cve/published/2021/CVE-2021-47269.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2021-47269: usb: dwc3: ep0: fix NULL pointer exception

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 usb: dwc3: ep0: fix NULL pointer exception

 There is no validation of the index from dwc3_wIndex_to_dep() and we might
 be referring a non-existing ep and trigger a NULL pointer exception. In
 certain configurations we might use fewer eps and the index might wrongly
 indicate a larger ep index than existing.

 By adding this validation from the patch we can actually report a wrong
 index back to the caller.

 In our usecase we are using a composite device on an older kernel, but
 upstream might use this fix also. Unfortunately, I cannot describe the
 hardware for others to reproduce the issue as it is a proprietary
 implementation.

 [   82.958261] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000a4
 [   82.966891] Mem abort info:
 [   82.969663]   ESR = 0x96000006
 [   82.972703]   Exception class = DABT (current EL), IL = 32 bits
 [   82.978603]   SET = 0, FnV = 0
 [   82.981642]   EA = 0, S1PTW = 0
 [   82.984765] Data abort info:
 [   82.987631]   ISV = 0, ISS = 0x00000006
 [   82.991449]   CM = 0, WnR = 0
 [   82.994409] user pgtable: 4k pages, 39-bit VAs, pgdp = 00000000c6210ccc
 [   83.000999] [00000000000000a4] pgd=0000000053aa5003, pud=0000000053aa5003, pmd=0000000000000000
 [   83.009685] Internal error: Oops: 96000006 [#1] PREEMPT SMP
 [   83.026433] Process irq/62-dwc3 (pid: 303, stack limit = 0x000000003985154c)
 [   83.033470] CPU: 0 PID: 303 Comm: irq/62-dwc3 Not tainted 4.19.124 #1
 [   83.044836] pstate: 60000085 (nZCv daIf -PAN -UAO)
 [   83.049628] pc : dwc3_ep0_handle_feature+0x414/0x43c
 [   83.054558] lr : dwc3_ep0_interrupt+0x3b4/0xc94

 ...

 [   83.141788] Call trace:
 [   83.144227]  dwc3_ep0_handle_feature+0x414/0x43c
 [   83.148823]  dwc3_ep0_interrupt+0x3b4/0xc94
 [   83.181546] ---[ end trace aac6b5267d84c32f ]---

 The Linux kernel CVE team has assigned CVE-2021-47269 to this issue.


 Affected and fixed versions
 ===========================

 	Fixed in 4.4.273 with commit 96b74a99d360235c24052f1d060e64ac53f43528
 	Fixed in 4.9.273 with commit 60156089f07e724e4dc8483702d5e1ede4522749
 	Fixed in 4.14.237 with commit 990dc90750772622d44ca2ea6652c521e6f67e16
 	Fixed in 4.19.195 with commit bd551e7c85939de2182010273450bfa78c3742fc
 	Fixed in 5.4.126 with commit 366369b89bedd59b1425386e8d4a18a466e420e4
 	Fixed in 5.10.44 with commit 470403639114895e2697c766fbe17be8d0e9b67a
 	Fixed in 5.12.11 with commit 788755756dd4a6aba1de479fec20b0fa600e7f19
 	Fixed in 5.13 with commit d00889080ab60051627dab1d85831cd9db750e2a

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2021-47269
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/usb/dwc3/ep0.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/96b74a99d360235c24052f1d060e64ac53f43528
 	https://git.kernel.org/stable/c/60156089f07e724e4dc8483702d5e1ede4522749
 	https://git.kernel.org/stable/c/990dc90750772622d44ca2ea6652c521e6f67e16
 	https://git.kernel.org/stable/c/bd551e7c85939de2182010273450bfa78c3742fc
 	https://git.kernel.org/stable/c/366369b89bedd59b1425386e8d4a18a466e420e4
 	https://git.kernel.org/stable/c/470403639114895e2697c766fbe17be8d0e9b67a
 	https://git.kernel.org/stable/c/788755756dd4a6aba1de479fec20b0fa600e7f19
 	https://git.kernel.org/stable/c/d00889080ab60051627dab1d85831cd9db750e2a
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2021-47269: usb: dwc3: ep0: fix NULL pointer exception

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	usb: dwc3: ep0: fix NULL pointer exception

	There is no validation of the index from dwc3_wIndex_to_dep() and we might
	be referring a non-existing ep and trigger a NULL pointer exception. In
	certain configurations we might use fewer eps and the index might wrongly
	indicate a larger ep index than existing.

