| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025022650-CVE-2022-49398-9274@gregkh>
Date: Wed, 26 Feb 2025 03:11:12 +0100
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Subject: CVE-2022-49398: usb: dwc3: gadget: Replace list_for_each_entry_safe() if using giveback
Description
===========
In the Linux kernel, the following vulnerability has been resolved:
usb: dwc3: gadget: Replace list_for_each_entry_safe() if using giveback
The list_for_each_entry_safe() macro saves the current item (n) and
the item after (n+1), so that n can be safely removed without
corrupting the list. However, when traversing the list and removing
items using gadget giveback, the DWC3 lock is briefly released,
allowing other routines to execute. There is a situation where, while
items are being removed from the cancelled_list using
dwc3_gadget_ep_cleanup_cancelled_requests(), the pullup disable
routine is running in parallel (due to UDC unbind). As the cleanup
routine removes n, and the pullup disable removes n+1, once the
cleanup retakes the DWC3 lock, it references a request who was already
removed/handled. With list debug enabled, this leads to a panic.
Ensure all instances of the macro are replaced where gadget giveback
is used.
Example call stack:
Thread#1:
__dwc3_gadget_ep_set_halt() - CLEAR HALT
-> dwc3_gadget_ep_cleanup_cancelled_requests()
->list_for_each_entry_safe()
->dwc3_gadget_giveback(n)
->dwc3_gadget_del_and_unmap_request()- n deleted[cancelled_list]
->spin_unlock
->Thread#2 executes
...
->dwc3_gadget_giveback(n+1)
->Already removed!
Thread#2:
dwc3_gadget_pullup()
->waiting for dwc3 spin_lock
...
->Thread#1 released lock
->dwc3_stop_active_transfers()
->dwc3_remove_requests()
->fetches n+1 item from cancelled_list (n removed by Thread#1)
->dwc3_gadget_giveback()
->dwc3_gadget_del_and_unmap_request()- n+1 deleted[cancelled_list]
->spin_unlock
The Linux kernel CVE team has assigned CVE-2022-49398 to this issue.
Affected and fixed versions
===========================
Issue introduced in 5.0 with commit d4f1afe5e896c18ae01099a85dab5e1a198bd2a8 and fixed in 5.15.47 with commit 1c6e5dc3b639c96e6839a8d1b8e951923fdfd34a
Issue introduced in 5.0 with commit d4f1afe5e896c18ae01099a85dab5e1a198bd2a8 and fixed in 5.17.15 with commit 2424307cdf421ac72075a1384eae4e4199ab6457
Issue introduced in 5.0 with commit d4f1afe5e896c18ae01099a85dab5e1a198bd2a8 and fixed in 5.18.4 with commit 26a7e6832afe9d9a991cfd9015177f083cf959cc
Issue introduced in 5.0 with commit d4f1afe5e896c18ae01099a85dab5e1a198bd2a8 and fixed in 5.19 with commit bf594d1d0c1d7b895954018043536ffd327844f9
Issue introduced in 4.19.57 with commit d7ff2e3ff0e09d57b43014fe26b13bb3c9677254
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2022-49398
will be updated if fixes are backported, please check that for the most
up to date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
drivers/usb/dwc3/gadget.c
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/1c6e5dc3b639c96e6839a8d1b8e951923fdfd34a
https://git.kernel.org/stable/c/2424307cdf421ac72075a1384eae4e4199ab6457
https://git.kernel.org/stable/c/26a7e6832afe9d9a991cfd9015177f083cf959cc
https://git.kernel.org/stable/c/bf594d1d0c1d7b895954018043536ffd327844f9
Powered by blists - more mailing lists