cve/published/2025/CVE-2025-22023.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-1.2.0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@kernel.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2025-22023: usb: xhci: Don't skip on Stopped - Length Invalid

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 usb: xhci: Don't skip on Stopped - Length Invalid

 Up until commit d56b0b2ab142 ("usb: xhci: ensure skipped isoc TDs are
 returned when isoc ring is stopped") in v6.11, the driver didn't skip
 missed isochronous TDs when handling Stoppend and Stopped - Length
 Invalid events. Instead, it erroneously cleared the skip flag, which
 would cause the ring to get stuck, as future events won't match the
 missed TD which is never removed from the queue until it's cancelled.

 This buggy logic seems to have been in place substantially unchanged
 since the 3.x series over 10 years ago, which probably speaks first
 and foremost about relative rarity of this case in normal usage, but
 by the spec I see no reason why it shouldn't be possible.

 After d56b0b2ab142, TDs are immediately skipped when handling those
 Stopped events. This poses a potential problem in case of Stopped -
 Length Invalid, which occurs either on completed TDs (likely already
 given back) or Link and No-Op TRBs. Such event won't be recognized
 as matching any TD (unless it's the rare Link TRB inside a TD) and
 will result in skipping all pending TDs, giving them back possibly
 before they are done, risking isoc data loss and maybe UAF by HW.

 As a compromise, don't skip and don't clear the skip flag on this
 kind of event. Then the next event will skip missed TDs. A downside
 of not handling Stopped - Length Invalid on a Link inside a TD is
 that if the TD is cancelled, its actual length will not be updated
 to account for TRBs (silently) completed before the TD was stopped.

 I had no luck producing this sequence of completion events so there
 is no compelling demonstration of any resulting disaster. It may be
 a very rare, obscure condition. The sole motivation for this patch
 is that if such unlikely event does occur, I'd rather risk reporting
 a cancelled partially done isoc frame as empty than gamble with UAF.

 This will be fixed more properly by looking at Stopped event's TRB
 pointer when making skipping decisions, but such rework is unlikely
 to be backported to v6.12, which will stay around for a few years.

 The Linux kernel CVE team has assigned CVE-2025-22023 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 6.11 with commit d56b0b2ab142940b06eac56dcb3ab1ab88df38a2 and fixed in 6.12.22 with commit 6af20ac254cbd0e1178a3542767c9308e209eee5
 	Issue introduced in 6.11 with commit d56b0b2ab142940b06eac56dcb3ab1ab88df38a2 and fixed in 6.13.10 with commit 49cf6f5293aeb706dd672608478336a003f37df6
 	Issue introduced in 6.11 with commit d56b0b2ab142940b06eac56dcb3ab1ab88df38a2 and fixed in 6.14.1 with commit de9e78167f760a699806793d7c987239e4f6c8c3
 	Issue introduced in 6.11 with commit d56b0b2ab142940b06eac56dcb3ab1ab88df38a2 and fixed in 6.15 with commit 58d0a3fab5f4fdc112c16a4c6d382f62097afd1c

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2025-22023
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/usb/host/xhci-ring.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/6af20ac254cbd0e1178a3542767c9308e209eee5
 	https://git.kernel.org/stable/c/49cf6f5293aeb706dd672608478336a003f37df6
 	https://git.kernel.org/stable/c/de9e78167f760a699806793d7c987239e4f6c8c3
 	https://git.kernel.org/stable/c/58d0a3fab5f4fdc112c16a4c6d382f62097afd1c
	From bippy-1.2.0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@kernel.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2025-22023: usb: xhci: Don't skip on Stopped - Length Invalid

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	usb: xhci: Don't skip on Stopped - Length Invalid

	Up until commit d56b0b2ab142 ("usb: xhci: ensure skipped isoc TDs are
	returned when isoc ring is stopped") in v6.11, the driver didn't skip
	missed isochronous TDs when handling Stoppend and Stopped - Length
	Invalid events. Instead, it erroneously cleared the skip flag, which
	would cause the ring to get stuck, as future events won't match the
	missed TD which is never removed from the queue until it's cancelled.

	This buggy logic seems to have been in place substantially unchanged
	since the 3.x series over 10 years ago, which probably speaks first
	and foremost about relative rarity of this case in normal usage, but
	by the spec I see no reason why it shouldn't be possible.

	After d56b0b2ab142, TDs are immediately skipped when handling those
	Stopped events. This poses a potential problem in case of Stopped -
	Length Invalid, which occurs either on completed TDs (likely already
	given back) or Link and No-Op TRBs. Such event won't be recognized
	as matching any TD (unless it's the rare Link TRB inside a TD) and
	will result in skipping all pending TDs, giving them back possibly
	before they are done, risking isoc data loss and maybe UAF by HW.

	As a compromise, don't skip and don't clear the skip flag on this
	kind of event. Then the next event will skip missed TDs. A downside
	of not handling Stopped - Length Invalid on a Link inside a TD is
	that if the TD is cancelled, its actual length will not be updated
	to account for TRBs (silently) completed before the TD was stopped.

	I had no luck producing this sequence of completion events so there
	is no compelling demonstration of any resulting disaster. It may be
	a very rare, obscure condition. The sole motivation for this patch
	is that if such unlikely event does occur, I'd rather risk reporting
	a cancelled partially done isoc frame as empty than gamble with UAF.

	This will be fixed more properly by looking at Stopped event's TRB
	pointer when making skipping decisions, but such rework is unlikely
	to be backported to v6.12, which will stay around for a few years.

	The Linux kernel CVE team has assigned CVE-2025-22023 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 6.11 with commit d56b0b2ab142940b06eac56dcb3ab1ab88df38a2 and fixed in 6.12.22 with commit 6af20ac254cbd0e1178a3542767c9308e209eee5
	Issue introduced in 6.11 with commit d56b0b2ab142940b06eac56dcb3ab1ab88df38a2 and fixed in 6.13.10 with commit 49cf6f5293aeb706dd672608478336a003f37df6
	Issue introduced in 6.11 with commit d56b0b2ab142940b06eac56dcb3ab1ab88df38a2 and fixed in 6.14.1 with commit de9e78167f760a699806793d7c987239e4f6c8c3
	Issue introduced in 6.11 with commit d56b0b2ab142940b06eac56dcb3ab1ab88df38a2 and fixed in 6.15 with commit 58d0a3fab5f4fdc112c16a4c6d382f62097afd1c

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2025-22023
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/usb/host/xhci-ring.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/6af20ac254cbd0e1178a3542767c9308e209eee5
	https://git.kernel.org/stable/c/49cf6f5293aeb706dd672608478336a003f37df6
	https://git.kernel.org/stable/c/de9e78167f760a699806793d7c987239e4f6c8c3
	https://git.kernel.org/stable/c/58d0a3fab5f4fdc112c16a4c6d382f62097afd1c