In the Linux kernel, the following vulnerability has been resolved: usb:
dwc3: ep0: fix NULL pointer exception There is no validation of the index
from dwc3_wIndex_to_dep() and we might be referring a non-existing ep and
trigger a NULL pointer exception. In certain configurations we might use
fewer eps and the index might wrongly indicate a larger ep index than
existing. By adding this validation from the patch we can actually report a
wrong index back to the caller. In our usecase we are using a composite
device on an older kernel, but upstream might use this fix also.
Unfortunately, I cannot describe the hardware for others to reproduce the
issue as it is a proprietary implementation. [ 82.958261] Unable to handle
kernel NULL pointer dereference at virtual address 00000000000000a4 [
82.966891] Mem abort info: [ 82.969663] ESR = 0x96000006 [ 82.972703]
Exception class = DABT (current EL), IL = 32 bits [ 82.978603] SET = 0, FnV
= 0 [ 82.981642] EA = 0, S1PTW = 0 [ 82.984765] Data abort info: [
82.987631] ISV = 0, ISS = 0x00000006 [ 82.991449] CM = 0, WnR = 0 [
82.994409] user pgtable: 4k pages, 39-bit VAs, pgdp = 00000000c6210ccc [
83.000999] [00000000000000a4] pgd=0000000053aa5003, pud=0000000053aa5003,
pmd=0000000000000000 [ 83.009685] Internal error: Oops: 96000006 [#1]
PREEMPT SMP [ 83.026433] Process irq/62-dwc3 (pid: 303, stack limit =
0x000000003985154c) [ 83.033470] CPU: 0 PID: 303 Comm: irq/62-dwc3 Not
tainted 4.19.124 #1 [ 83.044836] pstate: 60000085 (nZCv daIf -PAN -UAO) [
83.049628] pc : dwc3_ep0_handle_feature+0x414/0x43c [ 83.054558] lr :
dwc3_ep0_interrupt+0x3b4/0xc94 … [ 83.141788] Call trace: [ 83.144227]
dwc3_ep0_handle_feature+0x414/0x43c [ 83.148823]
dwc3_ep0_interrupt+0x3b4/0xc94 [ 83.181546] —[ end trace aac6b5267d84c32f
]—
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
ubuntu | 18.04 | noarch | linux | < any | UNKNOWN |
ubuntu | 20.04 | noarch | linux | < any | UNKNOWN |
ubuntu | 22.04 | noarch | linux | < any | UNKNOWN |
ubuntu | 23.10 | noarch | linux | < any | UNKNOWN |
ubuntu | 24.04 | noarch | linux | < any | UNKNOWN |
ubuntu | 14.04 | noarch | linux | < any | UNKNOWN |
ubuntu | 16.04 | noarch | linux | < any | UNKNOWN |
ubuntu | 18.04 | noarch | linux-aws | < any | UNKNOWN |
ubuntu | 20.04 | noarch | linux-aws | < any | UNKNOWN |
ubuntu | 22.04 | noarch | linux-aws | < any | UNKNOWN |
git.kernel.org/linus/d00889080ab60051627dab1d85831cd9db750e2a (5.13-rc6)
git.kernel.org/stable/c/366369b89bedd59b1425386e8d4a18a466e420e4
git.kernel.org/stable/c/470403639114895e2697c766fbe17be8d0e9b67a
git.kernel.org/stable/c/60156089f07e724e4dc8483702d5e1ede4522749
git.kernel.org/stable/c/788755756dd4a6aba1de479fec20b0fa600e7f19
git.kernel.org/stable/c/96b74a99d360235c24052f1d060e64ac53f43528
git.kernel.org/stable/c/990dc90750772622d44ca2ea6652c521e6f67e16
git.kernel.org/stable/c/bd551e7c85939de2182010273450bfa78c3742fc
git.kernel.org/stable/c/d00889080ab60051627dab1d85831cd9db750e2a
launchpad.net/bugs/cve/CVE-2021-47269
nvd.nist.gov/vuln/detail/CVE-2021-47269
security-tracker.debian.org/tracker/CVE-2021-47269
www.cve.org/CVERecord?id=CVE-2021-47269