Message-ID: <2025022634-CVE-2022-49299-6304@gregkh>
Date: Wed, 26 Feb 2025 03:09:33 +0100
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Subject: CVE-2022-49299: usb: dwc2: gadget: don't reset gadget's driver->bus

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

usb: dwc2: gadget: don't reset gadget's driver->bus

UDC driver should not touch gadget's driver internals, especially it
should not reset driver->bus. This wasn't harmful so far, but since
commit fc274c1e9973 ("USB: gadget: Add a new bus for gadgets") gadget
subsystem got its own bus and messing with ->bus triggers the
following NULL pointer dereference:

dwc2 12480000.hsotg: bound driver g_ether
8<--- cut here ---
Unable to handle kernel NULL pointer dereference at virtual address 00000000
[00000000] *pgd=00000000
Internal error: Oops: 5 [#1] SMP ARM
Modules linked in: ...
CPU: 0 PID: 620 Comm: modprobe Not tainted 5.18.0-rc5-next-20220504 #11862
Hardware name: Samsung Exynos (Flattened Device Tree)
PC is at module_add_driver+0x44/0xe8
LR is at sysfs_do_create_link_sd+0x84/0xe0
...
Process modprobe (pid: 620, stack limit = 0x(ptrval))
...
 module_add_driver from bus_add_driver+0xf4/0x1e4
 bus_add_driver from driver_register+0x78/0x10c
 driver_register from usb_gadget_register_driver_owner+0x40/0xb4
 usb_gadget_register_driver_owner from do_one_initcall+0x44/0x1e0
 do_one_initcall from do_init_module+0x44/0x1c8
 do_init_module from load_module+0x19b8/0x1b9c
 load_module from sys_finit_module+0xdc/0xfc
 sys_finit_module from ret_fast_syscall+0x0/0x54
Exception stack(0xf1771fa8 to 0xf1771ff0)
...
dwc2 12480000.hsotg: new device is high-speed
---[ end trace 0000000000000000 ]---

Fix this by removing driver->bus entry reset.

The Linux kernel CVE team has assigned CVE-2022-49299 to this issue.


Affected and fixed versions
===========================

	Fixed in 4.9.318 with commit 5127c0f365265bb69cd776ad6e4b872c309f3fa8
	Fixed in 4.14.283 with commit efb15ff4a77fe053c941281775fefa91c87770e0
	Fixed in 4.19.247 with commit bee8f9808a7e82addfc73a0973b16a8bb684205b
	Fixed in 5.4.198 with commit d232ca0bbc7d03144bad0ffd1792c3352bfd03fa
	Fixed in 5.10.122 with commit 5b0c0298f7c3b57417f1729ec4071f76864b72dd
	Fixed in 5.15.47 with commit 547ebdc200b862dff761ff4890f66d8217c33316
	Fixed in 5.17.15 with commit 172cfc167c8ee6238f24f9c16efd598602af643c
	Fixed in 5.18.4 with commit d2159feb9d28ce496d77df98313ab454646372ac
	Fixed in 5.19 with commit 3120aac6d0ecd9accf56894aeac0e265f74d3d5a

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2022-49299
will be updated if fixes are backported, please check that for the most
up to date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
	drivers/usb/dwc2/gadget.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes.  Individual
changes are never tested alone, but rather are part of a larger kernel
release.  Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.  If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/5127c0f365265bb69cd776ad6e4b872c309f3fa8
	https://git.kernel.org/stable/c/efb15ff4a77fe053c941281775fefa91c87770e0
	https://git.kernel.org/stable/c/bee8f9808a7e82addfc73a0973b16a8bb684205b
	https://git.kernel.org/stable/c/d232ca0bbc7d03144bad0ffd1792c3352bfd03fa
	https://git.kernel.org/stable/c/5b0c0298f7c3b57417f1729ec4071f76864b72dd
	https://git.kernel.org/stable/c/547ebdc200b862dff761ff4890f66d8217c33316
	https://git.kernel.org/stable/c/172cfc167c8ee6238f24f9c16efd598602af643c
	https://git.kernel.org/stable/c/d2159feb9d28ce496d77df98313ab454646372ac
	https://git.kernel.org/stable/c/3120aac6d0ecd9accf56894aeac0e265f74d3d5a
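
Added example, not part of the announcement above: a small checker that compares a `uname -r` string against the "Fixed in" list by upstream version number. The function names and status strings are hypothetical; the result says nothing about distribution kernels that backport fixes without changing the upstream version, and branches the list does not name are reported as "unlisted" rather than guessed.

```python
import re

# Fixed stable releases per branch, copied from "Affected and fixed versions".
FIXED_STABLE = {
    (4, 9): 318, (4, 14): 283, (4, 19): 247, (5, 4): 198,
    (5, 10): 122, (5, 15): 47, (5, 17): 15, (5, 18): 4,
}
FIXED_MAINLINE = (5, 19)  # "Fixed in 5.19"


def parse_release(release):
    """Split a `uname -r` style string into (major, minor, patch, is_rc)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?(.*)", release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor, patch, rest = m.groups()
    is_rc = bool(re.match(r"-rc\d+", rest))
    return int(major), int(minor), int(patch or 0), is_rc


def fix_status(release):
    """Classify a release against the advisory's list (hypothetical helper).

    "fixed"       - at or past the fixed release of its branch
    "missing-fix" - on a listed branch, older than that branch's fixed release
    "unlisted"    - the list names no fixed release for this branch
    """
    major, minor, patch, is_rc = parse_release(release)
    branch = (major, minor)
    if branch > FIXED_MAINLINE:
        return "fixed"
    if branch == FIXED_MAINLINE:
        # The list says only "5.19"; it does not say which -rc first had the fix.
        return "unlisted" if is_rc else "fixed"
    if branch in FIXED_STABLE:
        return "fixed" if patch >= FIXED_STABLE[branch] else "missing-fix"
    return "unlisted"


if __name__ == "__main__":
    import platform
    rel = platform.release()
    print(rel, fix_status(rel))
```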
