cve/published/2024/CVE-2024-57913.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-57913: usb: gadget: f_fs: Remove WARN_ON in functionfs_bind

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 usb: gadget: f_fs: Remove WARN_ON in functionfs_bind

 This commit addresses an issue related to below kernel panic where
 panic_on_warn is enabled. It is caused by the unnecessary use of WARN_ON
 in functionsfs_bind, which easily leads to the following scenarios.

 1.adb_write in adbd               2. UDC write via configfs
   =================	             =====================

 ->usb_ffs_open_thread()           ->UDC write
  ->open_functionfs()               ->configfs_write_iter()
   ->adb_open()                      ->gadget_dev_desc_UDC_store()
    ->adb_write()                     ->usb_gadget_register_driver_owner
                                       ->driver_register()
 ->StartMonitor()                       ->bus_add_driver()
  ->adb_read()                           ->gadget_bind_driver()
 <times-out without BIND event>           ->configfs_composite_bind()
                                           ->usb_add_function()
 ->open_functionfs()                        ->ffs_func_bind()
  ->adb_open()                               ->functionfs_bind()
                                        <ffs->state !=FFS_ACTIVE>

 The adb_open, adb_read, and adb_write operations are invoked from the
 daemon, but trying to bind the function is a process that is invoked by
 UDC write through configfs, which opens up the possibility of a race
 condition between the two paths. In this race scenario, the kernel panic
 occurs due to the WARN_ON from functionfs_bind when panic_on_warn is
 enabled. This commit fixes the kernel panic by removing the unnecessary
 WARN_ON.

 Kernel panic - not syncing: kernel: panic_on_warn set ...
 [   14.542395] Call trace:
 [   14.542464]  ffs_func_bind+0x1c8/0x14a8
 [   14.542468]  usb_add_function+0xcc/0x1f0
 [   14.542473]  configfs_composite_bind+0x468/0x588
 [   14.542478]  gadget_bind_driver+0x108/0x27c
 [   14.542483]  really_probe+0x190/0x374
 [   14.542488]  __driver_probe_device+0xa0/0x12c
 [   14.542492]  driver_probe_device+0x3c/0x220
 [   14.542498]  __driver_attach+0x11c/0x1fc
 [   14.542502]  bus_for_each_dev+0x104/0x160
 [   14.542506]  driver_attach+0x24/0x34
 [   14.542510]  bus_add_driver+0x154/0x270
 [   14.542514]  driver_register+0x68/0x104
 [   14.542518]  usb_gadget_register_driver_owner+0x48/0xf4
 [   14.542523]  gadget_dev_desc_UDC_store+0xf8/0x144
 [   14.542526]  configfs_write_iter+0xf0/0x138

 The Linux kernel CVE team has assigned CVE-2024-57913 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 2.6.35 with commit ddf8abd2599491cbad959c700b90ba72a5dce8d0 and fixed in 5.4.290 with commit bfe60030fcd976e3546e1f73d6d0eb3fea26442e
 	Issue introduced in 2.6.35 with commit ddf8abd2599491cbad959c700b90ba72a5dce8d0 and fixed in 5.10.234 with commit 3e4d32cc145955d5c56c5498a3ff057e4aafa9d1
 	Issue introduced in 2.6.35 with commit ddf8abd2599491cbad959c700b90ba72a5dce8d0 and fixed in 5.15.177 with commit 19fc1c83454ca9d5699e39633ec79ce26355251c
 	Issue introduced in 2.6.35 with commit ddf8abd2599491cbad959c700b90ba72a5dce8d0 and fixed in 6.1.125 with commit 82f60f3600aecd9ffcd0fbc4e193694511c85b47
 	Issue introduced in 2.6.35 with commit ddf8abd2599491cbad959c700b90ba72a5dce8d0 and fixed in 6.6.72 with commit ea6a1498742430eb2effce0d1439ff29ef37dd7d
 	Issue introduced in 2.6.35 with commit ddf8abd2599491cbad959c700b90ba72a5dce8d0 and fixed in 6.12.10 with commit a8b6a18b9b66cc4c016d63132b59ce5383f7cdd2
 	Issue introduced in 2.6.35 with commit ddf8abd2599491cbad959c700b90ba72a5dce8d0 and fixed in 6.13 with commit dfc51e48bca475bbee984e90f33fdc537ce09699

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-57913
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/usb/gadget/function/f_fs.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/bfe60030fcd976e3546e1f73d6d0eb3fea26442e
 	https://git.kernel.org/stable/c/3e4d32cc145955d5c56c5498a3ff057e4aafa9d1
 	https://git.kernel.org/stable/c/19fc1c83454ca9d5699e39633ec79ce26355251c
 	https://git.kernel.org/stable/c/82f60f3600aecd9ffcd0fbc4e193694511c85b47
 	https://git.kernel.org/stable/c/ea6a1498742430eb2effce0d1439ff29ef37dd7d
 	https://git.kernel.org/stable/c/a8b6a18b9b66cc4c016d63132b59ce5383f7cdd2
 	https://git.kernel.org/stable/c/dfc51e48bca475bbee984e90f33fdc537ce09699
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-57913: usb: gadget: f_fs: Remove WARN_ON in functionfs_bind

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	usb: gadget: f_fs: Remove WARN_ON in functionfs_bind

	This commit addresses an issue related to below kernel panic where
	panic_on_warn is enabled. It is caused by the unnecessary use of WARN_ON
	in functionsfs_bind, which easily leads to the following scenarios.

