// For flags

CVE-2021-47436

usb: musb: dsps: Fix the probe error path

Severity Score

"-"
*CVSS v-

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

Track
*SSVC
Descriptions

In the Linux kernel, the following vulnerability has been resolved:

usb: musb: dsps: Fix the probe error path

Commit 7c75bde329d7 ("usb: musb: musb_dsps: request_irq() after
initializing musb") has inverted the calls to
dsps_setup_optional_vbus_irq() and dsps_create_musb_pdev() without
updating correctly the error path. dsps_create_musb_pdev() allocates and
registers a new platform device which must be unregistered and freed
with platform_device_unregister(), and this is missing upon
dsps_setup_optional_vbus_irq() error.

While on the master branch it seems not to trigger any issue, I observed
a kernel crash because of a NULL pointer dereference with a v5.10.70
stable kernel where the patch mentioned above was backported. With this
kernel version, -EPROBE_DEFER is returned the first time
dsps_setup_optional_vbus_irq() is called which triggers the probe to
error out without unregistering the platform device. Unfortunately, on
the Beagle Bone Black Wireless, the platform device still living in the
system is being used by the USB Ethernet gadget driver, which during the
boot phase triggers the crash.

My limited knowledge of the musb world prevents me to revert this commit
which was sent to silence a robot warning which, as far as I understand,
does not make sense. The goal of this patch was to prevent an IRQ to
fire before the platform device being registered. I think this cannot
ever happen due to the fact that enabling the interrupts is done by the
->enable() callback of the platform musb device, and this platform
device must be already registered in order for the core or any other
user to use this callback.

Hence, I decided to fix the error path, which might prevent future
errors on mainline kernels while also fixing older ones.

En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: usb: musb: dsps: corrige la ruta del error de la sonda. El commit 7c75bde329d7 ("usb: musb: musb_dsps: request_irq() después de inicializar musb") ha invertido las llamadas a dsps_setup_optional_vbus_irq() y dsps_create_musb_pdev() sin actualizar correctamente la ruta del error. dsps_create_musb_pdev() asigna y registra un nuevo dispositivo de plataforma que debe cancelarse y liberarse con platform_device_unregister(), y esto falta en el error dsps_setup_optional_vbus_irq(). Mientras que en la rama maestra parece no desencadenar ningún problema, observé un bloqueo del kernel debido a una desreferencia del puntero NULL con un kernel estable v5.10.70 donde el parche mencionado anteriormente estaba respaldado. Con esta versión del kernel, se devuelve -EPROBE_DEFER la primera vez que se llama a dsps_setup_optional_vbus_irq(), lo que provoca que la sonda genere un error sin cancelar el registro del dispositivo de plataforma. Desafortunadamente, en el Beagle Bone Black Wireless, el dispositivo de plataforma que aún se encuentra en el sistema está siendo utilizado por el controlador del dispositivo USB Ethernet, lo que durante la fase de arranque provoca el bloqueo. Mi conocimiento limitado del mundo musb me impide revertir este compromiso que fue enviado para silenciar una advertencia de robot que, hasta donde tengo entendido, no tiene sentido. El objetivo de este parche era evitar que se activara una IRQ antes de que se registrara el dispositivo de la plataforma. Creo que esto nunca puede suceder debido al hecho de que habilitar las interrupciones se realiza mediante la devolución de llamada ->enable() del dispositivo musb de la plataforma, y este dispositivo de plataforma ya debe estar registrado para que el núcleo o cualquier otro usuario pueda usar esto. llamar de vuelta. Por lo tanto, decidí corregir la ruta del error, lo que podría evitar futuros errores en los núcleos principales y al mismo tiempo corregir los más antiguos.

*Credits: N/A
CVSS Scores
Attack Vector
-
Attack Complexity
-
Privileges Required
-
User Interaction
-
Scope
-
Confidentiality
-
Integrity
-
Availability
-
* Common Vulnerability Scoring System
SSVC
  • Decision:Track
Exploitation
None
Automatable
No
Tech. Impact
Partial
* Organization's Worst-case Scenario
Timeline
  • 2024-05-21 CVE Reserved
  • 2024-05-22 CVE Published
  • 2024-05-22 EPSS Updated
  • 2024-12-19 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
>= 4.14.247 < 4.14.252
Search vendor "Linux" for product "Linux Kernel" and version " >= 4.14.247 < 4.14.252"
en
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
>= 4.19.207 < 4.19.213
Search vendor "Linux" for product "Linux Kernel" and version " >= 4.19.207 < 4.19.213"
en
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
>= 5.4.148 < 5.4.155
Search vendor "Linux" for product "Linux Kernel" and version " >= 5.4.148 < 5.4.155"
en
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
>= 5.10.67 < 5.10.75
Search vendor "Linux" for product "Linux Kernel" and version " >= 5.10.67 < 5.10.75"
en
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
>= 5.14.6 < 5.14.14
Search vendor "Linux" for product "Linux Kernel" and version " >= 5.14.6 < 5.14.14"
en
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
5.13.19
Search vendor "Linux" for product "Linux Kernel" and version "5.13.19"
en
Affected