cve/published/2022/CVE-2022-49299.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-1.2.0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@kernel.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2022-49299: usb: dwc2: gadget: don't reset gadget's driver->bus

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 usb: dwc2: gadget: don't reset gadget's driver->bus

 UDC driver should not touch gadget's driver internals, especially it
 should not reset driver->bus. This wasn't harmful so far, but since
 commit fc274c1e9973 ("USB: gadget: Add a new bus for gadgets") gadget
 subsystem got it's own bus and messing with ->bus triggers the
 following NULL pointer dereference:

 dwc2 12480000.hsotg: bound driver g_ether
 8<--- cut here ---
 Unable to handle kernel NULL pointer dereference at virtual address 00000000
 [00000000] *pgd=00000000
 Internal error: Oops: 5 [#1] SMP ARM
 Modules linked in: ...
 CPU: 0 PID: 620 Comm: modprobe Not tainted 5.18.0-rc5-next-20220504 #11862
 Hardware name: Samsung Exynos (Flattened Device Tree)
 PC is at module_add_driver+0x44/0xe8
 LR is at sysfs_do_create_link_sd+0x84/0xe0
 ...
 Process modprobe (pid: 620, stack limit = 0x(ptrval))
 ...
  module_add_driver from bus_add_driver+0xf4/0x1e4
  bus_add_driver from driver_register+0x78/0x10c
  driver_register from usb_gadget_register_driver_owner+0x40/0xb4
  usb_gadget_register_driver_owner from do_one_initcall+0x44/0x1e0
  do_one_initcall from do_init_module+0x44/0x1c8
  do_init_module from load_module+0x19b8/0x1b9c
  load_module from sys_finit_module+0xdc/0xfc
  sys_finit_module from ret_fast_syscall+0x0/0x54
 Exception stack(0xf1771fa8 to 0xf1771ff0)
 ...
 dwc2 12480000.hsotg: new device is high-speed
 ---[ end trace 0000000000000000 ]---

 Fix this by removing driver->bus entry reset.

 The Linux kernel CVE team has assigned CVE-2022-49299 to this issue.


 Affected and fixed versions
 ===========================

 	Fixed in 4.9.318 with commit 5127c0f365265bb69cd776ad6e4b872c309f3fa8
 	Fixed in 4.14.283 with commit efb15ff4a77fe053c941281775fefa91c87770e0
 	Fixed in 4.19.247 with commit bee8f9808a7e82addfc73a0973b16a8bb684205b
 	Fixed in 5.4.198 with commit d232ca0bbc7d03144bad0ffd1792c3352bfd03fa
 	Fixed in 5.10.122 with commit 5b0c0298f7c3b57417f1729ec4071f76864b72dd
 	Fixed in 5.15.47 with commit 547ebdc200b862dff761ff4890f66d8217c33316
 	Fixed in 5.17.15 with commit 172cfc167c8ee6238f24f9c16efd598602af643c
 	Fixed in 5.18.4 with commit d2159feb9d28ce496d77df98313ab454646372ac
 	Fixed in 5.19 with commit 3120aac6d0ecd9accf56894aeac0e265f74d3d5a

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2022-49299
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/usb/dwc2/gadget.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/5127c0f365265bb69cd776ad6e4b872c309f3fa8
 	https://git.kernel.org/stable/c/efb15ff4a77fe053c941281775fefa91c87770e0
 	https://git.kernel.org/stable/c/bee8f9808a7e82addfc73a0973b16a8bb684205b
 	https://git.kernel.org/stable/c/d232ca0bbc7d03144bad0ffd1792c3352bfd03fa
 	https://git.kernel.org/stable/c/5b0c0298f7c3b57417f1729ec4071f76864b72dd
 	https://git.kernel.org/stable/c/547ebdc200b862dff761ff4890f66d8217c33316
 	https://git.kernel.org/stable/c/172cfc167c8ee6238f24f9c16efd598602af643c
 	https://git.kernel.org/stable/c/d2159feb9d28ce496d77df98313ab454646372ac
 	https://git.kernel.org/stable/c/3120aac6d0ecd9accf56894aeac0e265f74d3d5a
	From bippy-1.2.0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@kernel.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2022-49299: usb: dwc2: gadget: don't reset gadget's driver->bus

