| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025120822-CVE-2025-40315-38da@gregkh> Date: Mon, 8 Dec 2025 09:47:39 +0900 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...nel.org> Subject: CVE-2025-40315: usb: gadget: f_fs: Fix epfile null pointer access after ep enable. From: Greg Kroah-Hartman <gregkh@...nel.org> Description =========== In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_fs: Fix epfile null pointer access after ep enable. A race condition occurs when ffs_func_eps_enable() runs concurrently with ffs_data_reset(). The ffs_data_clear() called in ffs_data_reset() sets ffs->epfiles to NULL before resetting ffs->eps_count to 0, leading to a NULL pointer dereference when accessing epfile->ep in ffs_func_eps_enable() after successful usb_ep_enable(). The ffs->epfiles pointer is set to NULL in both ffs_data_clear() and ffs_data_close() functions, and its modification is protected by the spinlock ffs->eps_lock. And the whole ffs_func_eps_enable() function is also protected by ffs->eps_lock. Thus, add NULL pointer handling for ffs->epfiles in the ffs_func_eps_enable() function to fix issues The Linux kernel CVE team has assigned CVE-2025-40315 to this issue. Affected and fixed versions =========================== Fixed in 5.4.302 with commit b00d2572c16e8e59e979960d3383c2ae9cebd195 Fixed in 5.10.247 with commit 1c0dbd240be3f87cac321b14e17979b7e9cb6a8f Fixed in 5.15.197 with commit 9ec40fba7357df2d36f4c2e2f3b9b1a4fba0a272 Fixed in 6.1.159 with commit c53e90563bc148e4e0ad09fe130ba2246d426ea6 Fixed in 6.6.117 with commit fc1141a530dfc91f0ee19b7f422a2d24829584bc Fixed in 6.12.58 with commit d62b808d5c68a931ad0849a00a5e3be3dd7e0019 Fixed in 6.17.8 with commit 30880e9df27332403dd638a82c27921134b3630b Fixed in 6.18 with commit cfd6f1a7b42f62523c96d9703ef32b0dbc495ba4 Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2025-40315 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: drivers/usb/gadget/function/f_fs.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/b00d2572c16e8e59e979960d3383c2ae9cebd195 https://git.kernel.org/stable/c/1c0dbd240be3f87cac321b14e17979b7e9cb6a8f https://git.kernel.org/stable/c/9ec40fba7357df2d36f4c2e2f3b9b1a4fba0a272 https://git.kernel.org/stable/c/c53e90563bc148e4e0ad09fe130ba2246d426ea6 https://git.kernel.org/stable/c/fc1141a530dfc91f0ee19b7f422a2d24829584bc https://git.kernel.org/stable/c/d62b808d5c68a931ad0849a00a5e3be3dd7e0019 https://git.kernel.org/stable/c/30880e9df27332403dd638a82c27921134b3630b https://git.kernel.org/stable/c/cfd6f1a7b42f62523c96d9703ef32b0dbc495ba4
Powered by blists - more mailing lists