| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025032701-CVE-2022-49755-dfb6@gregkh> Date: Thu, 27 Mar 2025 17:43:13 +0100 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org> Subject: CVE-2022-49755: usb: gadget: f_fs: Prevent race during ffs_ep0_queue_wait Description =========== In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_fs: Prevent race during ffs_ep0_queue_wait While performing fast composition switch, there is a possibility that the process of ffs_ep0_write/ffs_ep0_read get into a race condition due to ep0req being freed up from functionfs_unbind. Consider the scenario that the ffs_ep0_write calls the ffs_ep0_queue_wait by taking a lock &ffs->ev.waitq.lock. However, the functionfs_unbind isn't bounded so it can go ahead and mark the ep0req to NULL, and since there is no NULL check in ffs_ep0_queue_wait we will end up in use-after-free. Fix this by making a serialized execution between the two functions using a mutex_lock(ffs->mutex). The Linux kernel CVE team has assigned CVE-2022-49755 to this issue. Affected and fixed versions =========================== Issue introduced in 2.6.35 with commit ddf8abd2599491cbad959c700b90ba72a5dce8d0 and fixed in 4.14.305 with commit facf353c9e8d7885b686d9a4b173d4e0af6441d2 Issue introduced in 2.6.35 with commit ddf8abd2599491cbad959c700b90ba72a5dce8d0 and fixed in 4.19.272 with commit e9036e951f93fb8d7b5e9d6e2c7f94a4da312ae4 Issue introduced in 2.6.35 with commit ddf8abd2599491cbad959c700b90ba72a5dce8d0 and fixed in 5.4.231 with commit a8d40942df074f4ebcb9bd3413596d92f323b064 Issue introduced in 2.6.35 with commit ddf8abd2599491cbad959c700b90ba72a5dce8d0 and fixed in 5.10.166 with commit 6dd9ea05534f323668db94fcc2726c7a84547e78 Issue introduced in 2.6.35 with commit ddf8abd2599491cbad959c700b90ba72a5dce8d0 and fixed in 5.15.91 with commit ae8e136bcaae96163b5821984de1036efc9abb1a Issue introduced in 2.6.35 with commit ddf8abd2599491cbad959c700b90ba72a5dce8d0 and fixed in 6.1.9 with commit 6aee197b7fbcd61596a78b47d553f2f99111f217 Issue introduced in 2.6.35 with commit ddf8abd2599491cbad959c700b90ba72a5dce8d0 and fixed in 6.2 with commit 6a19da111057f69214b97c62fb0ac59023970850 Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2022-49755 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: drivers/usb/gadget/function/f_fs.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/facf353c9e8d7885b686d9a4b173d4e0af6441d2 https://git.kernel.org/stable/c/e9036e951f93fb8d7b5e9d6e2c7f94a4da312ae4 https://git.kernel.org/stable/c/a8d40942df074f4ebcb9bd3413596d92f323b064 https://git.kernel.org/stable/c/6dd9ea05534f323668db94fcc2726c7a84547e78 https://git.kernel.org/stable/c/ae8e136bcaae96163b5821984de1036efc9abb1a https://git.kernel.org/stable/c/6aee197b7fbcd61596a78b47d553f2f99111f217 https://git.kernel.org/stable/c/6a19da111057f69214b97c62fb0ac59023970850
Powered by blists - more mailing lists