| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025032711-CVE-2025-21877-de70@gregkh> Date: Thu, 27 Mar 2025 15:58:11 +0100 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org> Subject: CVE-2025-21877: usbnet: gl620a: fix endpoint checking in genelink_bind() Description =========== In the Linux kernel, the following vulnerability has been resolved: usbnet: gl620a: fix endpoint checking in genelink_bind() Syzbot reports [1] a warning in usb_submit_urb() triggered by inconsistencies between expected and actually present endpoints in gl620a driver. Since genelink_bind() does not properly verify whether specified eps are in fact provided by the device, in this case, an artificially manufactured one, one may get a mismatch. Fix the issue by resorting to a usbnet utility function usbnet_get_endpoints(), usually reserved for this very problem. Check for endpoints and return early before proceeding further if any are missing. [1] Syzbot report: usb 5-1: Manufacturer: syz usb 5-1: SerialNumber: syz usb 5-1: config 0 descriptor?? gl620a 5-1:0.23 usb0: register 'gl620a' at usb-dummy_hcd.0-1, ... ------------[ cut here ]------------ usb 5-1: BOGUS urb xfer, pipe 3 != type 1 WARNING: CPU: 2 PID: 1841 at drivers/usb/core/urb.c:503 usb_submit_urb+0xe4b/0x1730 drivers/usb/core/urb.c:503 Modules linked in: CPU: 2 UID: 0 PID: 1841 Comm: kworker/2:2 Not tainted 6.12.0-syzkaller-07834-g06afb0f36106 #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Workqueue: mld mld_ifc_work RIP: 0010:usb_submit_urb+0xe4b/0x1730 drivers/usb/core/urb.c:503 ... Call Trace: <TASK> usbnet_start_xmit+0x6be/0x2780 drivers/net/usb/usbnet.c:1467 __netdev_start_xmit include/linux/netdevice.h:5002 [inline] netdev_start_xmit include/linux/netdevice.h:5011 [inline] xmit_one net/core/dev.c:3590 [inline] dev_hard_start_xmit+0x9a/0x7b0 net/core/dev.c:3606 sch_direct_xmit+0x1ae/0xc30 net/sched/sch_generic.c:343 __dev_xmit_skb net/core/dev.c:3827 [inline] __dev_queue_xmit+0x13d4/0x43e0 net/core/dev.c:4400 dev_queue_xmit include/linux/netdevice.h:3168 [inline] neigh_resolve_output net/core/neighbour.c:1514 [inline] neigh_resolve_output+0x5bc/0x950 net/core/neighbour.c:1494 neigh_output include/net/neighbour.h:539 [inline] ip6_finish_output2+0xb1b/0x2070 net/ipv6/ip6_output.c:141 __ip6_finish_output net/ipv6/ip6_output.c:215 [inline] ip6_finish_output+0x3f9/0x1360 net/ipv6/ip6_output.c:226 NF_HOOK_COND include/linux/netfilter.h:303 [inline] ip6_output+0x1f8/0x540 net/ipv6/ip6_output.c:247 dst_output include/net/dst.h:450 [inline] NF_HOOK include/linux/netfilter.h:314 [inline] NF_HOOK include/linux/netfilter.h:308 [inline] mld_sendpack+0x9f0/0x11d0 net/ipv6/mcast.c:1819 mld_send_cr net/ipv6/mcast.c:2120 [inline] mld_ifc_work+0x740/0xca0 net/ipv6/mcast.c:2651 process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3229 process_scheduled_works kernel/workqueue.c:3310 [inline] worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 </TASK> The Linux kernel CVE team has assigned CVE-2025-21877 to this issue. Affected and fixed versions =========================== Issue introduced in 2.6.14 with commit 47ee3051c856cc2aa95d35d577a8cb37279d540f and fixed in 5.4.291 with commit 5f2dbabbce04b1ffcd6d8d07564adb94db577536 Issue introduced in 2.6.14 with commit 47ee3051c856cc2aa95d35d577a8cb37279d540f and fixed in 5.10.235 with commit 24dd971104057c8828d420a48e0a5af6e6f30d3e Issue introduced in 2.6.14 with commit 47ee3051c856cc2aa95d35d577a8cb37279d540f and fixed in 5.15.179 with commit 9bcb8cbc3e5d67eb223bfb7e2291a270dbb699dc Issue introduced in 2.6.14 with commit 47ee3051c856cc2aa95d35d577a8cb37279d540f and fixed in 6.1.130 with commit 67ebc3391c8377738e97a43374054d9718fdb6e4 Issue introduced in 2.6.14 with commit 47ee3051c856cc2aa95d35d577a8cb37279d540f and fixed in 6.6.81 with commit a2ee5e55b50a97d13617c8653482c0ad4decff8c Issue introduced in 2.6.14 with commit 47ee3051c856cc2aa95d35d577a8cb37279d540f and fixed in 6.12.18 with commit 4e8b8d43373bf837be159366f0192502f97ec7a5 Issue introduced in 2.6.14 with commit 47ee3051c856cc2aa95d35d577a8cb37279d540f and fixed in 6.13.6 with commit ded25730c96949cb8b048b29c557e38569124943 Issue introduced in 2.6.14 with commit 47ee3051c856cc2aa95d35d577a8cb37279d540f and fixed in 6.14 with commit 1cf9631d836b289bd5490776551961c883ae8a4f Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2025-21877 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: drivers/net/usb/gl620a.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/5f2dbabbce04b1ffcd6d8d07564adb94db577536 https://git.kernel.org/stable/c/24dd971104057c8828d420a48e0a5af6e6f30d3e https://git.kernel.org/stable/c/9bcb8cbc3e5d67eb223bfb7e2291a270dbb699dc https://git.kernel.org/stable/c/67ebc3391c8377738e97a43374054d9718fdb6e4 https://git.kernel.org/stable/c/a2ee5e55b50a97d13617c8653482c0ad4decff8c https://git.kernel.org/stable/c/4e8b8d43373bf837be159366f0192502f97ec7a5 https://git.kernel.org/stable/c/ded25730c96949cb8b048b29c557e38569124943 https://git.kernel.org/stable/c/1cf9631d836b289bd5490776551961c883ae8a4f
Powered by blists - more mailing lists