CVE-2023-52855

usb: dwc2: fix possible NULL pointer dereference caused by driver concurrency

Severity Score

"-"

*CVSS v-

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved:

usb: dwc2: fix possible NULL pointer dereference caused by driver concurrency

In _dwc2_hcd_urb_enqueue(), "urb->hcpriv = NULL" is executed without
holding the lock "hsotg->lock". In _dwc2_hcd_urb_dequeue():

spin_lock_irqsave(&hsotg->lock, flags);
...
if (!urb->hcpriv) {
dev_dbg(hsotg->dev, "## urb->hcpriv is NULL ##
");
goto out;
}
rc = dwc2_hcd_urb_dequeue(hsotg, urb->hcpriv); // Use urb->hcpriv
...
out:
spin_unlock_irqrestore(&hsotg->lock, flags);

When _dwc2_hcd_urb_enqueue() and _dwc2_hcd_urb_dequeue() are
concurrently executed, the NULL check of "urb->hcpriv" can be executed
before "urb->hcpriv = NULL". After urb->hcpriv is NULL, it can be used
in the function call to dwc2_hcd_urb_dequeue(), which can cause a NULL
pointer dereference.

This possible bug is found by an experimental static analysis tool
developed by myself. This tool analyzes the locking APIs to extract
function pairs that can be concurrently executed, and then analyzes the
instructions in the paired functions to identify possible concurrency
bugs including data races and atomicity violations. The above possible
bug is reported, when my tool analyzes the source code of Linux 6.5.

To fix this possible bug, "urb->hcpriv = NULL" should be executed with
holding the lock "hsotg->lock". After using this patch, my tool never
reports the possible bug, with the kernelconfiguration allyesconfig for
x86_64. Because I have no associated hardware, I cannot test the patch
in runtime testing, and just verify it according to the code logic.

En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: usb: dwc2: corrige posible desreferencia de puntero NULL causada por concurrencia de controladores. En _dwc2_hcd_urb_enqueue(), "urb->hcpriv = NULL" se ejecuta sin mantener presionado el bloqueo "hsotg->lock" . En _dwc2_hcd_urb_dequeue(): spin_lock_irqsave(&hsotg->lock, flags); ... if (!urb->hcpriv) { dev_dbg(hsotg->dev, "## urb->hcpriv es NULL ##
"); salir; } rc = dwc2_hcd_urb_dequeue(hsotg, urb->hcpriv); // Usa urb->hcpriv ... out: spin_unlock_irqrestore(&hsotg->lock, flags); Cuando _dwc2_hcd_urb_enqueue() y _dwc2_hcd_urb_dequeue() se ejecutan simultáneamente, la verificación NULL de "urb->hcpriv" se puede ejecutar antes de "urb->hcpriv = NULL". Después de que urb->hcpriv sea NULL, se puede usar en la llamada de función a dwc2_hcd_urb_dequeue(), lo que puede provocar una desreferencia del puntero NULL. Este posible error se encuentra mediante una herramienta experimental de análisis estático desarrollada por mí. Esta herramienta analiza las API de bloqueo para extraer pares de funciones que se pueden ejecutar simultáneamente y luego analiza las instrucciones en las funciones emparejadas para identificar posibles errores de concurrencia, incluidas ejecucións de datos y violaciones de atomicidad. El posible error anterior se informa cuando mi herramienta analiza el código fuente de Linux 6.5. Para corregir este posible error, se debe ejecutar "urb->hcpriv = NULL" manteniendo presionado el bloqueo "hsotg->lock". Después de usar este parche, mi herramienta nunca informa el posible error, con la configuración del kernel allyesconfig para x86_64. Como no tengo hardware asociado, no puedo probar el parche en tiempo de ejecución y simplemente verificarlo de acuerdo con la lógica del código.

*Credits: N/A

CVSS Scores

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-05-21 CVE Reserved
2024-05-21 CVE Published
2024-05-22 EPSS Updated
2024-08-02 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (10)

URL	Tag	Source
https://git.kernel.org/stable/c/33ad261aa62be02f0cedeb4d5735cc726de84a3f	Vuln. Introduced

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/14c9ec34e8118fbffd7f5431814d767726323e72	2023-11-20
https://git.kernel.org/stable/c/fed492aa6493a91a77ebd51da6fb939c98d94a0d	2023-11-20
https://git.kernel.org/stable/c/64c47749fc7507ed732e155c958253968c1d275e	2023-11-20
https://git.kernel.org/stable/c/bdb3dd4096302d6b87441fdc528439f171b04be6	2023-11-20
https://git.kernel.org/stable/c/fcaafb574fc88a52dce817f039f7ff2f9da38001	2023-11-20
https://git.kernel.org/stable/c/6b21a22728852d020a6658d39cd7bb7e14b07790	2023-11-20
https://git.kernel.org/stable/c/3e851a77a13ce944d703721793f49ee82622986d	2023-11-20
https://git.kernel.org/stable/c/a7bee9598afb38004841a41dd8fe68c1faff4e90	2023-11-20
https://git.kernel.org/stable/c/ef307bc6ef04e8c1ea843231db58e3afaafa9fa6	2023-10-02

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.2 < 4.14.330 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.2 < 4.14.330"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.2 < 4.19.299 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.2 < 4.19.299"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.2 < 5.4.261 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.2 < 5.4.261"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.2 < 5.10.201 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.2 < 5.10.201"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.2 < 5.15.139 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.2 < 5.15.139"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.2 < 6.1.63 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.2 < 6.1.63"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.2 < 6.5.12 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.2 < 6.5.12"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.2 < 6.6.2 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.2 < 6.6.2"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.2 < 6.7 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.2 < 6.7"		en		Affected