ghsa-rxg6-f53c-h5x3
Vulnerability from github
Published
2025-04-14 21:32
Modified
2025-04-14 21:32
Severity ?
5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Details

In the Linux kernel, the following vulnerability has been resolved:

usb: dwc2: gadget: don't reset gadget's driver->bus

UDC driver should not touch gadget's driver internals, especially it should not reset driver->bus. This wasn't harmful so far, but since commit fc274c1e9973 ("USB: gadget: Add a new bus for gadgets") gadget subsystem got it's own bus and messing with ->bus triggers the following NULL pointer dereference:

dwc2 12480000.hsotg: bound driver g_ether 8<--- cut here --- Unable to handle kernel NULL pointer dereference at virtual address 00000000 [00000000] *pgd=00000000 Internal error: Oops: 5 [#1] SMP ARM Modules linked in: ... CPU: 0 PID: 620 Comm: modprobe Not tainted 5.18.0-rc5-next-20220504 #11862 Hardware name: Samsung Exynos (Flattened Device Tree) PC is at module_add_driver+0x44/0xe8 LR is at sysfs_do_create_link_sd+0x84/0xe0 ... Process modprobe (pid: 620, stack limit = 0x(ptrval)) ... module_add_driver from bus_add_driver+0xf4/0x1e4 bus_add_driver from driver_register+0x78/0x10c driver_register from usb_gadget_register_driver_owner+0x40/0xb4 usb_gadget_register_driver_owner from do_one_initcall+0x44/0x1e0 do_one_initcall from do_init_module+0x44/0x1c8 do_init_module from load_module+0x19b8/0x1b9c load_module from sys_finit_module+0xdc/0xfc sys_finit_module from ret_fast_syscall+0x0/0x54 Exception stack(0xf1771fa8 to 0xf1771ff0) ... dwc2 12480000.hsotg: new device is high-speed ---[ end trace 0000000000000000 ]---

Fix this by removing driver->bus entry reset.

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2022-49299"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-26T07:01:06Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: dwc2: gadget: don\u0027t reset gadget\u0027s driver-\u003ebus\n\nUDC driver should not touch gadget\u0027s driver internals, especially it\nshould not reset driver-\u003ebus. This wasn\u0027t harmful so far, but since\ncommit fc274c1e9973 (\"USB: gadget: Add a new bus for gadgets\") gadget\nsubsystem got it\u0027s own bus and messing with -\u003ebus triggers the\nfollowing NULL pointer dereference:\n\ndwc2 12480000.hsotg: bound driver g_ether\n8\u003c--- cut here ---\nUnable to handle kernel NULL pointer dereference at virtual address 00000000\n[00000000] *pgd=00000000\nInternal error: Oops: 5 [#1] SMP ARM\nModules linked in: ...\nCPU: 0 PID: 620 Comm: modprobe Not tainted 5.18.0-rc5-next-20220504 #11862\nHardware name: Samsung Exynos (Flattened Device Tree)\nPC is at module_add_driver+0x44/0xe8\nLR is at sysfs_do_create_link_sd+0x84/0xe0\n...\nProcess modprobe (pid: 620, stack limit = 0x(ptrval))\n...\n module_add_driver from bus_add_driver+0xf4/0x1e4\n bus_add_driver from driver_register+0x78/0x10c\n driver_register from usb_gadget_register_driver_owner+0x40/0xb4\n usb_gadget_register_driver_owner from do_one_initcall+0x44/0x1e0\n do_one_initcall from do_init_module+0x44/0x1c8\n do_init_module from load_module+0x19b8/0x1b9c\n load_module from sys_finit_module+0xdc/0xfc\n sys_finit_module from ret_fast_syscall+0x0/0x54\nException stack(0xf1771fa8 to 0xf1771ff0)\n...\ndwc2 12480000.hsotg: new device is high-speed\n---[ end trace 0000000000000000 ]---\n\nFix this by removing driver-\u003ebus entry reset.",
  "id": "GHSA-rxg6-f53c-h5x3",
  "modified": "2025-04-14T21:32:21Z",
  "published": "2025-04-14T21:32:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49299"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/172cfc167c8ee6238f24f9c16efd598602af643c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3120aac6d0ecd9accf56894aeac0e265f74d3d5a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5127c0f365265bb69cd776ad6e4b872c309f3fa8"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/547ebdc200b862dff761ff4890f66d8217c33316"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5b0c0298f7c3b57417f1729ec4071f76864b72dd"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/bee8f9808a7e82addfc73a0973b16a8bb684205b"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d2159feb9d28ce496d77df98313ab454646372ac"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d232ca0bbc7d03144bad0ffd1792c3352bfd03fa"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/efb15ff4a77fe053c941281775fefa91c87770e0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.