	1.adb_write in adbd 2. UDC write via configfs
	================= =====================

	->usb_ffs_open_thread() ->UDC write
	->open_functionfs() ->configfs_write_iter()
	->adb_open() ->gadget_dev_desc_UDC_store()
	->adb_write() ->usb_gadget_register_driver_owner
	->driver_register()
	->StartMonitor() ->bus_add_driver()
	->adb_read() ->gadget_bind_driver()
	<times-out without BIND event> ->configfs_composite_bind()
	->usb_add_function()
	->open_functionfs() ->ffs_func_bind()
	->adb_open() ->functionfs_bind()
	<ffs->state !=FFS_ACTIVE>

	The adb_open, adb_read, and adb_write operations are invoked from the
	daemon, but trying to bind the function is a process that is invoked by
	UDC write through configfs, which opens up the possibility of a race
	condition between the two paths. In this race scenario, the kernel panic
	occurs due to the WARN_ON from functionfs_bind when panic_on_warn is
	enabled. This commit fixes the kernel panic by removing the unnecessary
	WARN_ON.

	Kernel panic - not syncing: kernel: panic_on_warn set ...
	[ 14.542395] Call trace:
	[ 14.542464] ffs_func_bind+0x1c8/0x14a8
	[ 14.542468] usb_add_function+0xcc/0x1f0
	[ 14.542473] configfs_composite_bind+0x468/0x588
	[ 14.542478] gadget_bind_driver+0x108/0x27c
	[ 14.542483] really_probe+0x190/0x374
	[ 14.542488] __driver_probe_device+0xa0/0x12c
	[ 14.542492] driver_probe_device+0x3c/0x220
	[ 14.542498] __driver_attach+0x11c/0x1fc
	[ 14.542502] bus_for_each_dev+0x104/0x160
	[ 14.542506] driver_attach+0x24/0x34
	[ 14.542510] bus_add_driver+0x154/0x270
	[ 14.542514] driver_register+0x68/0x104
	[ 14.542518] usb_gadget_register_driver_owner+0x48/0xf4
	[ 14.542523] gadget_dev_desc_UDC_store+0xf8/0x144
	[ 14.542526] configfs_write_iter+0xf0/0x138

	The Linux kernel CVE team has assigned CVE-2024-57913 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 2.6.35 with commit ddf8abd2599491cbad959c700b90ba72a5dce8d0 and fixed in 5.4.290 with commit bfe60030fcd976e3546e1f73d6d0eb3fea26442e
	Issue introduced in 2.6.35 with commit ddf8abd2599491cbad959c700b90ba72a5dce8d0 and fixed in 5.10.234 with commit 3e4d32cc145955d5c56c5498a3ff057e4aafa9d1
	Issue introduced in 2.6.35 with commit ddf8abd2599491cbad959c700b90ba72a5dce8d0 and fixed in 5.15.177 with commit 19fc1c83454ca9d5699e39633ec79ce26355251c
	Issue introduced in 2.6.35 with commit ddf8abd2599491cbad959c700b90ba72a5dce8d0 and fixed in 6.1.125 with commit 82f60f3600aecd9ffcd0fbc4e193694511c85b47
	Issue introduced in 2.6.35 with commit ddf8abd2599491cbad959c700b90ba72a5dce8d0 and fixed in 6.6.72 with commit ea6a1498742430eb2effce0d1439ff29ef37dd7d
	Issue introduced in 2.6.35 with commit ddf8abd2599491cbad959c700b90ba72a5dce8d0 and fixed in 6.12.10 with commit a8b6a18b9b66cc4c016d63132b59ce5383f7cdd2
	Issue introduced in 2.6.35 with commit ddf8abd2599491cbad959c700b90ba72a5dce8d0 and fixed in 6.13 with commit dfc51e48bca475bbee984e90f33fdc537ce09699

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-57913
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/usb/gadget/function/f_fs.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/bfe60030fcd976e3546e1f73d6d0eb3fea26442e
	https://git.kernel.org/stable/c/3e4d32cc145955d5c56c5498a3ff057e4aafa9d1
	https://git.kernel.org/stable/c/19fc1c83454ca9d5699e39633ec79ce26355251c
	https://git.kernel.org/stable/c/82f60f3600aecd9ffcd0fbc4e193694511c85b47
	https://git.kernel.org/stable/c/ea6a1498742430eb2effce0d1439ff29ef37dd7d
	https://git.kernel.org/stable/c/a8b6a18b9b66cc4c016d63132b59ce5383f7cdd2
	https://git.kernel.org/stable/c/dfc51e48bca475bbee984e90f33fdc537ce09699