cve/published/2025/CVE-2025-21776.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2025-21776: USB: hub: Ignore non-compliant devices with too many configs or interfaces

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 USB: hub: Ignore non-compliant devices with too many configs or interfaces

 Robert Morris created a test program which can cause
 usb_hub_to_struct_hub() to dereference a NULL or inappropriate
 pointer:

 Oops: general protection fault, probably for non-canonical address
 0xcccccccccccccccc: 0000 [#1] SMP DEBUG_PAGEALLOC PTI
 CPU: 7 UID: 0 PID: 117 Comm: kworker/7:1 Not tainted 6.13.0-rc3-00017-gf44d154d6e3d #14
 Hardware name: FreeBSD BHYVE/BHYVE, BIOS 14.0 10/17/2021
 Workqueue: usb_hub_wq hub_event
 RIP: 0010:usb_hub_adjust_deviceremovable+0x78/0x110
 ...
 Call Trace:
  <TASK>
  ? die_addr+0x31/0x80
  ? exc_general_protection+0x1b4/0x3c0
  ? asm_exc_general_protection+0x26/0x30
  ? usb_hub_adjust_deviceremovable+0x78/0x110
  hub_probe+0x7c7/0xab0
  usb_probe_interface+0x14b/0x350
  really_probe+0xd0/0x2d0
  ? __pfx___device_attach_driver+0x10/0x10
  __driver_probe_device+0x6e/0x110
  driver_probe_device+0x1a/0x90
  __device_attach_driver+0x7e/0xc0
  bus_for_each_drv+0x7f/0xd0
  __device_attach+0xaa/0x1a0
  bus_probe_device+0x8b/0xa0
  device_add+0x62e/0x810
  usb_set_configuration+0x65d/0x990
  usb_generic_driver_probe+0x4b/0x70
  usb_probe_device+0x36/0xd0

 The cause of this error is that the device has two interfaces, and the
 hub driver binds to interface 1 instead of interface 0, which is where
 usb_hub_to_struct_hub() looks.

 We can prevent the problem from occurring by refusing to accept hub
 devices that violate the USB spec by having more than one
 configuration or interface.

 The Linux kernel CVE team has assigned CVE-2025-21776 to this issue.


 Affected and fixed versions
 ===========================

 	Fixed in 5.4.291 with commit 49f077106fa07919a6a6dda99bb490dd1d1a8218
 	Fixed in 5.10.235 with commit d343fe0fad5c1d689775f2dda24a85ce98e29566
 	Fixed in 5.15.179 with commit d3a67adb365cdfdac4620daf38a82e57ca45806c
 	Fixed in 6.1.129 with commit c3720b04df84b5459050ae4e03ec7d545652f897
 	Fixed in 6.6.79 with commit e905a0fca7bff0855d312c16f71e60e1773b393e
 	Fixed in 6.12.16 with commit 62d8f4c5454dd39aded4f343720d1c5a1803cfef
 	Fixed in 6.13.4 with commit 5b9778e1fe715700993ce436c152dc3b7df0b490
 	Fixed in 6.14 with commit 2240fed37afbcdb5e8b627bc7ad986891100e05d

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2025-21776
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/usb/core/hub.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/49f077106fa07919a6a6dda99bb490dd1d1a8218
 	https://git.kernel.org/stable/c/d343fe0fad5c1d689775f2dda24a85ce98e29566
 	https://git.kernel.org/stable/c/d3a67adb365cdfdac4620daf38a82e57ca45806c
 	https://git.kernel.org/stable/c/c3720b04df84b5459050ae4e03ec7d545652f897
 	https://git.kernel.org/stable/c/e905a0fca7bff0855d312c16f71e60e1773b393e
 	https://git.kernel.org/stable/c/62d8f4c5454dd39aded4f343720d1c5a1803cfef
 	https://git.kernel.org/stable/c/5b9778e1fe715700993ce436c152dc3b7df0b490
 	https://git.kernel.org/stable/c/2240fed37afbcdb5e8b627bc7ad986891100e05d
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2025-21776: USB: hub: Ignore non-compliant devices with too many configs or interfaces

