CVE-2024-56670

Summary

In the Linux kernel, the following vulnerability has been resolved:

usb: gadget: u_serial: Fix the issue that gs_start_io crashed due to accessing null pointer

Considering that in some extreme cases, when u_serial driver is accessed by multiple threads, Thread A is executing the open operation and calling the gs_open, Thread B is executing the disconnect operation and calling the gserial_disconnect function,The port->port_usb pointer will be set to NULL.

E.g. Thread A Thread B gs_open() gadget_unbind_driver() gs_start_io() composite_disconnect() gs_start_rx() gserial_disconnect() … … spin_unlock(&port->port_lock) status = usb_ep_queue() spin_lock(&port->port_lock) spin_lock(&port->port_lock) port->port_usb = NULL gs_free_requests(port->port_usb->in) spin_unlock(&port->port_lock) Crash

This causes thread A to access a null pointer (port->port_usb is null) when calling the gs_free_requests function, causing a crash.

If port_usb is NULL, the release request will be skipped as it will be done by gserial_disconnect.

So add a null pointer check to gs_start_io before attempting to access the value of the pointer port->port_usb.

Call trace: gs_start_io+0x164/0x25c gs_open+0x108/0x13c tty_open+0x314/0x638 chrdev_open+0x1b8/0x258 do_dentry_open+0x2c4/0x700 vfs_open+0x2c/0x3c path_openat+0xa64/0xc60 do_filp_open+0xb8/0x164 do_sys_openat2+0x84/0xf0 __arm64_sys_openat+0x70/0x9c invoke_syscall+0x58/0x114 el0_svc_common+0x80/0xe0 do_el0_svc+0x1c/0x28 el0_svc+0x38/0x68

Affected Software

VendorProductVersion RangeStatus
LinuxLinuxc1dca562be8ada614ef193aa246c6f8705bcd6b9 < 4efdfdc32d8d6307f968cd99f1db64468471bab1affected
LinuxLinuxc1dca562be8ada614ef193aa246c6f8705bcd6b9 < 28b3c03a6790de1f6f2683919ad657840f0f0f58affected
LinuxLinuxc1dca562be8ada614ef193aa246c6f8705bcd6b9 < 1247e1df086aa6c17ab53cd1bedce70dd7132765affected
LinuxLinuxc1dca562be8ada614ef193aa246c6f8705bcd6b9 < c83213b6649d22656b3a4e92544ceeea8a2c6c07affected
LinuxLinuxc1dca562be8ada614ef193aa246c6f8705bcd6b9 < 8ca07a3d18f39b1669927ef536e485787e856df6affected
LinuxLinuxc1dca562be8ada614ef193aa246c6f8705bcd6b9 < dd6b0ca6025f64ccb465a6a3460c5b0307ed9c44affected
LinuxLinuxc1dca562be8ada614ef193aa246c6f8705bcd6b9 < 4cfbca86f6a8b801f3254e0e3c8f2b1d2d64be2baffected
LinuxLinux2.6.27affected
LinuxLinux0 < 2.6.27unaffected
LinuxLinux5.4.288 <= 5.4.*unaffected
LinuxLinux5.10.232 <= 5.10.*unaffected
LinuxLinux5.15.175 <= 5.15.*unaffected
LinuxLinux6.1.121 <= 6.1.*unaffected
LinuxLinux6.6.67 <= 6.6.*unaffected
LinuxLinux6.12.6 <= 6.12.*unaffected
LinuxLinux6.13 <= *unaffected

Weaknesses

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

CVE Program Container

Additional References

References