CVE-2021-47436

usb: musb: dsps: Fix the probe error path

Severity Score

"-"

*CVSS v-

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved:

usb: musb: dsps: Fix the probe error path

Commit 7c75bde329d7 ("usb: musb: musb_dsps: request_irq() after
initializing musb") has inverted the calls to
dsps_setup_optional_vbus_irq() and dsps_create_musb_pdev() without
updating correctly the error path. dsps_create_musb_pdev() allocates and
registers a new platform device which must be unregistered and freed
with platform_device_unregister(), and this is missing upon
dsps_setup_optional_vbus_irq() error.

While on the master branch it seems not to trigger any issue, I observed
a kernel crash because of a NULL pointer dereference with a v5.10.70
stable kernel where the patch mentioned above was backported. With this
kernel version, -EPROBE_DEFER is returned the first time
dsps_setup_optional_vbus_irq() is called which triggers the probe to
error out without unregistering the platform device. Unfortunately, on
the Beagle Bone Black Wireless, the platform device still living in the
system is being used by the USB Ethernet gadget driver, which during the
boot phase triggers the crash.

My limited knowledge of the musb world prevents me to revert this commit
which was sent to silence a robot warning which, as far as I understand,
does not make sense. The goal of this patch was to prevent an IRQ to
fire before the platform device being registered. I think this cannot
ever happen due to the fact that enabling the interrupts is done by the
->enable() callback of the platform musb device, and this platform
device must be already registered in order for the core or any other
user to use this callback.

Hence, I decided to fix the error path, which might prevent future
errors on mainline kernels while also fixing older ones.

En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: usb: musb: dsps: corrige la ruta del error de la sonda. El commit 7c75bde329d7 ("usb: musb: musb_dsps: request_irq() después de inicializar musb") ha invertido las llamadas a dsps_setup_optional_vbus_irq() y dsps_create_musb_pdev() sin actualizar correctamente la ruta del error. dsps_create_musb_pdev() asigna y registra un nuevo dispositivo de plataforma que debe cancelarse y liberarse con platform_device_unregister(), y esto falta en el error dsps_setup_optional_vbus_irq(). Mientras que en la rama maestra parece no desencadenar ningún problema, observé un bloqueo del kernel debido a una desreferencia del puntero NULL con un kernel estable v5.10.70 donde el parche mencionado anteriormente estaba respaldado. Con esta versión del kernel, se devuelve -EPROBE_DEFER la primera vez que se llama a dsps_setup_optional_vbus_irq(), lo que provoca que la sonda genere un error sin cancelar el registro del dispositivo de plataforma. Desafortunadamente, en el Beagle Bone Black Wireless, el dispositivo de plataforma que aún se encuentra en el sistema está siendo utilizado por el controlador del dispositivo USB Ethernet, lo que durante la fase de arranque provoca el bloqueo. Mi conocimiento limitado del mundo musb me impide revertir este compromiso que fue enviado para silenciar una advertencia de robot que, hasta donde tengo entendido, no tiene sentido. El objetivo de este parche era evitar que se activara una IRQ antes de que se registrara el dispositivo de la plataforma. Creo que esto nunca puede suceder debido al hecho de que habilitar las interrupciones se realiza mediante la devolución de llamada ->enable() del dispositivo musb de la plataforma, y este dispositivo de plataforma ya debe estar registrado para que el núcleo o cualquier otro usuario pueda usar esto. llamar de vuelta. Por lo tanto, decidí corregir la ruta del error, lo que podría evitar futuros errores en los núcleos principales y al mismo tiempo corregir los más antiguos.

*Credits: N/A

CVSS Scores

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-05-21 CVE Reserved
2024-05-22 CVE Published
2024-05-22 EPSS Updated
2024-08-04 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (12)

URL	Tag	Source
https://git.kernel.org/stable/c/5269937d1483d3159d5b51907346e4f4b13ef079	Vuln. Introduced
https://git.kernel.org/stable/c/ffc825049ed2e8c849d318e987fd5073e0be462f	Vuln. Introduced
https://git.kernel.org/stable/c/9a4a6805294fa7d2653e82972bdaf9e3e1f3d3c9	Vuln. Introduced
https://git.kernel.org/stable/c/8de01a896c1bc14b6b65b8d26013626597a45eda	Vuln. Introduced
https://git.kernel.org/stable/c/72bb3eafcfdd156713a3ea0c9c95d536bd6e6e55	Vuln. Introduced
https://git.kernel.org/stable/c/f5b4df24b4209cc3b9ccc768897415be18807e46	Vuln. Introduced

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/5ed60a430fb5f3d93e7fef66264daef466b4d10c	2021-10-20
https://git.kernel.org/stable/c/e923bce31ffefe4f60edfc6b84f62d4a858f3676	2021-10-20
https://git.kernel.org/stable/c/9ab5d539bc975b8dcde86eca1b58d836b657732e	2021-10-20
https://git.kernel.org/stable/c/9d89e287116796bf987cc48f5c8632ef3048f8eb	2021-10-20
https://git.kernel.org/stable/c/ff9249aab39820be11b6975a10d94253b7d426fc	2021-10-20
https://git.kernel.org/stable/c/c2115b2b16421d93d4993f3fe4c520e91d6fe801	2021-10-13

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.14.247 < 4.14.252 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.14.247 < 4.14.252"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.19.207 < 4.19.213 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.19.207 < 4.19.213"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.4.148 < 5.4.155 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.4.148 < 5.4.155"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.10.67 < 5.10.75 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.10.67 < 5.10.75"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.14.6 < 5.14.14 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.14.6 < 5.14.14"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				5.13.19 Search vendor "Linux" for product "Linux Kernel" and version "5.13.19"		en		Affected