| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025122406-CVE-2025-68750-7ff1@gregkh>
Date: Wed, 24 Dec 2025 16:51:06 +0100
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...nel.org>
Subject: CVE-2025-68750: usb: potential integer overflow in usbg_make_tpg()
From: Greg Kroah-Hartman <gregkh@...nel.org>
Description
===========
In the Linux kernel, the following vulnerability has been resolved:
usb: potential integer overflow in usbg_make_tpg()
The variable tpgt in usbg_make_tpg() is defined as unsigned long and is
assigned to tpgt->tport_tpgt, which is defined as u16. This may cause an
integer overflow when tpgt is greater than USHRT_MAX (65535). I
haven't tried to trigger it myself, but it is possible to trigger it
by calling usbg_make_tpg() with a large value for tpgt.
I modified the type of tpgt to match tpgt->tport_tpgt and adjusted the
relevant code accordingly.
This patch is similar to commit 59c816c1f24d ("vhost/scsi: potential
memory corruption").
The Linux kernel CVE team has assigned CVE-2025-68750 to this issue.
Affected and fixed versions
===========================
Fixed in 5.4.296 with commit 0861b9cb2ff519b7c5a3b1dd52a343e18c4efb24
Fixed in 5.10.240 with commit 603a83e5fee38a950bfcfb2f36449311fa00a474
Fixed in 5.15.187 with commit 6f77e344515b5258edb3988188311464209b1c7c
Fixed in 6.1.143 with commit 6722e080b5b39ab7471386c73d0c1b39572f943c
Fixed in 6.6.96 with commit a33f507f36d5881f602dab581ab0f8d22b49762c
Fixed in 6.12.36 with commit 358d5ba08f1609c34a054aed88c431844d09705a
Fixed in 6.15.5 with commit 620a5e1e84a3a7004270703a118d33eeb1c0f368
Fixed in 6.16 with commit 153874010354d050f62f8ae25cbb960c17633dc5
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2025-68750
will be updated if fixes are backported, please check that for the most
up to date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
drivers/usb/gadget/function/f_tcm.c
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/0861b9cb2ff519b7c5a3b1dd52a343e18c4efb24
https://git.kernel.org/stable/c/603a83e5fee38a950bfcfb2f36449311fa00a474
https://git.kernel.org/stable/c/6f77e344515b5258edb3988188311464209b1c7c
https://git.kernel.org/stable/c/6722e080b5b39ab7471386c73d0c1b39572f943c
https://git.kernel.org/stable/c/a33f507f36d5881f602dab581ab0f8d22b49762c
https://git.kernel.org/stable/c/358d5ba08f1609c34a054aed88c431844d09705a
https://git.kernel.org/stable/c/620a5e1e84a3a7004270703a118d33eeb1c0f368
https://git.kernel.org/stable/c/153874010354d050f62f8ae25cbb960c17633dc5
Powered by blists - more mailing lists