lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <2025040131-CVE-2025-21916-28b9@gregkh>
Date: Tue,  1 Apr 2025 16:39:40 +0100
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Subject: CVE-2025-21916: usb: atm: cxacru: fix a flaw in existing endpoint checks

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

usb: atm: cxacru: fix a flaw in existing endpoint checks

Syzbot once again identified a flaw in usb endpoint checking, see [1].
This time the issue stems from a commit authored by me (2eabb655a968
("usb: atm: cxacru: fix endpoint checking in cxacru_bind()")).

While using usb_find_common_endpoints() may usually be enough to
discard devices with wrong endpoints, in this case one needs more
than just finding and identifying the sufficient number of endpoints
of correct types - one needs to check the endpoint's address as well.

Since cxacru_bind() fills URBs with CXACRU_EP_CMD address in mind,
switch the endpoint verification approach to usb_check_XXX_endpoints()
instead to fix incomplete ep testing.

[1] Syzbot report:
usb 5-1: BOGUS urb xfer, pipe 3 != type 1
WARNING: CPU: 0 PID: 1378 at drivers/usb/core/urb.c:504 usb_submit_urb+0xc4e/0x18c0 drivers/usb/core/urb.c:503
...
RIP: 0010:usb_submit_urb+0xc4e/0x18c0 drivers/usb/core/urb.c:503
...
Call Trace:
 <TASK>
 cxacru_cm+0x3c8/0xe50 drivers/usb/atm/cxacru.c:649
 cxacru_card_status drivers/usb/atm/cxacru.c:760 [inline]
 cxacru_bind+0xcf9/0x1150 drivers/usb/atm/cxacru.c:1223
 usbatm_usb_probe+0x314/0x1d30 drivers/usb/atm/usbatm.c:1058
 cxacru_usb_probe+0x184/0x220 drivers/usb/atm/cxacru.c:1377
 usb_probe_interface+0x641/0xbb0 drivers/usb/core/driver.c:396
 really_probe+0x2b9/0xad0 drivers/base/dd.c:658
 __driver_probe_device+0x1a2/0x390 drivers/base/dd.c:800
 driver_probe_device+0x50/0x430 drivers/base/dd.c:830
...

The Linux kernel CVE team has assigned CVE-2025-21916 to this issue.


Affected and fixed versions
===========================

	Issue introduced in 5.4.279 with commit 23926d316d2836315cb113569f91393266eb5b47 and fixed in 5.4.291 with commit dcd592ab9dd8a2bfc36e75583b9006db2a77ec24
	Issue introduced in 5.10.221 with commit 75ddbf776dd04a09fb9e5267ead5d0c989f84506 and fixed in 5.10.235 with commit 319529e0356bd904528c64647725a2272d297c83
	Issue introduced in 5.15.162 with commit 1aac4be1aaa5177506219f01dce5e29194e5e95a and fixed in 5.15.179 with commit bf4409f84023b52b5e9b36c0a071a121eee42138
	Issue introduced in 6.1.97 with commit 5584c776a1af7807ca815ee6265f2c1429fc5727 and fixed in 6.1.131 with commit 197e78076c5ecd895f109158c4ea2954b9919af6
	Issue introduced in 6.6.37 with commit f536f09eb45e4de8d1b9accee9d992aa1846f1d4 and fixed in 6.6.83 with commit a0475a885d69849b1ade38add6d64338dfa83a8f
	Issue introduced in 6.10 with commit 2eabb655a968b862bc0c31629a09f0fbf3c80d51 and fixed in 6.12.19 with commit cfc295f7cccf66cbd5123416bcf1bee2e1bd37de
	Issue introduced in 6.10 with commit 2eabb655a968b862bc0c31629a09f0fbf3c80d51 and fixed in 6.13.7 with commit 903b80c21458bb1e34c3a78c5fdc553821e357f8
	Issue introduced in 6.10 with commit 2eabb655a968b862bc0c31629a09f0fbf3c80d51 and fixed in 6.14 with commit c90aad369899a607cfbc002bebeafd51e31900cd
	Issue introduced in 4.19.317 with commit 5159a81924311c1ec786ad9fdef784ead8676a6a
	Issue introduced in 6.9.8 with commit ac9007520e392541a29daebaae8b9109007bc781

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2025-21916
will be updated if fixes are backported, please check that for the most
up to date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
	drivers/usb/atm/cxacru.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes.  Individual
changes are never tested alone, but rather are part of a larger kernel
release.  Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.  If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/dcd592ab9dd8a2bfc36e75583b9006db2a77ec24
	https://git.kernel.org/stable/c/319529e0356bd904528c64647725a2272d297c83
	https://git.kernel.org/stable/c/bf4409f84023b52b5e9b36c0a071a121eee42138
	https://git.kernel.org/stable/c/197e78076c5ecd895f109158c4ea2954b9919af6
	https://git.kernel.org/stable/c/a0475a885d69849b1ade38add6d64338dfa83a8f
	https://git.kernel.org/stable/c/cfc295f7cccf66cbd5123416bcf1bee2e1bd37de
	https://git.kernel.org/stable/c/903b80c21458bb1e34c3a78c5fdc553821e357f8
	https://git.kernel.org/stable/c/c90aad369899a607cfbc002bebeafd51e31900cd

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