cve/published/2024/CVE-2024-36894.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-36894: usb: gadget: f_fs: Fix race between aio_cancel() and AIO request complete

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 usb: gadget: f_fs: Fix race between aio_cancel() and AIO request complete

 FFS based applications can utilize the aio_cancel() callback to dequeue
 pending USB requests submitted to the UDC.  There is a scenario where the
 FFS application issues an AIO cancel call, while the UDC is handling a
 soft disconnect.  For a DWC3 based implementation, the callstack looks
 like the following:

     DWC3 Gadget                               FFS Application
 dwc3_gadget_soft_disconnect()              ...
   --> dwc3_stop_active_transfers()
     --> dwc3_gadget_giveback(-ESHUTDOWN)
       --> ffs_epfile_async_io_complete()   ffs_aio_cancel()
         --> usb_ep_free_request()            --> usb_ep_dequeue()

 There is currently no locking implemented between the AIO completion
 handler and AIO cancel, so the issue occurs if the completion routine is
 running in parallel to an AIO cancel call coming from the FFS application.
 As the completion call frees the USB request (io_data->req) the FFS
 application is also referencing it for the usb_ep_dequeue() call.  This can
 lead to accessing a stale/hanging pointer.

 commit b566d38857fc ("usb: gadget: f_fs: use io_data->status consistently")
 relocated the usb_ep_free_request() into ffs_epfile_async_io_complete().
 However, in order to properly implement locking to mitigate this issue, the
 spinlock can't be added to ffs_epfile_async_io_complete(), as
 usb_ep_dequeue() (if successfully dequeuing a USB request) will call the
 function driver's completion handler in the same context.  Hence, leading
 into a deadlock.

 Fix this issue by moving the usb_ep_free_request() back to
 ffs_user_copy_worker(), and ensuring that it explicitly sets io_data->req
 to NULL after freeing it within the ffs->eps_lock.  This resolves the race
 condition above, as the ffs_aio_cancel() routine will not continue
 attempting to dequeue a request that has already been freed, or the
 ffs_user_copy_work() not freeing the USB request until the AIO cancel is
 done referencing it.

 This fix depends on
   commit b566d38857fc ("usb: gadget: f_fs: use io_data->status
   consistently")

 The Linux kernel CVE team has assigned CVE-2024-36894 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 3.15 with commit 2e4c7553cd6f9c68bb741582dcb614edcbeca70f and fixed in 4.19.317 with commit f71a53148ce34898fef099b75386a3a9f4449311
 	Issue introduced in 3.15 with commit 2e4c7553cd6f9c68bb741582dcb614edcbeca70f and fixed in 5.4.279 with commit 9e72ef59cbe61cd1243857a6418ca92104275867
 	Issue introduced in 3.15 with commit 2e4c7553cd6f9c68bb741582dcb614edcbeca70f and fixed in 5.10.221 with commit e500b1c4e29ad0bd1c1332a1eaea2913627a92dd
 	Issue introduced in 3.15 with commit 2e4c7553cd6f9c68bb741582dcb614edcbeca70f and fixed in 5.15.162 with commit 3613e5023f09b3308545e9d1acda86017ebd418a
 	Issue introduced in 3.15 with commit 2e4c7553cd6f9c68bb741582dcb614edcbeca70f and fixed in 6.1.95 with commit a0fdccb1c9e027e3195f947f61aa87d6d0d2ea14
 	Issue introduced in 3.15 with commit 2e4c7553cd6f9c68bb741582dcb614edcbeca70f and fixed in 6.6.31 with commit 73c05ad46bb4fbbdb346004651576d1c8dbcffbb
 	Issue introduced in 3.15 with commit 2e4c7553cd6f9c68bb741582dcb614edcbeca70f and fixed in 6.8.10 with commit d7461830823242702f5d84084bcccb25159003f4
 	Issue introduced in 3.15 with commit 2e4c7553cd6f9c68bb741582dcb614edcbeca70f and fixed in 6.9 with commit 24729b307eefcd7c476065cd7351c1a018082c19

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-36894
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/usb/gadget/function/f_fs.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/f71a53148ce34898fef099b75386a3a9f4449311
 	https://git.kernel.org/stable/c/9e72ef59cbe61cd1243857a6418ca92104275867
 	https://git.kernel.org/stable/c/e500b1c4e29ad0bd1c1332a1eaea2913627a92dd
 	https://git.kernel.org/stable/c/3613e5023f09b3308545e9d1acda86017ebd418a
 	https://git.kernel.org/stable/c/a0fdccb1c9e027e3195f947f61aa87d6d0d2ea14
 	https://git.kernel.org/stable/c/73c05ad46bb4fbbdb346004651576d1c8dbcffbb
 	https://git.kernel.org/stable/c/d7461830823242702f5d84084bcccb25159003f4
 	https://git.kernel.org/stable/c/24729b307eefcd7c476065cd7351c1a018082c19
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-36894: usb: gadget: f_fs: Fix race between aio_cancel() and AIO request complete

