| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2024122836-CVE-2024-56698-6b0b@gregkh> Date: Sat, 28 Dec 2024 10:45:50 +0100 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org> Subject: CVE-2024-56698: usb: dwc3: gadget: Fix looping of queued SG entries Description =========== In the Linux kernel, the following vulnerability has been resolved: usb: dwc3: gadget: Fix looping of queued SG entries The dwc3_request->num_queued_sgs is decremented on completion. If a partially completed request is handled, then the dwc3_request->num_queued_sgs no longer reflects the total number of num_queued_sgs (it would be cleared). Correctly check the number of request SG entries remained to be prepare and queued. Failure to do this may cause null pointer dereference when accessing non-existent SG entry. The Linux kernel CVE team has assigned CVE-2024-56698 to this issue. Affected and fixed versions =========================== Issue introduced in 4.18 with commit c96e6725db9d6a04ac1bee881e3034b636d9f71c and fixed in 5.10.231 with commit 8ceb21d76426bbe7072cc3e43281e70c0d664cc7 Issue introduced in 4.18 with commit c96e6725db9d6a04ac1bee881e3034b636d9f71c and fixed in 5.15.174 with commit 0247da93bf62d33304b7bf97850ebf2a86e06d28 Issue introduced in 4.18 with commit c96e6725db9d6a04ac1bee881e3034b636d9f71c and fixed in 6.1.120 with commit c9e72352a10ae89a430449f7bfeb043e75c255d9 Issue introduced in 4.18 with commit c96e6725db9d6a04ac1bee881e3034b636d9f71c and fixed in 6.6.64 with commit 1534f6f69393aac773465d80d31801b554352627 Issue introduced in 4.18 with commit c96e6725db9d6a04ac1bee881e3034b636d9f71c and fixed in 6.11.11 with commit b7c3d0b59213ebeedff63d128728ce0b3d7a51ec Issue introduced in 4.18 with commit c96e6725db9d6a04ac1bee881e3034b636d9f71c and fixed in 6.12.2 with commit 70777a23a54e359cfdfafc625a57cd56434f3859 Issue introduced in 4.18 with commit c96e6725db9d6a04ac1bee881e3034b636d9f71c and fixed in 6.13-rc1 with commit b7fc65f5141c24785dc8c19249ca4efcf71b3524 Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2024-56698 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: drivers/usb/dwc3/gadget.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/8ceb21d76426bbe7072cc3e43281e70c0d664cc7 https://git.kernel.org/stable/c/0247da93bf62d33304b7bf97850ebf2a86e06d28 https://git.kernel.org/stable/c/c9e72352a10ae89a430449f7bfeb043e75c255d9 https://git.kernel.org/stable/c/1534f6f69393aac773465d80d31801b554352627 https://git.kernel.org/stable/c/b7c3d0b59213ebeedff63d128728ce0b3d7a51ec https://git.kernel.org/stable/c/70777a23a54e359cfdfafc625a57cd56434f3859 https://git.kernel.org/stable/c/b7fc65f5141c24785dc8c19249ca4efcf71b3524
Powered by blists - more mailing lists