cve/published/2025/CVE-2025-21916.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-7c5fe7eed585 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2025-21916: usb: atm: cxacru: fix a flaw in existing endpoint checks

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 usb: atm: cxacru: fix a flaw in existing endpoint checks

 Syzbot once again identified a flaw in usb endpoint checking, see [1].
 This time the issue stems from a commit authored by me (2eabb655a968
 ("usb: atm: cxacru: fix endpoint checking in cxacru_bind()")).

 While using usb_find_common_endpoints() may usually be enough to
 discard devices with wrong endpoints, in this case one needs more
 than just finding and identifying the sufficient number of endpoints
 of correct types - one needs to check the endpoint's address as well.

 Since cxacru_bind() fills URBs with CXACRU_EP_CMD address in mind,
 switch the endpoint verification approach to usb_check_XXX_endpoints()
 instead to fix incomplete ep testing.

 [1] Syzbot report:
 usb 5-1: BOGUS urb xfer, pipe 3 != type 1
 WARNING: CPU: 0 PID: 1378 at drivers/usb/core/urb.c:504 usb_submit_urb+0xc4e/0x18c0 drivers/usb/core/urb.c:503
 ...
 RIP: 0010:usb_submit_urb+0xc4e/0x18c0 drivers/usb/core/urb.c:503
 ...
 Call Trace:
  <TASK>
  cxacru_cm+0x3c8/0xe50 drivers/usb/atm/cxacru.c:649
  cxacru_card_status drivers/usb/atm/cxacru.c:760 [inline]
  cxacru_bind+0xcf9/0x1150 drivers/usb/atm/cxacru.c:1223
  usbatm_usb_probe+0x314/0x1d30 drivers/usb/atm/usbatm.c:1058
  cxacru_usb_probe+0x184/0x220 drivers/usb/atm/cxacru.c:1377
  usb_probe_interface+0x641/0xbb0 drivers/usb/core/driver.c:396
  really_probe+0x2b9/0xad0 drivers/base/dd.c:658
  __driver_probe_device+0x1a2/0x390 drivers/base/dd.c:800
  driver_probe_device+0x50/0x430 drivers/base/dd.c:830
 ...

 The Linux kernel CVE team has assigned CVE-2025-21916 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.4.279 with commit 23926d316d2836315cb113569f91393266eb5b47 and fixed in 5.4.291 with commit dcd592ab9dd8a2bfc36e75583b9006db2a77ec24
 	Issue introduced in 5.10.221 with commit 75ddbf776dd04a09fb9e5267ead5d0c989f84506 and fixed in 5.10.235 with commit 319529e0356bd904528c64647725a2272d297c83
 	Issue introduced in 5.15.162 with commit 1aac4be1aaa5177506219f01dce5e29194e5e95a and fixed in 5.15.179 with commit bf4409f84023b52b5e9b36c0a071a121eee42138
 	Issue introduced in 6.1.97 with commit 5584c776a1af7807ca815ee6265f2c1429fc5727 and fixed in 6.1.131 with commit 197e78076c5ecd895f109158c4ea2954b9919af6
 	Issue introduced in 6.6.37 with commit f536f09eb45e4de8d1b9accee9d992aa1846f1d4 and fixed in 6.6.83 with commit a0475a885d69849b1ade38add6d64338dfa83a8f
 	Issue introduced in 6.10 with commit 2eabb655a968b862bc0c31629a09f0fbf3c80d51 and fixed in 6.12.19 with commit cfc295f7cccf66cbd5123416bcf1bee2e1bd37de
 	Issue introduced in 6.10 with commit 2eabb655a968b862bc0c31629a09f0fbf3c80d51 and fixed in 6.13.7 with commit 903b80c21458bb1e34c3a78c5fdc553821e357f8
 	Issue introduced in 6.10 with commit 2eabb655a968b862bc0c31629a09f0fbf3c80d51 and fixed in 6.14 with commit c90aad369899a607cfbc002bebeafd51e31900cd
 	Issue introduced in 4.19.317 with commit 5159a81924311c1ec786ad9fdef784ead8676a6a
 	Issue introduced in 6.9.8 with commit ac9007520e392541a29daebaae8b9109007bc781

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2025-21916
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/usb/atm/cxacru.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/dcd592ab9dd8a2bfc36e75583b9006db2a77ec24
 	https://git.kernel.org/stable/c/319529e0356bd904528c64647725a2272d297c83
 	https://git.kernel.org/stable/c/bf4409f84023b52b5e9b36c0a071a121eee42138
 	https://git.kernel.org/stable/c/197e78076c5ecd895f109158c4ea2954b9919af6
 	https://git.kernel.org/stable/c/a0475a885d69849b1ade38add6d64338dfa83a8f
 	https://git.kernel.org/stable/c/cfc295f7cccf66cbd5123416bcf1bee2e1bd37de
 	https://git.kernel.org/stable/c/903b80c21458bb1e34c3a78c5fdc553821e357f8
 	https://git.kernel.org/stable/c/c90aad369899a607cfbc002bebeafd51e31900cd
	From bippy-7c5fe7eed585 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2025-21916: usb: atm: cxacru: fix a flaw in existing endpoint checks

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	usb: atm: cxacru: fix a flaw in existing endpoint checks

	Syzbot once again identified a flaw in usb endpoint checking, see [1].
	This time the issue stems from a commit authored by me (2eabb655a968
	("usb: atm: cxacru: fix endpoint checking in cxacru_bind()")).

