cve/rejected/2024/CVE-2024-57915.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-57915: usb: gadget: u_serial: Disable ep before setting port to null to fix the crash caused by port being null

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 usb: gadget: u_serial: Disable ep before setting port to null to fix the crash caused by port being null

 Considering that in some extreme cases, when performing the
 unbinding operation, gserial_disconnect has cleared gser->ioport,
 which triggers gadget reconfiguration, and then calls gs_read_complete,
 resulting in access to a null pointer. Therefore, ep is disabled before
 gserial_disconnect sets port to null to prevent this from happening.

 Call trace:
  gs_read_complete+0x58/0x240
  usb_gadget_giveback_request+0x40/0x160
  dwc3_remove_requests+0x170/0x484
  dwc3_ep0_out_start+0xb0/0x1d4
  __dwc3_gadget_start+0x25c/0x720
  kretprobe_trampoline.cfi_jt+0x0/0x8
  kretprobe_trampoline.cfi_jt+0x0/0x8
  udc_bind_to_driver+0x1d8/0x300
  usb_gadget_probe_driver+0xa8/0x1dc
  gadget_dev_desc_UDC_store+0x13c/0x188
  configfs_write_iter+0x160/0x1f4
  vfs_write+0x2d0/0x40c
  ksys_write+0x7c/0xf0
  __arm64_sys_write+0x20/0x30
  invoke_syscall+0x60/0x150
  el0_svc_common+0x8c/0xf8
  do_el0_svc+0x28/0xa0
  el0_svc+0x24/0x84

 The Linux kernel CVE team has assigned CVE-2024-57915 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 2.6.27 with commit c1dca562be8ada614ef193aa246c6f8705bcd6b9 and fixed in 5.4.290 with commit f5f33fb57aae12e4b0add79e0242f458ea0bc510
 	Issue introduced in 2.6.27 with commit c1dca562be8ada614ef193aa246c6f8705bcd6b9 and fixed in 5.10.234 with commit 1062b648bff63ed62b2d47a045e08ea9741d98ea
 	Issue introduced in 2.6.27 with commit c1dca562be8ada614ef193aa246c6f8705bcd6b9 and fixed in 5.15.177 with commit d2de56cc45ee447f005d63217e84988b4f02faa9
 	Issue introduced in 2.6.27 with commit c1dca562be8ada614ef193aa246c6f8705bcd6b9 and fixed in 6.1.125 with commit 3d730e8758c75b68a0152ee1ac48a270ea6725b4
 	Issue introduced in 2.6.27 with commit c1dca562be8ada614ef193aa246c6f8705bcd6b9 and fixed in 6.6.72 with commit 0c50f00cc29948184af05bda31392fff5821f4f3
 	Issue introduced in 2.6.27 with commit c1dca562be8ada614ef193aa246c6f8705bcd6b9 and fixed in 6.12.10 with commit 8e122d780a0f19aefd700dbd0b0e3ed3af0ae97f
 	Issue introduced in 2.6.27 with commit c1dca562be8ada614ef193aa246c6f8705bcd6b9 and fixed in 6.13 with commit 13014969cbf07f18d62ceea40bd8ca8ec9d36cec

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-57915
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/usb/gadget/function/u_serial.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/f5f33fb57aae12e4b0add79e0242f458ea0bc510
 	https://git.kernel.org/stable/c/1062b648bff63ed62b2d47a045e08ea9741d98ea
 	https://git.kernel.org/stable/c/d2de56cc45ee447f005d63217e84988b4f02faa9
 	https://git.kernel.org/stable/c/3d730e8758c75b68a0152ee1ac48a270ea6725b4
 	https://git.kernel.org/stable/c/0c50f00cc29948184af05bda31392fff5821f4f3
 	https://git.kernel.org/stable/c/8e122d780a0f19aefd700dbd0b0e3ed3af0ae97f
 	https://git.kernel.org/stable/c/13014969cbf07f18d62ceea40bd8ca8ec9d36cec
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-57915: usb: gadget: u_serial: Disable ep before setting port to null to fix the crash caused by port being null

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	usb: gadget: u_serial: Disable ep before setting port to null to fix the crash caused by port being null

	Considering that in some extreme cases, when performing the
	unbinding operation, gserial_disconnect has cleared gser->ioport,
	which triggers gadget reconfiguration, and then calls gs_read_complete,
	resulting in access to a null pointer. Therefore, ep is disabled before
	gserial_disconnect sets port to null to prevent this from happening.