	By adding this validation from the patch we can actually report a wrong
	index back to the caller.

	In our usecase we are using a composite device on an older kernel, but
	upstream might use this fix also. Unfortunately, I cannot describe the
	hardware for others to reproduce the issue as it is a proprietary
	implementation.

	[ 82.958261] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000a4
	[ 82.966891] Mem abort info:
	[ 82.969663] ESR = 0x96000006
	[ 82.972703] Exception class = DABT (current EL), IL = 32 bits
	[ 82.978603] SET = 0, FnV = 0
	[ 82.981642] EA = 0, S1PTW = 0
	[ 82.984765] Data abort info:
	[ 82.987631] ISV = 0, ISS = 0x00000006
	[ 82.991449] CM = 0, WnR = 0
	[ 82.994409] user pgtable: 4k pages, 39-bit VAs, pgdp = 00000000c6210ccc
	[ 83.000999] [00000000000000a4] pgd=0000000053aa5003, pud=0000000053aa5003, pmd=0000000000000000
	[ 83.009685] Internal error: Oops: 96000006 [#1] PREEMPT SMP
	[ 83.026433] Process irq/62-dwc3 (pid: 303, stack limit = 0x000000003985154c)
	[ 83.033470] CPU: 0 PID: 303 Comm: irq/62-dwc3 Not tainted 4.19.124 #1
	[ 83.044836] pstate: 60000085 (nZCv daIf -PAN -UAO)
	[ 83.049628] pc : dwc3_ep0_handle_feature+0x414/0x43c
	[ 83.054558] lr : dwc3_ep0_interrupt+0x3b4/0xc94

	...

	[ 83.141788] Call trace:
	[ 83.144227] dwc3_ep0_handle_feature+0x414/0x43c
	[ 83.148823] dwc3_ep0_interrupt+0x3b4/0xc94
	[ 83.181546] ---[ end trace aac6b5267d84c32f ]---

	The Linux kernel CVE team has assigned CVE-2021-47269 to this issue.


	Affected and fixed versions
	===========================

	Fixed in 4.4.273 with commit 96b74a99d360235c24052f1d060e64ac53f43528
	Fixed in 4.9.273 with commit 60156089f07e724e4dc8483702d5e1ede4522749
	Fixed in 4.14.237 with commit 990dc90750772622d44ca2ea6652c521e6f67e16
	Fixed in 4.19.195 with commit bd551e7c85939de2182010273450bfa78c3742fc
	Fixed in 5.4.126 with commit 366369b89bedd59b1425386e8d4a18a466e420e4
	Fixed in 5.10.44 with commit 470403639114895e2697c766fbe17be8d0e9b67a
	Fixed in 5.12.11 with commit 788755756dd4a6aba1de479fec20b0fa600e7f19
	Fixed in 5.13 with commit d00889080ab60051627dab1d85831cd9db750e2a

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2021-47269
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/usb/dwc3/ep0.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/96b74a99d360235c24052f1d060e64ac53f43528
	https://git.kernel.org/stable/c/60156089f07e724e4dc8483702d5e1ede4522749
	https://git.kernel.org/stable/c/990dc90750772622d44ca2ea6652c521e6f67e16
	https://git.kernel.org/stable/c/bd551e7c85939de2182010273450bfa78c3742fc
	https://git.kernel.org/stable/c/366369b89bedd59b1425386e8d4a18a466e420e4
	https://git.kernel.org/stable/c/470403639114895e2697c766fbe17be8d0e9b67a
	https://git.kernel.org/stable/c/788755756dd4a6aba1de479fec20b0fa600e7f19
	https://git.kernel.org/stable/c/d00889080ab60051627dab1d85831cd9db750e2a