| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025121638-CVE-2025-68287-5647@gregkh> Date: Tue, 16 Dec 2025 16:06:41 +0100 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...nel.org> Subject: CVE-2025-68287: usb: dwc3: Fix race condition between concurrent dwc3_remove_requests() call paths From: Greg Kroah-Hartman <gregkh@...nel.org> Description =========== In the Linux kernel, the following vulnerability has been resolved: usb: dwc3: Fix race condition between concurrent dwc3_remove_requests() call paths This patch addresses a race condition caused by unsynchronized execution of multiple call paths invoking `dwc3_remove_requests()`, leading to premature freeing of USB requests and subsequent crashes. Three distinct execution paths interact with `dwc3_remove_requests()`: Path 1: Triggered via `dwc3_gadget_reset_interrupt()` during USB reset handling. The call stack includes: - `dwc3_ep0_reset_state()` - `dwc3_ep0_stall_and_restart()` - `dwc3_ep0_out_start()` - `dwc3_remove_requests()` - `dwc3_gadget_del_and_unmap_request()` Path 2: Also initiated from `dwc3_gadget_reset_interrupt()`, but through `dwc3_stop_active_transfers()`. The call stack includes: - `dwc3_stop_active_transfers()` - `dwc3_remove_requests()` - `dwc3_gadget_del_and_unmap_request()` Path 3: Occurs independently during `adb root` execution, which triggers USB function unbind and bind operations. The sequence includes: - `gserial_disconnect()` - `usb_ep_disable()` - `dwc3_gadget_ep_disable()` - `dwc3_remove_requests()` with `-ESHUTDOWN` status Path 3 operates asynchronously and lacks synchronization with Paths 1 and 2. When Path 3 completes, it disables endpoints and frees 'out' requests. If Paths 1 or 2 are still processing these requests, accessing freed memory leads to a crash due to use-after-free conditions. To fix this added check for request completion and skip processing if already completed and added the request status for ep0 while queue. The Linux kernel CVE team has assigned CVE-2025-68287 to this issue. Affected and fixed versions =========================== Issue introduced in 3.2 with commit 72246da40f3719af3bfd104a2365b32537c27d83 and fixed in 5.10.247 with commit 467add9db13219101f14b6cc5477998b4aaa5fe2 Issue introduced in 3.2 with commit 72246da40f3719af3bfd104a2365b32537c27d83 and fixed in 5.15.197 with commit 67192e8cb7f941b5bba91e4bb290683576ce1607 Issue introduced in 3.2 with commit 72246da40f3719af3bfd104a2365b32537c27d83 and fixed in 6.1.159 with commit 47de14d741cc4057046c9e2f33df1f7828254e6c Issue introduced in 3.2 with commit 72246da40f3719af3bfd104a2365b32537c27d83 and fixed in 6.6.119 with commit afc0e34f161ce61ad351303c46eb57bd44b8b090 Issue introduced in 3.2 with commit 72246da40f3719af3bfd104a2365b32537c27d83 and fixed in 6.12.61 with commit 7cfb62888eba292fa35cd9ddbd28ce595f60e139 Issue introduced in 3.2 with commit 72246da40f3719af3bfd104a2365b32537c27d83 and fixed in 6.17.11 with commit fa5eaf701e576880070b60922200557ae4aa54e1 Issue introduced in 3.2 with commit 72246da40f3719af3bfd104a2365b32537c27d83 and fixed in 6.18 with commit e4037689a366743c4233966f0e74bc455820d316 Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2025-68287 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: drivers/usb/dwc3/ep0.c drivers/usb/dwc3/gadget.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/467add9db13219101f14b6cc5477998b4aaa5fe2 https://git.kernel.org/stable/c/67192e8cb7f941b5bba91e4bb290683576ce1607 https://git.kernel.org/stable/c/47de14d741cc4057046c9e2f33df1f7828254e6c https://git.kernel.org/stable/c/afc0e34f161ce61ad351303c46eb57bd44b8b090 https://git.kernel.org/stable/c/7cfb62888eba292fa35cd9ddbd28ce595f60e139 https://git.kernel.org/stable/c/fa5eaf701e576880070b60922200557ae4aa54e1 https://git.kernel.org/stable/c/e4037689a366743c4233966f0e74bc455820d316
Powered by blists - more mailing lists