lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025050817-CVE-2025-37813-8f2b@gregkh> Date: Thu, 8 May 2025 08:39:22 +0200 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...nel.org> Subject: CVE-2025-37813: usb: xhci: Fix invalid pointer dereference in Etron workaround From: Greg Kroah-Hartman <gregkh@...nel.org> Description =========== In the Linux kernel, the following vulnerability has been resolved: usb: xhci: Fix invalid pointer dereference in Etron workaround This check is performed before prepare_transfer() and prepare_ring(), so enqueue can already point at the final link TRB of a segment. And indeed it will, some 0.4% of times this code is called. Then enqueue + 1 is an invalid pointer. It will crash the kernel right away or load some junk which may look like a link TRB and cause the real link TRB to be replaced with a NOOP. This wouldn't end well. Use a functionally equivalent test which doesn't dereference the pointer and always gives correct result. Something has crashed my machine twice in recent days while playing with an Etron HC, and a control transfer stress test ran for confirmation has just crashed it again. The same test passes with this patch applied. The Linux kernel CVE team has assigned CVE-2025-37813 to this issue. Affected and fixed versions =========================== Issue introduced in 6.6.66 with commit fbc0a0c7718a6cb1dc5e0811a4f88a2b1deedfa1 and fixed in 6.6.89 with commit 142273a49f2c315eabdbdf5a71c15e479b75ca91 Issue introduced in 6.12.2 with commit 9258c9ed32294ce3a4b58c9d92fc49ba030d35c9 and fixed in 6.12.26 with commit bce3055b08e303e28a8751f6073066f5c33a0744 Issue introduced in 6.13 with commit 5e1c67abc9301d05130b7e267c204e7005503b33 and fixed in 6.14.5 with commit 0624e29c595b05e7a0e6d1c368f0a05799928e30 Issue introduced in 6.13 with commit 5e1c67abc9301d05130b7e267c204e7005503b33 and fixed in 6.15-rc4 with commit 1ea050da5562af9b930d17cbbe9632d30f5df43a Issue introduced in 6.11.11 with commit 4725344ca645a98a9d8e45e25b01a2244de5b8aa Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2025-37813 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: drivers/usb/host/xhci-ring.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/142273a49f2c315eabdbdf5a71c15e479b75ca91 https://git.kernel.org/stable/c/bce3055b08e303e28a8751f6073066f5c33a0744 https://git.kernel.org/stable/c/0624e29c595b05e7a0e6d1c368f0a05799928e30 https://git.kernel.org/stable/c/1ea050da5562af9b930d17cbbe9632d30f5df43a
Powered by blists - more mailing lists