CVE-2021-47413 usb: chipidea: ci_hdrc_imx: Also search for 'phys' phandle

2024-05-2115:04:04

Linux

github.com

linux kernel

usb vulnerability

null pointer dereference

6.7 Medium

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

15.6%

JSON

In the Linux kernel, the following vulnerability has been resolved:

usb: chipidea: ci_hdrc_imx: Also search for ‘phys’ phandle

When passing ‘phys’ in the devicetree to describe the USB PHY phandle
(which is the recommended way according to
Documentation/devicetree/bindings/usb/ci-hdrc-usb2.txt) the
following NULL pointer dereference is observed on i.MX7 and i.MX8MM:

[ 1.489344] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000098
[ 1.498170] Mem abort info:
[ 1.500966] ESR = 0x96000044
[ 1.504030] EC = 0x25: DABT (current EL), IL = 32 bits
[ 1.509356] SET = 0, FnV = 0
[ 1.512416] EA = 0, S1PTW = 0
[ 1.515569] FSC = 0x04: level 0 translation fault
[ 1.520458] Data abort info:
[ 1.523349] ISV = 0, ISS = 0x00000044
[ 1.527196] CM = 0, WnR = 1
[ 1.530176] [0000000000000098] user address but active_mm is swapper
[ 1.536544] Internal error: Oops: 96000044 [#1] PREEMPT SMP
[ 1.542125] Modules linked in:
[ 1.545190] CPU: 3 PID: 7 Comm: kworker/u8:0 Not tainted 5.14.0-dirty #3
[ 1.551901] Hardware name: Kontron i.MX8MM N801X S (DT)
[ 1.557133] Workqueue: events_unbound deferred_probe_work_func
[ 1.562984] pstate: 80000005 (Nzcv daif -PAN -UAO -TCO BTYPE=–)
[ 1.568998] pc : imx7d_charger_detection+0x3f0/0x510
[ 1.573973] lr : imx7d_charger_detection+0x22c/0x510

This happens because the charger functions check for the phy presence
inside the imx_usbmisc_data structure (data->usb_phy), but the chipidea
core populates the usb_phy passed via ‘phys’ inside ‘struct ci_hdrc’
(ci->usb_phy) instead.

This causes the NULL pointer dereference inside imx7d_charger_detection().

Fix it by also searching for ‘phys’ in case ‘fsl,usbphy’ is not found.

Tested on a imx7s-warp board.

CNA Affected

[
  {
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "vendor": "Linux",
    "product": "Linux",
    "versions": [
      {
        "status": "affected",
        "version": "746f316b753a",
        "lessThan": "b3265b88e83b",
        "versionType": "git"
      },
      {
        "status": "affected",
        "version": "746f316b753a",
        "lessThan": "66dd03b10e1c",
        "versionType": "git"
      },
      {
        "status": "affected",
        "version": "746f316b753a",
        "lessThan": "8253a34bfae3",
        "versionType": "git"
      }
    ],
    "programFiles": [
      "drivers/usb/chipidea/ci_hdrc_imx.c"
    ],
    "defaultStatus": "unaffected"
  },
  {
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "vendor": "Linux",
    "product": "Linux",
    "versions": [
      {
        "status": "affected",
        "version": "5.8"
      },
      {
        "status": "unaffected",
        "version": "0",
        "lessThan": "5.8",
        "versionType": "custom"
      },
      {
        "status": "unaffected",
        "version": "5.10.73",
        "versionType": "custom",
        "lessThanOrEqual": "5.10.*"
      },
      {
        "status": "unaffected",
        "version": "5.14.12",
        "versionType": "custom",
        "lessThanOrEqual": "5.14.*"
      },
      {
        "status": "unaffected",
        "version": "5.15",
        "versionType": "original_commit_for_fix",
        "lessThanOrEqual": "*"
      }
    ],
    "programFiles": [
      "drivers/usb/chipidea/ci_hdrc_imx.c"
    ],
    "defaultStatus": "affected"
  }
]