| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025120822-CVE-2025-40314-1dcb@gregkh>
Date: Mon, 8 Dec 2025 09:47:38 +0900
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...nel.org>
Subject: CVE-2025-40314: usb: cdns3: gadget: Use-after-free during failed initialization and exit of cdnsp gadget
From: Greg Kroah-Hartman <gregkh@...nel.org>
Description
===========
In the Linux kernel, the following vulnerability has been resolved:
usb: cdns3: gadget: Use-after-free during failed initialization and exit of cdnsp gadget
In the __cdnsp_gadget_init() and cdnsp_gadget_exit() functions, the gadget
structure (pdev->gadget) was freed before its endpoints.
The endpoints are linked via the ep_list in the gadget structure.
Freeing the gadget first leaves dangling pointers in the endpoint list.
When the endpoints are subsequently freed, this results in a use-after-free.
Fix:
By separating the usb_del_gadget_udc() operation into distinct "del" and
"put" steps, cdnsp_gadget_free_endpoints() can be executed prior to the
final release of the gadget structure with usb_put_gadget().
A patch similar to bb9c74a5bd14("usb: dwc3: gadget: Free gadget structure
only after freeing endpoints").
The Linux kernel CVE team has assigned CVE-2025-40314 to this issue.
Affected and fixed versions
===========================
Fixed in 5.15.197 with commit 0cf9a50af91fbdac3849f8d950e883a3eaa3ecea
Fixed in 6.1.159 with commit 37158ce6ba964b62d1e3eebd11f03c6900a52dd1
Fixed in 6.6.117 with commit ea37884097a0931abb8e11e40eacfb25e9fdb5e9
Fixed in 6.12.58 with commit 9c52f01429c377a2d32cafc977465f37b5384f77
Fixed in 6.17.8 with commit fdf573c517627a96f5040f988e9b21267806be5c
Fixed in 6.18 with commit 87c5ff5615dc0a37167e8faf3adeeddc6f1344a3
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2025-40314
will be updated if fixes are backported, please check that for the most
up to date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
drivers/usb/cdns3/cdnsp-gadget.c
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/0cf9a50af91fbdac3849f8d950e883a3eaa3ecea
https://git.kernel.org/stable/c/37158ce6ba964b62d1e3eebd11f03c6900a52dd1
https://git.kernel.org/stable/c/ea37884097a0931abb8e11e40eacfb25e9fdb5e9
https://git.kernel.org/stable/c/9c52f01429c377a2d32cafc977465f37b5384f77
https://git.kernel.org/stable/c/fdf573c517627a96f5040f988e9b21267806be5c
https://git.kernel.org/stable/c/87c5ff5615dc0a37167e8faf3adeeddc6f1344a3
Powered by blists - more mailing lists