CVSS3
Attack Vector
PHYSICAL
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:P/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:H
AI Score
Confidence
High
EPSS
Percentile
13.2%
In the Linux kernel, the following vulnerability has been resolved: usb:
gadget: f_fs: Fix race between aio_cancel() and AIO request complete FFS
based applications can utilize the aio_cancel() callback to dequeue pending
USB requests submitted to the UDC. There is a scenario where the FFS
application issues an AIO cancel call, while the UDC is handling a soft
disconnect. For a DWC3 based implementation, the callstack looks like the
following: DWC3 Gadget FFS Application dwc3_gadget_soft_disconnect() …
–> dwc3_stop_active_transfers() –> dwc3_gadget_giveback(-ESHUTDOWN) –>
ffs_epfile_async_io_complete() ffs_aio_cancel() –> usb_ep_free_request()
–> usb_ep_dequeue() There is currently no locking implemented between the
AIO completion handler and AIO cancel, so the issue occurs if the
completion routine is running in parallel to an AIO cancel call coming from
the FFS application. As the completion call frees the USB request
(io_data->req) the FFS application is also referencing it for the
usb_ep_dequeue() call. This can lead to accessing a stale/hanging pointer.
commit b566d38857fc (“usb: gadget: f_fs: use io_data->status consistently”)
relocated the usb_ep_free_request() into ffs_epfile_async_io_complete().
However, in order to properly implement locking to mitigate this issue, the
spinlock can’t be added to ffs_epfile_async_io_complete(), as
usb_ep_dequeue() (if successfully dequeuing a USB request) will call the
function driver’s completion handler in the same context. Hence, leading
into a deadlock. Fix this issue by moving the usb_ep_free_request() back to
ffs_user_copy_worker(), and ensuring that it explicitly sets io_data->req
to NULL after freeing it within the ffs->eps_lock. This resolves the race
condition above, as the ffs_aio_cancel() routine will not continue
attempting to dequeue a request that has already been freed, or the
ffs_user_copy_work() not freeing the USB request until the AIO cancel is
done referencing it. This fix depends on commit b566d38857fc (“usb: gadget:
f_fs: use io_data->status consistently”)
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
ubuntu | 20.04 | noarch | linux | < any | UNKNOWN |
ubuntu | 22.04 | noarch | linux | < any | UNKNOWN |
ubuntu | 24.04 | noarch | linux | < any | UNKNOWN |
ubuntu | 20.04 | noarch | linux-aws | < any | UNKNOWN |
ubuntu | 22.04 | noarch | linux-aws | < any | UNKNOWN |
ubuntu | 24.04 | noarch | linux-aws | < any | UNKNOWN |
ubuntu | 20.04 | noarch | linux-aws-5.15 | < any | UNKNOWN |
ubuntu | 22.04 | noarch | linux-aws-6.5 | < any | UNKNOWN |
ubuntu | 20.04 | noarch | linux-azure | < any | UNKNOWN |
ubuntu | 22.04 | noarch | linux-azure | < any | UNKNOWN |
git.kernel.org/linus/24729b307eefcd7c476065cd7351c1a018082c19 (6.9-rc7)
git.kernel.org/stable/c/24729b307eefcd7c476065cd7351c1a018082c19
git.kernel.org/stable/c/73c05ad46bb4fbbdb346004651576d1c8dbcffbb
git.kernel.org/stable/c/d7461830823242702f5d84084bcccb25159003f4
launchpad.net/bugs/cve/CVE-2024-36894
nvd.nist.gov/vuln/detail/CVE-2024-36894
security-tracker.debian.org/tracker/CVE-2024-36894
www.cve.org/CVERecord?id=CVE-2024-36894