CVE-2023-53580
N/A
Summary
In the Linux kernel, the following vulnerability has been resolved:
USB: Gadget: core: Help prevent panic during UVC unconfigure
Avichal Rakesh reported a kernel panic that occurred when the UVC gadget driver was removed from a gadget's configuration. The panic involves a somewhat complicated interaction between the kernel driver and a userspace component (as described in the Link tag below), but the analysis did make one thing clear: The Gadget core should accomodate gadget drivers calling usb_gadget_deactivate() as part of their unbind procedure.
Currently this doesn't work. gadget_unbind_driver() calls driver->unbind() while holding the udc->connect_lock mutex, and usb_gadget_deactivate() attempts to acquire that mutex, which will result in a deadlock.
The simple fix is for gadget_unbind_driver() to release the mutex when invoking the ->unbind() callback. There is no particular reason for it to be holding the mutex at that time, and the mutex isn't held while the ->bind() callback is invoked. So we'll drop the mutex before performing the unbind callback and reacquire it afterward.
We'll also add a couple of comments to usb_gadget_activate() and usb_gadget_deactivate(). Because they run in process context they must not be called from a gadget driver's ->disconnect() callback, which (according to the kerneldoc for struct usb_gadget_driver in include/linux/usb/gadget.h) may run in interrupt context. This may help prevent similar bugs from arising in the future.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | d8195536ce2624e2947d9f56b1a61e7a27874bd3 < bed19d95fcb9c98dfaa9585922b39a2dfba7898d | affected |
| Linux | Linux | 286d9975a838d0a54da049765fa1d1fb96b89682 < 8c1edc00db65f6d4408b3d1cd845e8da3b9e0ca4 | affected |
| Linux | Linux | 286d9975a838d0a54da049765fa1d1fb96b89682 < 65dadb2beeb7360232b09ebc4585b54475dfee06 | affected |
| Linux | Linux | 85102a45c7390caf124a3a5796574446f1e037b9 | affected |
| Linux | Linux | 6.1.35 < 6.1.46 | affected |
| Linux | Linux | 6.3.9 < 6.4 | affected |
| Linux | Linux | 6.4 | affected |
| Linux | Linux | 0 < 6.4 | unaffected |
| Linux | Linux | 6.1.46 <= 6.1.* | unaffected |
| Linux | Linux | 6.4.11 <= 6.4.* | unaffected |
| Linux | Linux | 6.5 <= * | unaffected |
Weaknesses
References
- https://git.kernel.org/stable/c/bed19d95fcb9c98dfaa9585922b39a2dfba7898d
- https://git.kernel.org/stable/c/8c1edc00db65f6d4408b3d1cd845e8da3b9e0ca4
- https://git.kernel.org/stable/c/65dadb2beeb7360232b09ebc4585b54475dfee06
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.