Message-ID: <2025103016-CVE-2025-40094-113d@gregkh>
Date: Thu, 30 Oct 2025 10:48:21 +0100
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...nel.org>
Subject: CVE-2025-40094: usb: gadget: f_acm: Refactor bind path to use __free()
From: Greg Kroah-Hartman <gregkh@...nel.org>
Description
===========
In the Linux kernel, the following vulnerability has been resolved:

usb: gadget: f_acm: Refactor bind path to use __free()

After a bind/unbind cycle, the acm->notify_req is left stale. If a
subsequent bind fails, the unified error label attempts to free this
stale request, leading to a NULL pointer dereference when accessing
ep->ops->free_request.

Refactor the error handling in the bind path to use the __free()
automatic cleanup mechanism.

Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020
Call trace:
 usb_ep_free_request+0x2c/0xec
 gs_free_req+0x30/0x44
 acm_bind+0x1b8/0x1f4
 usb_add_function+0xcc/0x1f0
 configfs_composite_bind+0x468/0x588
 gadget_bind_driver+0x104/0x270
 really_probe+0x190/0x374
 __driver_probe_device+0xa0/0x12c
 driver_probe_device+0x3c/0x218
 __device_attach_driver+0x14c/0x188
 bus_for_each_drv+0x10c/0x168
 __device_attach+0xfc/0x198
 device_initial_probe+0x14/0x24
 bus_probe_device+0x94/0x11c
 device_add+0x268/0x48c
 usb_add_gadget+0x198/0x28c
 dwc3_gadget_init+0x700/0x858
 __dwc3_set_mode+0x3cc/0x664
 process_scheduled_works+0x1d8/0x488
 worker_thread+0x244/0x334
 kthread+0x114/0x1bc
 ret_from_fork+0x10/0x20
The Linux kernel CVE team has assigned CVE-2025-40094 to this issue.
Affected and fixed versions
===========================
	Issue introduced in 2.6.27 with commit 1f1ba11b64947051fc32aa15fcccef6463b433f7 and fixed in 5.15.196 with commit c5d116862dd3ed162d079738a5ebddf9fceea850
	Issue introduced in 2.6.27 with commit 1f1ba11b64947051fc32aa15fcccef6463b433f7 and fixed in 6.1.158 with commit 2b1546f7c5fc6c44555a8e7a2b34229d1dcd2175
	Issue introduced in 2.6.27 with commit 1f1ba11b64947051fc32aa15fcccef6463b433f7 and fixed in 6.6.114 with commit e348d18fb0124b662cfefb3001733b49da428215
	Issue introduced in 2.6.27 with commit 1f1ba11b64947051fc32aa15fcccef6463b433f7 and fixed in 6.12.55 with commit 201a66d8e6630762e760e1d78f1d149da1691e7b
	Issue introduced in 2.6.27 with commit 1f1ba11b64947051fc32aa15fcccef6463b433f7 and fixed in 6.17.5 with commit c4301e4dd6b32faccb744f1c2320e64235b68d3b
	Issue introduced in 2.6.27 with commit 1f1ba11b64947051fc32aa15fcccef6463b433f7 and fixed in 6.18-rc1 with commit 47b2116e54b4a854600341487e8b55249e926324
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2025-40094
will be updated if fixes are backported, please check that for the most
up to date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
	drivers/usb/gadget/function/f_acm.c
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes.  Individual
changes are never tested alone, but rather are part of a larger kernel
release.  Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.  If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/c5d116862dd3ed162d079738a5ebddf9fceea850
	https://git.kernel.org/stable/c/2b1546f7c5fc6c44555a8e7a2b34229d1dcd2175
	https://git.kernel.org/stable/c/e348d18fb0124b662cfefb3001733b49da428215
	https://git.kernel.org/stable/c/201a66d8e6630762e760e1d78f1d149da1691e7b
	https://git.kernel.org/stable/c/c4301e4dd6b32faccb744f1c2320e64235b68d3b
	https://git.kernel.org/stable/c/47b2116e54b4a854600341487e8b55249e926324
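
Added example, not part of the original announcement or the kernel source: a user-space C model of the failure mode described above (a stale pointer freed by a unified error label) next to scope-based cleanup with the compiler's cleanup attribute, which the kernel's __free() is built on. The names struct req, struct func, bind_goto, bind_scoped and the fail_at parameter are hypothetical stand-ins for the driver's types and its bind function.

```c
/* User-space model, constructed for illustration; not kernel code. */
#include <stddef.h>
struct req  { int live; };                /* stands in for struct usb_request */
struct func { struct req *notify_req; };  /* stands in for struct f_acm */
static struct req pool[8];   /* static storage, so stale pointers stay readable */
static int next_slot, stale_frees;

struct req *req_alloc(void) {
    struct req *r = &pool[next_slot++ % 8];
    r->live = 1;
    return r;
}
/* Counts a free of an already-freed request instead of faulting. */
void req_free(struct req *r) { stale_frees += !r->live; r->live = 0; }
void unbind(struct func *f) { req_free(f->notify_req); }  /* pointer left stale */

/* "Before": one error label that cleans up through the long-lived struct. */
int bind_goto(struct func *f, int fail_at) {
    if (fail_at) goto fail;               /* error before this bind allocates */
    f->notify_req = req_alloc();
    return 0;
fail:
    if (f->notify_req) req_free(f->notify_req);  /* may be last cycle's pointer */
    return -1;
}

/* "After": cleanup is tied to a local that only this call can have set. */
void req_cleanup(struct req **p) { if (*p) req_free(*p); }
int bind_scoped(struct func *f, int fail_at) {
    struct req *r __attribute__((cleanup(req_cleanup))) = NULL;
    if (fail_at == 1) return -1;          /* r is NULL, nothing is freed */
    r = req_alloc();
    if (fail_at == 2) return -1;          /* r is freed once, f is untouched */
    f->notify_req = r;
    r = NULL;                             /* success: ownership moves to f */
    return 0;
}

/* bind, unbind, then a bind failing at fail_at; returns the stale-free count. */
int stale_frees_after_cycle(int (*bind_fn)(struct func *, int), int fail_at) {
    struct func f = { NULL };
    next_slot = stale_frees = 0;
    bind_fn(&f, 0);                       /* first cycle succeeds ... */
    unbind(&f);                           /* ... and leaves f.notify_req stale */
    bind_fn(&f, fail_at);
    return stale_frees;
}

int main(void) { return stale_frees_after_cycle(bind_scoped, 1); }
```

In the model the goto variant frees the previous cycle's request once, while the scoped variant frees only what the current call allocated.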
