Message-ID: <2025102207-CVE-2022-50568-f109@gregkh>
Date: Wed, 22 Oct 2025 15:24:16 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...nel.org>
Subject: CVE-2022-50568: usb: gadget: f_hid: fix f_hidg lifetime vs cdev

From: Greg Kroah-Hartman <gregkh@...nel.org>

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

usb: gadget: f_hid: fix f_hidg lifetime vs cdev

The embedded struct cdev does not have its lifetime correctly tied to
the enclosing struct f_hidg, so there is a use-after-free if /dev/hidgN
is held open while the gadget is deleted.

This can readily be replicated with libusbgx's example programs (for
conciseness - operating directly via configfs is equivalent):

    gadget-hid
    exec 3<> /dev/hidg0
    gadget-vid-pid-remove
    exec 3<&-

Pull the existing device up in to struct f_hidg and make use of the
cdev_device_{add,del}() helpers. This changes the lifetime of the
device object to match struct f_hidg, but note that it is still added
and deleted at the same time.

The Linux kernel CVE team has assigned CVE-2022-50568 to this issue.


Affected and fixed versions
===========================

    Issue introduced in 2.6.35 with commit 71adf118946957839a13aa4d1094183e05c6c094 and fixed in 4.19.270 with commit 1cd7f156f6389918f760687fbbf133c86da93162
    Issue introduced in 2.6.35 with commit 71adf118946957839a13aa4d1094183e05c6c094 and fixed in 5.4.229 with commit c78c87c4e389b62f8892af7f59857447aa6d9797
    Issue introduced in 2.6.35 with commit 71adf118946957839a13aa4d1094183e05c6c094 and fixed in 5.10.163 with commit 1b6a53e447ec3d81623610c8c7ec5082b47dfdce
    Issue introduced in 2.6.35 with commit 71adf118946957839a13aa4d1094183e05c6c094 and fixed in 5.15.86 with commit d3136b79705c2e3bba9c76adc5628af0215d798e
    Issue introduced in 2.6.35 with commit 71adf118946957839a13aa4d1094183e05c6c094 and fixed in 6.0.16 with commit 9e4b85d815b14bd4db2deea2a54264a23de8b896
    Issue introduced in 2.6.35 with commit 71adf118946957839a13aa4d1094183e05c6c094 and fixed in 6.1.2 with commit 9e08b7f5fa00e9d550851352bd0d1ba74ccffef2
    Issue introduced in 2.6.35 with commit 71adf118946957839a13aa4d1094183e05c6c094 and fixed in 6.2 with commit 89ff3dfac604614287ad5aad9370c3f984ea3f4b

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
    https://cve.org/CVERecord/?id=CVE-2022-50568
will be updated if fixes are backported, please check that for the most
up to date information about this issue.

Affected files
==============

The file(s) affected by this issue are:
    drivers/usb/gadget/function/f_hid.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
    https://git.kernel.org/stable/c/1cd7f156f6389918f760687fbbf133c86da93162
    https://git.kernel.org/stable/c/c78c87c4e389b62f8892af7f59857447aa6d9797
    https://git.kernel.org/stable/c/1b6a53e447ec3d81623610c8c7ec5082b47dfdce
    https://git.kernel.org/stable/c/d3136b79705c2e3bba9c76adc5628af0215d798e
    https://git.kernel.org/stable/c/9e4b85d815b14bd4db2deea2a54264a23de8b896
    https://git.kernel.org/stable/c/9e08b7f5fa00e9d550851352bd0d1ba74ccffef2
    https://git.kernel.org/stable/c/89ff3dfac604614287ad5aad9370c3f984ea3f4b
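
Added example, not part of the original announcement or of the kernel project: a shell function that classifies an upstream kernel version string against the "Affected and fixed versions" list above. The function name is hypothetical, and the check compares upstream version numbers only, so a distribution kernel that carries a backport under its own numbering is still reported as affected.

```sh
#!/bin/sh
# Added example (not from the announcement): classify an upstream kernel
# version against the fixed versions listed for CVE-2022-50568.
# Usage: cve_2022_50568_status "$(uname -r)"
# Prints: not-affected | affected | fixed | unknown
cve_2022_50568_status() {   # hypothetical helper name
    # Keep the leading numeric part only: "5.10.163-rt1" -> "5.10.163"
    ver=$(printf '%s\n' "$1" | sed 's/[^0-9.].*$//')
    old_ifs=$IFS; IFS=.
    set -- $ver          # split on dots into $1 $2 $3
    IFS=$old_ifs
    [ -n "$1" ] || { echo unknown; return 2; }
    major=$1; minor=${2:-0}; patch=${3:-0}

    # Introduced in 2.6.35: older kernels never contained the bug.
    if [ "$major" -lt 2 ] ||
       { [ "$major" -eq 2 ] && [ "$minor" -lt 6 ]; } ||
       { [ "$major" -eq 2 ] && [ "$minor" -eq 6 ] && [ "$patch" -lt 35 ]; }; then
        echo not-affected; return 0
    fi

    # First fixed patch level per stable branch, as listed in the announcement.
    case "$major.$minor" in
        4.19) first_fixed=270 ;;
        5.4)  first_fixed=229 ;;
        5.10) first_fixed=163 ;;
        5.15) first_fixed=86  ;;
        6.0)  first_fixed=16  ;;
        6.1)  first_fixed=2   ;;
        *)    first_fixed=    ;;
    esac

    if [ -n "$first_fixed" ]; then
        if [ "$patch" -ge "$first_fixed" ]; then echo fixed; else echo affected; fi
    elif [ "$major" -gt 6 ] || { [ "$major" -eq 6 ] && [ "$minor" -ge 2 ]; }; then
        echo fixed       # 6.2 and later releases
    else
        echo affected    # branch with no fix listed in the announcement
    fi
}
```

A result of "affected" on a vendor kernel is a prompt to check the vendor's changelog for the commits listed under Mitigation, not a final verdict.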