	While using usb_find_common_endpoints() may usually be enough to
	discard devices with wrong endpoints, in this case one needs more
	than just finding and identifying the sufficient number of endpoints
	of correct types - one needs to check the endpoint's address as well.

	Since cxacru_bind() fills URBs with CXACRU_EP_CMD address in mind,
	switch the endpoint verification approach to usb_check_XXX_endpoints()
	instead to fix incomplete ep testing.

	[1] Syzbot report:
	usb 5-1: BOGUS urb xfer, pipe 3 != type 1
	WARNING: CPU: 0 PID: 1378 at drivers/usb/core/urb.c:504 usb_submit_urb+0xc4e/0x18c0 drivers/usb/core/urb.c:503
	...
	RIP: 0010:usb_submit_urb+0xc4e/0x18c0 drivers/usb/core/urb.c:503
	...
	Call Trace:
	<TASK>
	cxacru_cm+0x3c8/0xe50 drivers/usb/atm/cxacru.c:649
	cxacru_card_status drivers/usb/atm/cxacru.c:760 [inline]
	cxacru_bind+0xcf9/0x1150 drivers/usb/atm/cxacru.c:1223
	usbatm_usb_probe+0x314/0x1d30 drivers/usb/atm/usbatm.c:1058
	cxacru_usb_probe+0x184/0x220 drivers/usb/atm/cxacru.c:1377
	usb_probe_interface+0x641/0xbb0 drivers/usb/core/driver.c:396
	really_probe+0x2b9/0xad0 drivers/base/dd.c:658
	__driver_probe_device+0x1a2/0x390 drivers/base/dd.c:800
	driver_probe_device+0x50/0x430 drivers/base/dd.c:830
	...

	The Linux kernel CVE team has assigned CVE-2025-21916 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.4.279 with commit 23926d316d2836315cb113569f91393266eb5b47 and fixed in 5.4.291 with commit dcd592ab9dd8a2bfc36e75583b9006db2a77ec24
	Issue introduced in 5.10.221 with commit 75ddbf776dd04a09fb9e5267ead5d0c989f84506 and fixed in 5.10.235 with commit 319529e0356bd904528c64647725a2272d297c83
	Issue introduced in 5.15.162 with commit 1aac4be1aaa5177506219f01dce5e29194e5e95a and fixed in 5.15.179 with commit bf4409f84023b52b5e9b36c0a071a121eee42138
	Issue introduced in 6.1.97 with commit 5584c776a1af7807ca815ee6265f2c1429fc5727 and fixed in 6.1.131 with commit 197e78076c5ecd895f109158c4ea2954b9919af6
	Issue introduced in 6.6.37 with commit f536f09eb45e4de8d1b9accee9d992aa1846f1d4 and fixed in 6.6.83 with commit a0475a885d69849b1ade38add6d64338dfa83a8f
	Issue introduced in 6.10 with commit 2eabb655a968b862bc0c31629a09f0fbf3c80d51 and fixed in 6.12.19 with commit cfc295f7cccf66cbd5123416bcf1bee2e1bd37de
	Issue introduced in 6.10 with commit 2eabb655a968b862bc0c31629a09f0fbf3c80d51 and fixed in 6.13.7 with commit 903b80c21458bb1e34c3a78c5fdc553821e357f8
	Issue introduced in 6.10 with commit 2eabb655a968b862bc0c31629a09f0fbf3c80d51 and fixed in 6.14 with commit c90aad369899a607cfbc002bebeafd51e31900cd
	Issue introduced in 4.19.317 with commit 5159a81924311c1ec786ad9fdef784ead8676a6a
	Issue introduced in 6.9.8 with commit ac9007520e392541a29daebaae8b9109007bc781

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2025-21916
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/usb/atm/cxacru.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/dcd592ab9dd8a2bfc36e75583b9006db2a77ec24
	https://git.kernel.org/stable/c/319529e0356bd904528c64647725a2272d297c83
	https://git.kernel.org/stable/c/bf4409f84023b52b5e9b36c0a071a121eee42138
	https://git.kernel.org/stable/c/197e78076c5ecd895f109158c4ea2954b9919af6
	https://git.kernel.org/stable/c/a0475a885d69849b1ade38add6d64338dfa83a8f
	https://git.kernel.org/stable/c/cfc295f7cccf66cbd5123416bcf1bee2e1bd37de
	https://git.kernel.org/stable/c/903b80c21458bb1e34c3a78c5fdc553821e357f8
	https://git.kernel.org/stable/c/c90aad369899a607cfbc002bebeafd51e31900cd