CVE-2024-26715 usb: dwc3: gadget: Fix NULL pointer dereference in dwc3_gadget_suspend

2024-04-0314:55:16

Linux

www.cve.org

linux kernel

vulnerability

usb

dwc3

gadget

null pointer

dereference

suspend

plug-out

plug-in

call stack

7.7 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

15.7%

JSON

In the Linux kernel, the following vulnerability has been resolved:

usb: dwc3: gadget: Fix NULL pointer dereference in dwc3_gadget_suspend

In current scenario if Plug-out and Plug-In performed continuously
there could be a chance while checking for dwc->gadget_driver in
dwc3_gadget_suspend, a NULL pointer dereference may occur.

Call Stack:

CPU1:                           CPU2:
gadget_unbind_driver            dwc3_suspend_common
dwc3_gadget_stop                dwc3_gadget_suspend
                                    dwc3_disconnect_gadget

CPU1 basically clears the variable and CPU2 checks the variable.
Consider CPU1 is running and right before gadget_driver is cleared
and in parallel CPU2 executes dwc3_gadget_suspend where it finds
dwc->gadget_driver which is not NULL and resumes execution and then
CPU1 completes execution. CPU2 executes dwc3_disconnect_gadget where
it checks dwc->gadget_driver is already NULL because of which the
NULL pointer deference occur.

CNA Affected

[
  {
    "product": "Linux",
    "vendor": "Linux",
    "defaultStatus": "unaffected",
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "programFiles": [
      "drivers/usb/dwc3/gadget.c"
    ],
    "versions": [
      {
        "version": "9772b47a4c29",
        "lessThan": "88936ceab6b4",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "9772b47a4c29",
        "lessThan": "57e2e42ccd3c",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "9772b47a4c29",
        "lessThan": "c7ebd8149ee5",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "9772b47a4c29",
        "lessThan": "36695d5eeeef",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "9772b47a4c29",
        "lessThan": "61a348857e86",
        "status": "affected",
        "versionType": "git"
      }
    ]
  },
  {
    "product": "Linux",
    "vendor": "Linux",
    "defaultStatus": "affected",
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "programFiles": [
      "drivers/usb/dwc3/gadget.c"
    ],
    "versions": [
      {
        "version": "4.6",
        "status": "affected"
      },
      {
        "version": "0",
        "lessThan": "4.6",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "5.15.149",
        "lessThanOrEqual": "5.15.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "6.1.79",
        "lessThanOrEqual": "6.1.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "6.6.18",
        "lessThanOrEqual": "6.6.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "6.7.6",
        "lessThanOrEqual": "6.7.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "6.8",
        "lessThanOrEqual": "*",
        "status": "unaffected",
        "versionType": "original_commit_for_fix"
      }
    ]
  }
]