CVE-2021-47269
usb: dwc3: ep0: fix NULL pointer exception
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
In the Linux kernel, the following vulnerability has been resolved:
usb: dwc3: ep0: fix NULL pointer exception
There is no validation of the index from dwc3_wIndex_to_dep() and we might
be referring a non-existing ep and trigger a NULL pointer exception. In
certain configurations we might use fewer eps and the index might wrongly
indicate a larger ep index than existing.
By adding this validation from the patch we can actually report a wrong
index back to the caller.
In our usecase we are using a composite device on an older kernel, but
upstream might use this fix also. Unfortunately, I cannot describe the
hardware for others to reproduce the issue as it is a proprietary
implementation.
[ 82.958261] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000a4
[ 82.966891] Mem abort info:
[ 82.969663] ESR = 0x96000006
[ 82.972703] Exception class = DABT (current EL), IL = 32 bits
[ 82.978603] SET = 0, FnV = 0
[ 82.981642] EA = 0, S1PTW = 0
[ 82.984765] Data abort info:
[ 82.987631] ISV = 0, ISS = 0x00000006
[ 82.991449] CM = 0, WnR = 0
[ 82.994409] user pgtable: 4k pages, 39-bit VAs, pgdp = 00000000c6210ccc
[ 83.000999] [00000000000000a4] pgd=0000000053aa5003, pud=0000000053aa5003, pmd=0000000000000000
[ 83.009685] Internal error: Oops: 96000006 [#1] PREEMPT SMP
[ 83.026433] Process irq/62-dwc3 (pid: 303, stack limit = 0x000000003985154c)
[ 83.033470] CPU: 0 PID: 303 Comm: irq/62-dwc3 Not tainted 4.19.124 #1
[ 83.044836] pstate: 60000085 (nZCv daIf -PAN -UAO)
[ 83.049628] pc : dwc3_ep0_handle_feature+0x414/0x43c
[ 83.054558] lr : dwc3_ep0_interrupt+0x3b4/0xc94
...
[ 83.141788] Call trace:
[ 83.144227] dwc3_ep0_handle_feature+0x414/0x43c
[ 83.148823] dwc3_ep0_interrupt+0x3b4/0xc94
[ 83.181546] ---[ end trace aac6b5267d84c32f ]---
En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: usb: dwc3: ep0: corrige excepción de puntero NULL. No hay validación del índice desde dwc3_wIndex_to_dep() y podríamos estar haciendo referencia a un ep inexistente y desencadenar una excepción de puntero NULL. En ciertas configuraciones, podríamos usar menos eps y el índice podría indicar erróneamente un índice ep mayor que el existente. Al agregar esta validación del parche, podemos informar un índice incorrecto a la persona que llama. En nuestro caso de uso, estamos usando un dispositivo compuesto en un kernel más antiguo, pero el nivel superior también podría usar esta solución. Desafortunadamente, no puedo describir el hardware para que otros reproduzcan el problema ya que es una implementación propietaria. [82.958261] No se puede manejar la desreferencia del puntero NULL del kernel en la dirección virtual 00000000000000a4 [82.966891] Información de cancelación de memoria: [82.969663] ESR = 0x96000006 [82.972703] Clase de excepción = DABT (EL actual), IL = 32 bits [ 82.9 78603] CONFIGURAR = 0, FnV = 0 [82.981642] EA = 0, S1PTW = 0 [82.984765] Información de cancelación de datos: [82.987631] ISV = 0, ISS = 0x00000006 [82.991449] CM = 0, WnR = 0 [82.994409] tabla de usuario 4k: páginas, 39 VA de bits, pgdp = 00000000c6210ccc [ 83.000999] [00000000000000a4] pgd=0000000053aa5003, pud=0000000053aa5003, pmd=0000000000000000 [ 83.00 9685] Error interno: Oops: 96000006 [#1] SMP PREEMPTO [83.026433] Proceso irq/62-dwc3 (pid : 303, límite de pila = 0x000000003985154c) [83.033470] CPU: 0 PID: 303 Comm: irq/62-dwc3 No contaminado 4.19.124 #1 [83.044836] pstate: 60000085 (nZCv daIf -PAN -UAO) [ 49628] ordenador personal: dwc3_ep0_handle_feature+0x414/0x43c [ 83.054558] lr : dwc3_ep0_interrupt+0x3b4/0xc94 ... [ 83.141788] Rastreo de llamadas: [ 83.144227] dwc3_ep0_handle_feature+0x414/0x43c [ 83.148 823] dwc3_ep0_interrupt+0x3b4/0xc94 [83.181546] ---[ final de seguimiento aac6b5267d84c32f ]---
CVSS Scores
SSVC
- Decision:Track
Timeline
- 2024-05-21 CVE Reserved
- 2024-05-21 CVE Published
- 2024-05-22 EPSS Updated
- 2024-09-11 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
CAPEC
References (8)
| URL | Tag | Source |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | < 4.4.273 Search vendor "Linux" for product "Linux Kernel" and version " < 4.4.273" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | < 4.9.273 Search vendor "Linux" for product "Linux Kernel" and version " < 4.9.273" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | < 4.14.237 Search vendor "Linux" for product "Linux Kernel" and version " < 4.14.237" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | < 4.19.195 Search vendor "Linux" for product "Linux Kernel" and version " < 4.19.195" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | < 5.4.126 Search vendor "Linux" for product "Linux Kernel" and version " < 5.4.126" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | < 5.10.44 Search vendor "Linux" for product "Linux Kernel" and version " < 5.10.44" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | < 5.12.11 Search vendor "Linux" for product "Linux Kernel" and version " < 5.12.11" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | < 5.13 Search vendor "Linux" for product "Linux Kernel" and version " < 5.13" | en |
Affected
| ||||||