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	USB: hub: Ignore non-compliant devices with too many configs or interfaces

	Robert Morris created a test program which can cause
	usb_hub_to_struct_hub() to dereference a NULL or inappropriate
	pointer:

	Oops: general protection fault, probably for non-canonical address
	0xcccccccccccccccc: 0000 [#1] SMP DEBUG_PAGEALLOC PTI
	CPU: 7 UID: 0 PID: 117 Comm: kworker/7:1 Not tainted 6.13.0-rc3-00017-gf44d154d6e3d #14
	Hardware name: FreeBSD BHYVE/BHYVE, BIOS 14.0 10/17/2021
	Workqueue: usb_hub_wq hub_event
	RIP: 0010:usb_hub_adjust_deviceremovable+0x78/0x110
	...
	Call Trace:
	<TASK>
	? die_addr+0x31/0x80
	? exc_general_protection+0x1b4/0x3c0
	? asm_exc_general_protection+0x26/0x30
	? usb_hub_adjust_deviceremovable+0x78/0x110
	hub_probe+0x7c7/0xab0
	usb_probe_interface+0x14b/0x350
	really_probe+0xd0/0x2d0
	? __pfx___device_attach_driver+0x10/0x10
	__driver_probe_device+0x6e/0x110
	driver_probe_device+0x1a/0x90
	__device_attach_driver+0x7e/0xc0
	bus_for_each_drv+0x7f/0xd0
	__device_attach+0xaa/0x1a0
	bus_probe_device+0x8b/0xa0
	device_add+0x62e/0x810
	usb_set_configuration+0x65d/0x990
	usb_generic_driver_probe+0x4b/0x70
	usb_probe_device+0x36/0xd0

	The cause of this error is that the device has two interfaces, and the
	hub driver binds to interface 1 instead of interface 0, which is where
	usb_hub_to_struct_hub() looks.

	We can prevent the problem from occurring by refusing to accept hub
	devices that violate the USB spec by having more than one
	configuration or interface.

	The Linux kernel CVE team has assigned CVE-2025-21776 to this issue.


	Affected and fixed versions
	===========================

	Fixed in 5.4.291 with commit 49f077106fa07919a6a6dda99bb490dd1d1a8218
	Fixed in 5.10.235 with commit d343fe0fad5c1d689775f2dda24a85ce98e29566
	Fixed in 5.15.179 with commit d3a67adb365cdfdac4620daf38a82e57ca45806c
	Fixed in 6.1.129 with commit c3720b04df84b5459050ae4e03ec7d545652f897
	Fixed in 6.6.79 with commit e905a0fca7bff0855d312c16f71e60e1773b393e
	Fixed in 6.12.16 with commit 62d8f4c5454dd39aded4f343720d1c5a1803cfef
	Fixed in 6.13.4 with commit 5b9778e1fe715700993ce436c152dc3b7df0b490
	Fixed in 6.14 with commit 2240fed37afbcdb5e8b627bc7ad986891100e05d

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2025-21776
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/usb/core/hub.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/49f077106fa07919a6a6dda99bb490dd1d1a8218
	https://git.kernel.org/stable/c/d343fe0fad5c1d689775f2dda24a85ce98e29566
	https://git.kernel.org/stable/c/d3a67adb365cdfdac4620daf38a82e57ca45806c
	https://git.kernel.org/stable/c/c3720b04df84b5459050ae4e03ec7d545652f897
	https://git.kernel.org/stable/c/e905a0fca7bff0855d312c16f71e60e1773b393e
	https://git.kernel.org/stable/c/62d8f4c5454dd39aded4f343720d1c5a1803cfef
	https://git.kernel.org/stable/c/5b9778e1fe715700993ce436c152dc3b7df0b490
	https://git.kernel.org/stable/c/2240fed37afbcdb5e8b627bc7ad986891100e05d