	Call trace:
	gs_read_complete+0x58/0x240
	usb_gadget_giveback_request+0x40/0x160
	dwc3_remove_requests+0x170/0x484
	dwc3_ep0_out_start+0xb0/0x1d4
	__dwc3_gadget_start+0x25c/0x720
	kretprobe_trampoline.cfi_jt+0x0/0x8
	kretprobe_trampoline.cfi_jt+0x0/0x8
	udc_bind_to_driver+0x1d8/0x300
	usb_gadget_probe_driver+0xa8/0x1dc
	gadget_dev_desc_UDC_store+0x13c/0x188
	configfs_write_iter+0x160/0x1f4
	vfs_write+0x2d0/0x40c
	ksys_write+0x7c/0xf0
	__arm64_sys_write+0x20/0x30
	invoke_syscall+0x60/0x150
	el0_svc_common+0x8c/0xf8
	do_el0_svc+0x28/0xa0
	el0_svc+0x24/0x84

	The Linux kernel CVE team has assigned CVE-2024-57915 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 2.6.27 with commit c1dca562be8ada614ef193aa246c6f8705bcd6b9 and fixed in 5.4.290 with commit f5f33fb57aae12e4b0add79e0242f458ea0bc510
	Issue introduced in 2.6.27 with commit c1dca562be8ada614ef193aa246c6f8705bcd6b9 and fixed in 5.10.234 with commit 1062b648bff63ed62b2d47a045e08ea9741d98ea
	Issue introduced in 2.6.27 with commit c1dca562be8ada614ef193aa246c6f8705bcd6b9 and fixed in 5.15.177 with commit d2de56cc45ee447f005d63217e84988b4f02faa9
	Issue introduced in 2.6.27 with commit c1dca562be8ada614ef193aa246c6f8705bcd6b9 and fixed in 6.1.125 with commit 3d730e8758c75b68a0152ee1ac48a270ea6725b4
	Issue introduced in 2.6.27 with commit c1dca562be8ada614ef193aa246c6f8705bcd6b9 and fixed in 6.6.72 with commit 0c50f00cc29948184af05bda31392fff5821f4f3
	Issue introduced in 2.6.27 with commit c1dca562be8ada614ef193aa246c6f8705bcd6b9 and fixed in 6.12.10 with commit 8e122d780a0f19aefd700dbd0b0e3ed3af0ae97f
	Issue introduced in 2.6.27 with commit c1dca562be8ada614ef193aa246c6f8705bcd6b9 and fixed in 6.13 with commit 13014969cbf07f18d62ceea40bd8ca8ec9d36cec

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-57915
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/usb/gadget/function/u_serial.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/f5f33fb57aae12e4b0add79e0242f458ea0bc510
	https://git.kernel.org/stable/c/1062b648bff63ed62b2d47a045e08ea9741d98ea
	https://git.kernel.org/stable/c/d2de56cc45ee447f005d63217e84988b4f02faa9
	https://git.kernel.org/stable/c/3d730e8758c75b68a0152ee1ac48a270ea6725b4
	https://git.kernel.org/stable/c/0c50f00cc29948184af05bda31392fff5821f4f3
	https://git.kernel.org/stable/c/8e122d780a0f19aefd700dbd0b0e3ed3af0ae97f
	https://git.kernel.org/stable/c/13014969cbf07f18d62ceea40bd8ca8ec9d36cec