptors() with
 a NULL descriptor for super-speed-plus and is then used on a max 10gbps
 configuration, the kernel will crash with a null pointer dereference,
 when a 10gbps capable device port + cable + host port combination shows up.
 (This wouldn't happen if the gadget max-speed was set to 5gbps, but
 it of course defaults to the maximum, and there's no real reason to
 artificially limit it)

 The fix is to simply use the 5gbps descriptor as the 10gbps descriptor,
 if a 10gbps descriptor wasn't provided.

 Obviously this won't fix the problem if the 5gbps descriptor is also
 NULL, but such cases can't be so trivially solved (and any such gadgets
 are unlikely to be used with USB3 ports any way).

 The Linux kernel CVE team has assigned CVE-2021-47267 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 3.8 with commit 10287baec761d33f0a82d84b46e37a44030350d8 and fixed in 4.9.273 with commit fd24be23abf3e94260be0f00bb42c7e91d495f87
 	Issue introduced in 3.8 with commit 10287baec761d33f0a82d84b46e37a44030350d8 and fixed in 4.14.237 with commit 70cd19cb5bd94bbb5bacfc9c1e4ee0071699a604
 	Issue introduced in 3.8 with commit 10287baec761d33f0a82d84b46e37a44030350d8 and fixed in 4.19.195 with commit 45f9a2fe737dc0a5df270787f2231aee8985cd59
 	Issue introduced in 3.8 with commit 10287baec761d33f0a82d84b46e37a44030350d8 and fixed in 5.4.126 with commit 5ef23506695b01d5d56a13a092a97f2478069d75
 	Issue introduced in 3.8 with commit 10287baec761d33f0a82d84b46e37a44030350d8 and fixed in 5.10.44 with commit b972eff874637402ddc4a7dd11fb22538a0b6d28
 	Issue introduced in 3.8 with commit 10287baec761d33f0a82d84b46e37a44030350d8 and fixed in 5.12.11 with commit ca6bc277430d90375452b60b047763a090b7673e
 	Issue introduced in 3.8 with commit 10287baec761d33f0a82d84b46e37a44030350d8 and fixed in 5.13 with commit 032e288097a553db5653af552dd8035cd2a0ba96

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2021-47267
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/usb/gadget/config.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/fd24be23abf3e94260be0f00bb42c7e91d495f87
 	https://git.kernel.org/stable/c/70cd19cb5bd94bbb5bacfc9c1e4ee0071699a604
 	https://git.kernel.org/stable/c/45f9a2fe737dc0a5df270787f2231aee8985cd59
 	https://git.kernel.org/stable/c/5ef23506695b01d5d56a13a092a97f2478069d75
 	https://git.kernel.org/stable/c/b972eff874637402ddc4a7dd11fb22538a0b6d28
 	https://git.kernel.org/stable/c/ca6bc277430d90375452b60b047763a090b7673e
 	https://git.kernel.org/stable/c/032e288097a553db5653af552dd8035cd2a0ba96
	From bippy-1.2.0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@kernel.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2021-47267: usb: fix various gadget panics on 10gbps cabling

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	usb: fix various gadget panics on 10gbps cabling

	usb_assign_descriptors() is called with 5 parameters,
	the last 4 of which are the usb_descriptor_header for:
	full-speed (USB1.1 - 12Mbps [including USB1.0 low-speed @ 1.5Mbps),
	high-speed (USB2.0 - 480Mbps),
	super-speed (USB3.0 - 5Gbps),
	super-speed-plus (USB3.1 - 10Gbps).

	The differences between full/high/super-speed descriptors are usually
	substantial (due to changes in the maximum usb block size from 64 to 512
	to 1024 bytes and other differences in the specs), while the difference
	between 5 and 10Gbps descriptors may be as little as nothing
	(in many cases the same tuning is simply good enough).

	However if a gadget driver calls usb_assign_descriptors() with
	a NULL descriptor for super-speed-plus and is then used on a max 10gbps
	configuration, the kernel will crash with a null pointer dereference,
	when a 10gbps capable device port + cable + host port combination shows up.
	(This wouldn't happen if the gadget max-speed was set to 5gbps, but
	it of course defaults to the maximum, and there's no real reason to
	artificially limit it)

	The fix is to simply use the 5gbps descriptor as the 10gbps descriptor,
	if a 10gbps descriptor wasn't provided.

	Obviously this won't fix the problem if the 5gbps descriptor is also
	NULL, but such cases can't be so trivially solved (and any such gadgets
	are unlikely to be used with USB3 ports any way).

	The Linux kernel CVE team has assigned CVE-2021-47267 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 3.8 with commit 10287baec761d33f0a82d84b46e37a44030350d8 and fixed in 4.9.273 with commit fd24be23abf3e94260be0f00bb42c7e91d495f87
	Issue introduced in 3.8 with commit 10287baec761d33f0a82d84b46e37a44030350d8 and fixed in 4.14.237 with commit 70cd19cb5bd94bbb5bacfc9c1e4ee0071699a604
	Issue introduced in 3.8 with commit 10287baec761d33f0a82d84b46e37a44030350d8 and fixed in 4.19.195 with commit 45f9a2fe737dc0a5df270787f2231aee8985cd59
	Issue introduced in 3.8 with commit 10287baec761d33f0a82d84b46e37a44030350d8 and fixed in 5.4.126 with commit 5ef23506695b01d5d56a13a092a97f2478069d75
	Issue introduced in 3.8 with commit 10287baec761d33f0a82d84b46e37a44030350d8 and fixed in 5.10.44 with commit b972eff874637402ddc4a7dd11fb22538a0b6d28
	Issue introduced in 3.8 with commit 10287baec761d33f0a82d84b46e37a44030350d8 and fixed in 5.12.11 with commit ca6bc277430d90375452b60b047763a090b7673e
	Issue introduced in 3.8 with commit 10287baec761d33f0a82d84b46e37a44030350d8 and fixed in 5.13 with commit 032e288097a553db5653af552dd8035cd2a0ba96

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2021-47267
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/usb/gadget/config.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/fd24be23abf3e94260be0f00bb42c7e91d495f87
	https://git.kernel.org/stable/c/70cd19cb5bd94bbb5bacfc9c1e4ee0071699a604
	https://git.kernel.org/stable/c/45f9a2fe737dc0a5df270787f2231aee8985cd59
	https://git.kernel.org/stable/c/5ef23506695b01d5d56a13a092a97f2478069d75
	https://git.kernel.org/stable/c/b972eff874637402ddc4a7dd11fb22538a0b6d28
	https://git.kernel.org/stable/c/ca6bc277430d90375452b60b047763a090b7673e
	https://git.kernel.org/stable/c/032e288097a553db5653af552dd8035cd2a0ba96