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	usb: gadget: f_fs: Fix race between aio_cancel() and AIO request complete

	FFS based applications can utilize the aio_cancel() callback to dequeue
	pending USB requests submitted to the UDC. There is a scenario where the
	FFS application issues an AIO cancel call, while the UDC is handling a
	soft disconnect. For a DWC3 based implementation, the callstack looks
	like the following:

	DWC3 Gadget FFS Application
	dwc3_gadget_soft_disconnect() ...
	--> dwc3_stop_active_transfers()
	--> dwc3_gadget_giveback(-ESHUTDOWN)
	--> ffs_epfile_async_io_complete() ffs_aio_cancel()
	--> usb_ep_free_request() --> usb_ep_dequeue()

	There is currently no locking implemented between the AIO completion
	handler and AIO cancel, so the issue occurs if the completion routine is
	running in parallel to an AIO cancel call coming from the FFS application.
	As the completion call frees the USB request (io_data->req) the FFS
	application is also referencing it for the usb_ep_dequeue() call. This can
	lead to accessing a stale/hanging pointer.

	commit b566d38857fc ("usb: gadget: f_fs: use io_data->status consistently")
	relocated the usb_ep_free_request() into ffs_epfile_async_io_complete().
	However, in order to properly implement locking to mitigate this issue, the
	spinlock can't be added to ffs_epfile_async_io_complete(), as
	usb_ep_dequeue() (if successfully dequeuing a USB request) will call the
	function driver's completion handler in the same context. Hence, leading
	into a deadlock.

	Fix this issue by moving the usb_ep_free_request() back to
	ffs_user_copy_worker(), and ensuring that it explicitly sets io_data->req
	to NULL after freeing it within the ffs->eps_lock. This resolves the race
	condition above, as the ffs_aio_cancel() routine will not continue
	attempting to dequeue a request that has already been freed, or the
	ffs_user_copy_work() not freeing the USB request until the AIO cancel is
	done referencing it.

	This fix depends on
	commit b566d38857fc ("usb: gadget: f_fs: use io_data->status
	consistently")

	The Linux kernel CVE team has assigned CVE-2024-36894 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 3.15 with commit 2e4c7553cd6f9c68bb741582dcb614edcbeca70f and fixed in 4.19.317 with commit f71a53148ce34898fef099b75386a3a9f4449311
	Issue introduced in 3.15 with commit 2e4c7553cd6f9c68bb741582dcb614edcbeca70f and fixed in 5.4.279 with commit 9e72ef59cbe61cd1243857a6418ca92104275867
	Issue introduced in 3.15 with commit 2e4c7553cd6f9c68bb741582dcb614edcbeca70f and fixed in 5.10.221 with commit e500b1c4e29ad0bd1c1332a1eaea2913627a92dd
	Issue introduced in 3.15 with commit 2e4c7553cd6f9c68bb741582dcb614edcbeca70f and fixed in 5.15.162 with commit 3613e5023f09b3308545e9d1acda86017ebd418a
	Issue introduced in 3.15 with commit 2e4c7553cd6f9c68bb741582dcb614edcbeca70f and fixed in 6.1.95 with commit a0fdccb1c9e027e3195f947f61aa87d6d0d2ea14
	Issue introduced in 3.15 with commit 2e4c7553cd6f9c68bb741582dcb614edcbeca70f and fixed in 6.6.31 with commit 73c05ad46bb4fbbdb346004651576d1c8dbcffbb
	Issue introduced in 3.15 with commit 2e4c7553cd6f9c68bb741582dcb614edcbeca70f and fixed in 6.8.10 with commit d7461830823242702f5d84084bcccb25159003f4
	Issue introduced in 3.15 with commit 2e4c7553cd6f9c68bb741582dcb614edcbeca70f and fixed in 6.9 with commit 24729b307eefcd7c476065cd7351c1a018082c19

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-36894
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/usb/gadget/function/f_fs.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/f71a53148ce34898fef099b75386a3a9f4449311
	https://git.kernel.org/stable/c/9e72ef59cbe61cd1243857a6418ca92104275867
	https://git.kernel.org/stable/c/e500b1c4e29ad0bd1c1332a1eaea2913627a92dd
	https://git.kernel.org/stable/c/3613e5023f09b3308545e9d1acda86017ebd418a
	https://git.kernel.org/stable/c/a0fdccb1c9e027e3195f947f61aa87d6d0d2ea14
	https://git.kernel.org/stable/c/73c05ad46bb4fbbdb346004651576d1c8dbcffbb
	https://git.kernel.org/stable/c/d7461830823242702f5d84084bcccb25159003f4
	https://git.kernel.org/stable/c/24729b307eefcd7c476065cd7351c1a018082c19