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	usb: dwc2: gadget: don't reset gadget's driver->bus

	UDC driver should not touch gadget's driver internals, especially it
	should not reset driver->bus. This wasn't harmful so far, but since
	commit fc274c1e9973 ("USB: gadget: Add a new bus for gadgets") gadget
	subsystem got it's own bus and messing with ->bus triggers the
	following NULL pointer dereference:

	dwc2 12480000.hsotg: bound driver g_ether
	8<--- cut here ---
	Unable to handle kernel NULL pointer dereference at virtual address 00000000
	[00000000] *pgd=00000000
	Internal error: Oops: 5 [#1] SMP ARM
	Modules linked in: ...
	CPU: 0 PID: 620 Comm: modprobe Not tainted 5.18.0-rc5-next-20220504 #11862
	Hardware name: Samsung Exynos (Flattened Device Tree)
	PC is at module_add_driver+0x44/0xe8
	LR is at sysfs_do_create_link_sd+0x84/0xe0
	...
	Process modprobe (pid: 620, stack limit = 0x(ptrval))
	...
	module_add_driver from bus_add_driver+0xf4/0x1e4
	bus_add_driver from driver_register+0x78/0x10c
	driver_register from usb_gadget_register_driver_owner+0x40/0xb4
	usb_gadget_register_driver_owner from do_one_initcall+0x44/0x1e0
	do_one_initcall from do_init_module+0x44/0x1c8
	do_init_module from load_module+0x19b8/0x1b9c
	load_module from sys_finit_module+0xdc/0xfc
	sys_finit_module from ret_fast_syscall+0x0/0x54
	Exception stack(0xf1771fa8 to 0xf1771ff0)
	...
	dwc2 12480000.hsotg: new device is high-speed
	---[ end trace 0000000000000000 ]---

	Fix this by removing driver->bus entry reset.

	The Linux kernel CVE team has assigned CVE-2022-49299 to this issue.


	Affected and fixed versions
	===========================

	Fixed in 4.9.318 with commit 5127c0f365265bb69cd776ad6e4b872c309f3fa8
	Fixed in 4.14.283 with commit efb15ff4a77fe053c941281775fefa91c87770e0
	Fixed in 4.19.247 with commit bee8f9808a7e82addfc73a0973b16a8bb684205b
	Fixed in 5.4.198 with commit d232ca0bbc7d03144bad0ffd1792c3352bfd03fa
	Fixed in 5.10.122 with commit 5b0c0298f7c3b57417f1729ec4071f76864b72dd
	Fixed in 5.15.47 with commit 547ebdc200b862dff761ff4890f66d8217c33316
	Fixed in 5.17.15 with commit 172cfc167c8ee6238f24f9c16efd598602af643c
	Fixed in 5.18.4 with commit d2159feb9d28ce496d77df98313ab454646372ac
	Fixed in 5.19 with commit 3120aac6d0ecd9accf56894aeac0e265f74d3d5a

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2022-49299
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/usb/dwc2/gadget.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/5127c0f365265bb69cd776ad6e4b872c309f3fa8
	https://git.kernel.org/stable/c/efb15ff4a77fe053c941281775fefa91c87770e0
	https://git.kernel.org/stable/c/bee8f9808a7e82addfc73a0973b16a8bb684205b
	https://git.kernel.org/stable/c/d232ca0bbc7d03144bad0ffd1792c3352bfd03fa
	https://git.kernel.org/stable/c/5b0c0298f7c3b57417f1729ec4071f76864b72dd
	https://git.kernel.org/stable/c/547ebdc200b862dff761ff4890f66d8217c33316
	https://git.kernel.org/stable/c/172cfc167c8ee6238f24f9c16efd598602af643c
	https://git.kernel.org/stable/c/d2159feb9d28ce496d77df98313ab454646372ac
	https://git.kernel.org/stable/c/3120aac6d0ecd9accf56894aeac0e265f74d3d5a