CVE-2023-53693
N/A
Summary
In the Linux kernel, the following vulnerability has been resolved:
USB: gadget: Fix the memory leak in raw_gadget driver
Currently, increasing raw_dev->count happens before invoke the raw_queue_event(), if the raw_queue_event() return error, invoke raw_release() will not trigger the dev_free() to be called.
[ 268.905865][ T5067] raw-gadget.0 gadget.0: failed to queue event [ 268.912053][ T5067] udc dummy_udc.0: failed to start USB Raw Gadget: -12 [ 268.918885][ T5067] raw-gadget.0: probe of gadget.0 failed with error -12 [ 268.925956][ T5067] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 268.934657][ T5067] misc raw-gadget: fail, usb_gadget_register_driver returned -16
BUG: memory leak
[<ffffffff8154bf94>] kmalloc_trace+0x24/0x90 mm/slab_common.c:1076 [<ffffffff8347eb55>] kmalloc include/linux/slab.h:582 [inline] [<ffffffff8347eb55>] kzalloc include/linux/slab.h:703 [inline] [<ffffffff8347eb55>] dev_new drivers/usb/gadget/legacy/raw_gadget.c:191 [inline] [<ffffffff8347eb55>] raw_open+0x45/0x110 drivers/usb/gadget/legacy/raw_gadget.c:385 [<ffffffff827d1d09>] misc_open+0x1a9/0x1f0 drivers/char/misc.c:165
[<ffffffff8154bf94>] kmalloc_trace+0x24/0x90 mm/slab_common.c:1076 [<ffffffff8347cd2f>] kmalloc include/linux/slab.h:582 [inline] [<ffffffff8347cd2f>] raw_ioctl_init+0xdf/0x410 drivers/usb/gadget/legacy/raw_gadget.c:460 [<ffffffff8347dfe9>] raw_ioctl+0x5f9/0x1120 drivers/usb/gadget/legacy/raw_gadget.c:1250 [<ffffffff81685173>] vfs_ioctl fs/ioctl.c:51 [inline]
[<ffffffff8154bf94>] kmalloc_trace+0x24/0x90 mm/slab_common.c:1076 [<ffffffff833ecc6a>] kmalloc include/linux/slab.h:582 [inline] [<ffffffff833ecc6a>] kzalloc include/linux/slab.h:703 [inline] [<ffffffff833ecc6a>] dummy_alloc_request+0x5a/0xe0 drivers/usb/gadget/udc/dummy_hcd.c:665 [<ffffffff833e9132>] usb_ep_alloc_request+0x22/0xd0 drivers/usb/gadget/udc/core.c:196 [<ffffffff8347f13d>] gadget_bind+0x6d/0x370 drivers/usb/gadget/legacy/raw_gadget.c:292
This commit therefore invoke kref_get() under the condition that raw_queue_event() return success.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | f2c2e717642c66f7fe7e5dd69b2e8ff5849f4d10 < 68e6287ac61dc22513cd39f02b9ac1fef28513e4 | affected |
| Linux | Linux | f2c2e717642c66f7fe7e5dd69b2e8ff5849f4d10 < 0f7a2b567197798da7bfa2252f4485c0ca6c6266 | affected |
| Linux | Linux | f2c2e717642c66f7fe7e5dd69b2e8ff5849f4d10 < de77000c1923d7942f9b4f08447c8feeae1c0f33 | affected |
| Linux | Linux | f2c2e717642c66f7fe7e5dd69b2e8ff5849f4d10 < 9934e5d07c0dc294169a7d52f6309f35cd6d7755 | affected |
| Linux | Linux | f2c2e717642c66f7fe7e5dd69b2e8ff5849f4d10 < 83e30f2bf86ef7c38fbd476ed81a88522b620628 | affected |
| Linux | Linux | 5.7 | affected |
| Linux | Linux | 0 < 5.7 | unaffected |
| Linux | Linux | 5.10.190 <= 5.10.* | unaffected |
| Linux | Linux | 5.15.124 <= 5.15.* | unaffected |
| Linux | Linux | 6.1.43 <= 6.1.* | unaffected |
| Linux | Linux | 6.4.8 <= 6.4.* | unaffected |
| Linux | Linux | 6.5 <= * | unaffected |
Weaknesses
References
- https://git.kernel.org/stable/c/68e6287ac61dc22513cd39f02b9ac1fef28513e4
- https://git.kernel.org/stable/c/0f7a2b567197798da7bfa2252f4485c0ca6c6266
- https://git.kernel.org/stable/c/de77000c1923d7942f9b4f08447c8feeae1c0f33
- https://git.kernel.org/stable/c/9934e5d07c0dc294169a7d52f6309f35cd6d7755
- https://git.kernel.org/stable/c/83e30f2bf86ef7c38fbd476ed81a88522b620628
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.