Ubuntu.comUB:CVE-2021-47220CVE-2021-47220
In the Linux kernel, the following vulnerability has been resolved: usb:
dwc3: core: fix kernel panic when do reboot When do system reboot, it calls
dwc3_shutdown and the whole debugfs for dwc3 has removed first, when the
gadget tries to do deinit, and remove debugfs for its endpoints, it meets
NULL pointer dereference issue when call debugfs_lookup. Fix it by removing
the whole dwc3 debugfs later than dwc3_drd_exit. [ 2924.958838] Unable to
handle kernel NULL pointer dereference at virtual address 0000000000000002
… [ 2925.030994] pstate: 60000005 (nZCv daif -PAN -UAO -TCO BTYPE=–) [
2925.037005] pc : inode_permission+0x2c/0x198 [ 2925.041281] lr :
lookup_one_len_common+0xb0/0xf8 [ 2925.045903] sp : ffff80001276ba70 [
2925.049218] x29: ffff80001276ba70 x28: ffff0000c01f0000 x27:
0000000000000000 [ 2925.056364] x26: ffff800011791e70 x25: 0000000000000008
x24: dead000000000100 [ 2925.063510] x23: dead000000000122 x22:
0000000000000000 x21: 0000000000000001 [ 2925.070652] x20: ffff8000122c6188
x19: 0000000000000000 x18: 0000000000000000 [ 2925.077797] x17:
0000000000000000 x16: 0000000000000000 x15: 0000000000000004 [ 2925.084943]
x14: ffffffffffffffff x13: 0000000000000000 x12: 0000000000000030 [
2925.092087] x11: 0101010101010101 x10: 7f7f7f7f7f7f7f7f x9 :
ffff8000102b2420 [ 2925.099232] x8 : 7f7f7f7f7f7f7f7f x7 : feff73746e2f6f64
x6 : 0000000000008080 [ 2925.106378] x5 : 61c8864680b583eb x4 :
209e6ec2d263dbb7 x3 : 000074756f307065 [ 2925.113523] x2 : 0000000000000001
x1 : 0000000000000000 x0 : ffff8000122c6188 [ 2925.120671] Call trace: [
2925.123119] inode_permission+0x2c/0x198 [ 2925.127042]
lookup_one_len_common+0xb0/0xf8 [ 2925.131315]
lookup_one_len_unlocked+0x34/0xb0 [ 2925.135764]
lookup_positive_unlocked+0x14/0x50 [ 2925.140296] debugfs_lookup+0x68/0xa0
[ 2925.143964] dwc3_gadget_free_endpoints+0x84/0xb0 [ 2925.148675]
dwc3_gadget_exit+0x28/0x78 [ 2925.152518] dwc3_drd_exit+0x100/0x1f8 [
2925.156267] dwc3_remove+0x11c/0x120 [ 2925.159851] dwc3_shutdown+0x14/0x20
[ 2925.163432] platform_shutdown+0x28/0x38 [ 2925.167360]
device_shutdown+0x15c/0x378 [ 2925.171291] kernel_restart_prepare+0x3c/0x48
[ 2925.175650] kernel_restart+0x1c/0x68 [ 2925.179316]
__do_sys_reboot+0x218/0x240 [ 2925.183247] __arm64_sys_reboot+0x28/0x30 [
2925.187262] invoke_syscall+0x48/0x100 [ 2925.191017]
el0_svc_common.constprop.0+0x48/0xc8 [ 2925.195726] do_el0_svc+0x28/0x88 [
2925.199045] el0_svc+0x20/0x30 [ 2925.202104] el0_sync_handler+0xa8/0xb0 [
2925.205942] el0_sync+0x148/0x180 [ 2925.209270] Code: a9025bf5 2a0203f5
121f0056 370802b5 (79400660) [ 2925.215372] —[ end trace 124254d8e485a58b
]— [ 2925.220012] Kernel panic - not syncing: Attempted to kill init!
exitcode=0x0000000b [ 2925.227676] Kernel Offset: disabled [ 2925.231164]
CPU features: 0x00001001,20000846 [ 2925.235521] Memory Limit: none [
2925.238580] —[ end Kernel panic - not syncing: Attempted to kill init!
exitcode=0x0000000b ]— (cherry picked from commit
2a042767814bd0edf2619f06fecd374e266ea068)
References
git.kernel.org/linus/4bf584a03eec674975ee9fe36c8583d9d470dab1 (5.13-rc7)
git.kernel.org/stable/c/174c27583b3807ac96228c442735b02622d8d1c3
git.kernel.org/stable/c/4bf584a03eec674975ee9fe36c8583d9d470dab1
git.kernel.org/stable/c/58b5e02c6ca0e2b7c87cd8023ff786ef3c0eef74
git.kernel.org/stable/c/7f9745ab342bcce5efd5d4d2297d0a3dd9db0eac
git.kernel.org/stable/c/fa8c413e6b74ae5d12daf911c73238c5bdacd8e6
git.kernel.org/stable/c/fd7c4bd582494934be15d41aebe0dbe23790605f
git.kernel.org/stable/c/ff4c63f3e8cb7af2ce51cc56b031e08fd23c758b
launchpad.net/bugs/cve/CVE-2021-47220
nvd.nist.gov/vuln/detail/CVE-2021-47220
security-tracker.debian.org/tracker/CVE-2021-47220
www.cve.org/CVERecord?id=CVE-2021-47220
Related
