CVE-2022-49980

Summary

In the Linux kernel, the following vulnerability has been resolved:

USB: gadget: Fix use-after-free Read in usb_udc_uevent()

The syzbot fuzzer found a race between uevent callbacks and gadget driver unregistration that can cause a use-after-free bug:


BUG: KASAN: use-after-free in usb_udc_uevent+0x11f/0x130 drivers/usb/gadget/udc/core.c:1732 Read of size 8 at addr ffff888078ce2050 by task udevd/2968

CPU: 1 PID: 2968 Comm: udevd Not tainted 5.19.0-rc4-next-20220628-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/29/2022 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:317 [inline] print_report.cold+0x2ba/0x719 mm/kasan/report.c:433 kasan_report+0xbe/0x1f0 mm/kasan/report.c:495 usb_udc_uevent+0x11f/0x130 drivers/usb/gadget/udc/core.c:1732 dev_uevent+0x290/0x770 drivers/base/core.c:2424

The bug occurs because usb_udc_uevent() dereferences udc->driver but does so without acquiring the udc_lock mutex, which protects this field. If the gadget driver is unbound from the udc concurrently with uevent processing, the driver structure may be accessed after it has been deallocated.

To prevent the race, we make sure that the routine holds the mutex around the racing accesses.

Affected Software

VendorProductVersion RangeStatus
LinuxLinux2ccea03a8f7ec93641791f2760d7cdc6cab6205f < f44b0b95d50fffeca036e1ba36770390e0b519ddaffected
LinuxLinux2ccea03a8f7ec93641791f2760d7cdc6cab6205f < 2191c00855b03aa59c20e698be713d952d51fc18affected
LinuxLinux3.1affected
LinuxLinux0 < 3.1unaffected
LinuxLinux5.19.7 <= 5.19.*unaffected
LinuxLinux6.0 <= *unaffected

Weaknesses

References