Message-ID: <2025123056-CVE-2023-54256-8de6@gregkh>
Date: Tue, 30 Dec 2025 13:20:22 +0100
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...nel.org>
Subject: CVE-2023-54256: usb: dwc3: don't reset device side if dwc3 was configured as host-only
From: Greg Kroah-Hartman <gregkh@...nel.org>
Description
===========
In the Linux kernel, the following vulnerability has been resolved:
usb: dwc3: don't reset device side if dwc3 was configured as host-only
Commit c4a5153e87fd ("usb: dwc3: core: Power-off core/PHYs on
system_suspend in host mode") replaces check for HOST only dr_mode with
current_dr_role. But during booting, the current_dr_role isn't
initialized, thus the device side reset is always issued even if dwc3
was configured as host-only. What's more, on some platforms with host
only dwc3, always issuing device side reset by accessing device register
block can cause kernel panic.
The Linux kernel CVE team has assigned CVE-2023-54256 to this issue.
Affected and fixed versions
===========================
Issue introduced in 4.16 with commit c4a5153e87fdf6805f63ff57556260e2554155a5 and fixed in 4.19.291 with commit b4e909a46919a922da3e2f7983465370f40bdda4
Issue introduced in 4.16 with commit c4a5153e87fdf6805f63ff57556260e2554155a5 and fixed in 5.4.253 with commit 640cb5f5e4b41fe050519e108d7505a5fd2124c9
Issue introduced in 4.16 with commit c4a5153e87fdf6805f63ff57556260e2554155a5 and fixed in 5.10.190 with commit 96c433aff5fd427fde29aba18dbec3df60e8c538
Issue introduced in 4.16 with commit c4a5153e87fdf6805f63ff57556260e2554155a5 and fixed in 5.15.124 with commit 6366b1178545e0a29f69845938153aa3c7aa603b
Issue introduced in 4.16 with commit c4a5153e87fdf6805f63ff57556260e2554155a5 and fixed in 6.1.43 with commit c1fad1695befef3c3ae5f185ed0f8f394b9962ae
Issue introduced in 4.16 with commit c4a5153e87fdf6805f63ff57556260e2554155a5 and fixed in 6.4.8 with commit 317d6e4c12b46bde61248ea4ab5e19f68cbd1c57
Issue introduced in 4.16 with commit c4a5153e87fdf6805f63ff57556260e2554155a5 and fixed in 6.5 with commit e835c0a4e23c38531dcee5ef77e8d1cf462658c7
Issue introduced in 4.15.12 with commit b9fac2b8326d1533c52fe1f32fde5050b7548666
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2023-54256
will be updated if fixes are backported; please check that for the most
up to date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
drivers/usb/dwc3/core.c
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If, however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/b4e909a46919a922da3e2f7983465370f40bdda4
https://git.kernel.org/stable/c/640cb5f5e4b41fe050519e108d7505a5fd2124c9
https://git.kernel.org/stable/c/96c433aff5fd427fde29aba18dbec3df60e8c538
https://git.kernel.org/stable/c/6366b1178545e0a29f69845938153aa3c7aa603b
https://git.kernel.org/stable/c/c1fad1695befef3c3ae5f185ed0f8f394b9962ae
https://git.kernel.org/stable/c/317d6e4c12b46bde61248ea4ab5e19f68cbd1c57
https://git.kernel.org/stable/c/e835c0a4e23c38531dcee5ef77e8d1cf462658c7
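
For triage, the "Affected and fixed versions" list above can be turned into a version check. The following is an added example, not part of the original announcement or of the kernel project; the function names and the "unknown" result for 6.5 release candidates are assumptions of this example.

```python
import re

# Per-branch fixed releases, copied from the advisory's
# "Affected and fixed versions" section.
FIXED_IN = {
    (4, 19): 291, (5, 4): 253, (5, 10): 190,
    (5, 15): 124, (6, 1): 43, (6, 4): 8,
}
INTRODUCED = (4, 16, 0)       # mainline commit c4a5153e87fd
BACKPORT_4_15 = (4, 15, 12)   # 4.15.y backport; the advisory lists no fix for it
MAINLINE_FIX = (6, 5, 0)


def parse_release(release):
    """Turn a `uname -r` style string into (major, minor, patch)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def cve_2023_54256_status(release):
    """Classify an upstream release: unaffected, affected, fixed or unknown."""
    ver = parse_release(release)
    branch = ver[:2]
    # Assumption of this example: the advisory does not say which 6.5
    # release candidate received the fix, so those are not classified.
    if ver == MAINLINE_FIX and "-rc" in release:
        return "unknown"
    if ver >= MAINLINE_FIX:
        return "fixed"
    if branch == (4, 15):
        return "affected" if ver >= BACKPORT_4_15 else "unaffected"
    if ver < INTRODUCED:
        return "unaffected"
    if branch in FIXED_IN:
        return "fixed" if ver[2] >= FIXED_IN[branch] else "affected"
    # Branch between 4.16 and 6.5 with no fixed release listed in the advisory.
    return "affected"


if __name__ == "__main__":
    import platform
    print(platform.release(), cve_2023_54256_status(platform.release()))
```

The result applies to upstream kernel.org releases only: vendor kernels often backport fixes without changing the upstream version number, so check the vendor changelog for the fix commits listed above.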