CVE-2023-52855
usb: dwc2: fix possible NULL pointer dereference caused by driver concurrency
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
In the Linux kernel, the following vulnerability has been resolved:
usb: dwc2: fix possible NULL pointer dereference caused by driver concurrency
In _dwc2_hcd_urb_enqueue(), "urb->hcpriv = NULL" is executed without
holding the lock "hsotg->lock". In _dwc2_hcd_urb_dequeue():
spin_lock_irqsave(&hsotg->lock, flags);
...
if (!urb->hcpriv) {
dev_dbg(hsotg->dev, "## urb->hcpriv is NULL ##
");
goto out;
}
rc = dwc2_hcd_urb_dequeue(hsotg, urb->hcpriv); // Use urb->hcpriv
...
out:
spin_unlock_irqrestore(&hsotg->lock, flags);
When _dwc2_hcd_urb_enqueue() and _dwc2_hcd_urb_dequeue() are
concurrently executed, the NULL check of "urb->hcpriv" can be executed
before "urb->hcpriv = NULL". After urb->hcpriv is NULL, it can be used
in the function call to dwc2_hcd_urb_dequeue(), which can cause a NULL
pointer dereference.
This possible bug is found by an experimental static analysis tool
developed by myself. This tool analyzes the locking APIs to extract
function pairs that can be concurrently executed, and then analyzes the
instructions in the paired functions to identify possible concurrency
bugs including data races and atomicity violations. The above possible
bug is reported, when my tool analyzes the source code of Linux 6.5.
To fix this possible bug, "urb->hcpriv = NULL" should be executed with
holding the lock "hsotg->lock". After using this patch, my tool never
reports the possible bug, with the kernelconfiguration allyesconfig for
x86_64. Because I have no associated hardware, I cannot test the patch
in runtime testing, and just verify it according to the code logic.
En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: usb: dwc2: corrige posible desreferencia de puntero NULL causada por concurrencia de controladores. En _dwc2_hcd_urb_enqueue(), "urb->hcpriv = NULL" se ejecuta sin mantener presionado el bloqueo "hsotg->lock" . En _dwc2_hcd_urb_dequeue(): spin_lock_irqsave(&hsotg->lock, flags); ... if (!urb->hcpriv) { dev_dbg(hsotg->dev, "## urb->hcpriv es NULL ##
"); salir; } rc = dwc2_hcd_urb_dequeue(hsotg, urb->hcpriv); // Usa urb->hcpriv ... out: spin_unlock_irqrestore(&hsotg->lock, flags); Cuando _dwc2_hcd_urb_enqueue() y _dwc2_hcd_urb_dequeue() se ejecutan simultáneamente, la verificación NULL de "urb->hcpriv" se puede ejecutar antes de "urb->hcpriv = NULL". Después de que urb->hcpriv sea NULL, se puede usar en la llamada de función a dwc2_hcd_urb_dequeue(), lo que puede provocar una desreferencia del puntero NULL. Este posible error se encuentra mediante una herramienta experimental de análisis estático desarrollada por mí. Esta herramienta analiza las API de bloqueo para extraer pares de funciones que se pueden ejecutar simultáneamente y luego analiza las instrucciones en las funciones emparejadas para identificar posibles errores de concurrencia, incluidas ejecucións de datos y violaciones de atomicidad. El posible error anterior se informa cuando mi herramienta analiza el código fuente de Linux 6.5. Para corregir este posible error, se debe ejecutar "urb->hcpriv = NULL" manteniendo presionado el bloqueo "hsotg->lock". Después de usar este parche, mi herramienta nunca informa el posible error, con la configuración del kernel allyesconfig para x86_64. Como no tengo hardware asociado, no puedo probar el parche en tiempo de ejecución y simplemente verificarlo de acuerdo con la lógica del código.
CVSS Scores
SSVC
- Decision:Track
Timeline
- 2024-05-21 CVE Reserved
- 2024-05-21 CVE Published
- 2024-05-22 EPSS Updated
- 2024-12-19 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-476: NULL Pointer Dereference
CAPEC
References (10)
URL | Tag | Source |
---|---|---|
https://git.kernel.org/stable/c/33ad261aa62be02f0cedeb4d5735cc726de84a3f | Vuln. Introduced |
URL | Date | SRC |
---|
URL | Date | SRC |
---|
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 4.2 < 4.14.330 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.2 < 4.14.330" | en |
Affected
| ||||||
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 4.2 < 4.19.299 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.2 < 4.19.299" | en |
Affected
| ||||||
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 4.2 < 5.4.261 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.2 < 5.4.261" | en |
Affected
| ||||||
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 4.2 < 5.10.201 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.2 < 5.10.201" | en |
Affected
| ||||||
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 4.2 < 5.15.139 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.2 < 5.15.139" | en |
Affected
| ||||||
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 4.2 < 6.1.63 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.2 < 6.1.63" | en |
Affected
| ||||||
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 4.2 < 6.5.12 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.2 < 6.5.12" | en |
Affected
| ||||||
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 4.2 < 6.6.2 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.2 < 6.6.2" | en |
Affected
| ||||||
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 4.2 < 6.7 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.2 < 6.7" | en |
Affected
|