Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> usb: xhci: Fix memory leak in xhci_disable_slot()<br /> <br /> xhci_alloc_command() allocates a command structure and, when the<br /> second argument is true, also allocates a completion structure.<br /> Currently, the error handling path in xhci_disable_slot() only frees<br /> the command structure using kfree(), causing the completion structure<br /> to leak.<br /> <br /> Use xhci_free_command() instead of kfree(). xhci_free_command() correctly<br /> frees both the command structure and the associated completion structure.<br /> Since the command structure is allocated with zero-initialization,<br /> command-&gt;in_ctx is NULL and will not be erroneously freed by<br /> xhci_free_command().<br /> <br /> This bug was found using an experimental static analysis tool we are<br /> developing. The tool is based on the LLVM framework and is specifically<br /> designed to detect memory management issues. It is currently under<br /> active development and not yet publicly available, but we plan to<br /> open-source it after our research is published.<br /> <br /> The bug was originally detected on v6.13-rc1 using our static analysis<br /> tool, and we have verified that the issue persists in the latest mainline<br /> kernel.<br /> <br /> We performed build testing on x86_64 with allyesconfig using GCC=11.4.0.<br /> Since triggering these error paths in xhci_disable_slot() requires specific<br /> hardware conditions or abnormal state, we were unable to construct a test<br /> case to reliably trigger these specific error paths at runtime.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> rust_binder: avoid reading the written value in offsets array<br /> <br /> When sending a transaction, its offsets array is first copied into the<br /> target proc&amp;#39;s vma, and then the values are read back from there. This is<br /> normally fine because the vma is a read-only mapping, so the target<br /> process cannot change the value under us.<br /> <br /> However, if the target process somehow gains the ability to write to its<br /> own vma, it could change the offset before it&amp;#39;s read back, causing the<br /> kernel to misinterpret what the sender meant. If the sender happens to<br /> send a payload with a specific shape, this could in the worst case lead<br /> to the receiver being able to privilege escalate into the sender.<br /> <br /> The intent is that gaining the ability to change the read-only vma of<br /> your own process should not be exploitable, so remove this TOCTOU read<br /> even though it&amp;#39;s unexploitable without another Binder bug.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> rust_binder: check ownership before using vma<br /> <br /> When installing missing pages (or zapping them), Rust Binder will look<br /> up the vma in the mm by address, and then call vm_insert_page (or<br /> zap_page_range_single). However, if the vma is closed and replaced with<br /> a different vma at the same address, this can lead to Rust Binder<br /> installing pages into the wrong vma.<br /> <br /> By installing the page into a writable vma, it becomes possible to write<br /> to your own binder pages, which are normally read-only. Although you&amp;#39;re<br /> not supposed to be able to write to those pages, the intent behind the<br /> design of Rust Binder is that even if you get that ability, it should not<br /> lead to anything bad. Unfortunately, due to another bug, that is not the<br /> case.<br /> <br /> To fix this, store a pointer in vm_private_data and check that the vma<br /> returned by vma_lookup() has the right vm_ops and vm_private_data before<br /> trying to use the vma. This should ensure that Rust Binder will refuse<br /> to interact with any other VMA. The plan is to introduce more vma<br /> abstractions to avoid this unsafe access to vm_ops and vm_private_data,<br /> but for now let&amp;#39;s start with the simplest possible fix.<br /> <br /> C Binder performs the same check in a slightly different way: it<br /> provides a vm_ops-&gt;close that sets a boolean to true, then checks that<br /> boolean after calling vma_lookup(), but this is more fragile<br /> than the solution in this patch. (We probably still want to do both, but<br /> the vm_ops-&gt;close callback will be added later as part of the follow-up<br /> vma API changes.)<br /> <br /> It&amp;#39;s still possible to remap the vma so that pages appear in the right<br /> vma, but at the wrong offset, but this is a separate issue and will be<br /> fixed when Rust Binder gets a vm_ops-&gt;close callback.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> rust_binder: fix oneway spam detection<br /> <br /> The spam detection logic in TreeRange was executed before the current<br /> request was inserted into the tree. So the new request was not being<br /> factored in the spam calculation. Fix this by moving the logic after<br /> the new range has been inserted.<br /> <br /> Also, the detection logic for ArrayRange was missing altogether which<br /> meant large spamming transactions could get away without being detected.<br /> Fix this by implementing an equivalent low_oneway_space() in ArrayRange.<br /> <br /> Note that I looked into centralizing this logic in RangeAllocator but<br /> iterating through &amp;#39;state&amp;#39; and &amp;#39;size&amp;#39; got a bit too complicated (for me)<br /> and I abandoned this effort.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ALSA: usb-audio: Check endpoint numbers at parsing Scarlett2 mixer interfaces<br /> <br /> The Scarlett2 mixer quirk in USB-audio driver may hit a NULL<br /> dereference when a malformed USB descriptor is passed, since it<br /> assumes the presence of an endpoint in the parsed interface in<br /> scarlett2_find_fc_interface(), as reported by fuzzer.<br /> <br /> For avoiding the NULL dereference, just add the sanity check of<br /> bNumEndpoints and skip the invalid interface.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ceph: fix i_nlink underrun during async unlink<br /> <br /> During async unlink, we drop the `i_nlink` counter before we receive<br /> the completion (that will eventually update the `i_nlink`) because "we<br /> assume that the unlink will succeed". That is not a bad idea, but it<br /> races against deletions by other clients (or against the completion of<br /> our own unlink) and can lead to an underrun which emits a WARNING like<br /> this one:<br /> <br /> WARNING: CPU: 85 PID: 25093 at fs/inode.c:407 drop_nlink+0x50/0x68<br /> Modules linked in:<br /> CPU: 85 UID: 3221252029 PID: 25093 Comm: php-cgi8.1 Not tainted 6.14.11-cm4all1-ampere #655<br /> Hardware name: Supermicro ARS-110M-NR/R12SPD-A, BIOS 1.1b 10/17/2023<br /> pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)<br /> pc : drop_nlink+0x50/0x68<br /> lr : ceph_unlink+0x6c4/0x720<br /> sp : ffff80012173bc90<br /> x29: ffff80012173bc90 x28: ffff086d0a45aaf8 x27: ffff0871d0eb5680<br /> x26: ffff087f2a64a718 x25: 0000020000000180 x24: 0000000061c88647<br /> x23: 0000000000000002 x22: ffff07ff9236d800 x21: 0000000000001203<br /> x20: ffff07ff9237b000 x19: ffff088b8296afc0 x18: 00000000f3c93365<br /> x17: 0000000000070000 x16: ffff08faffcbdfe8 x15: ffff08faffcbdfec<br /> x14: 0000000000000000 x13: 45445f65645f3037 x12: 34385f6369706f74<br /> x11: 0000a2653104bb20 x10: ffffd85f26d73290 x9 : ffffd85f25664f94<br /> x8 : 00000000000000c0 x7 : 0000000000000000 x6 : 0000000000000002<br /> x5 : 0000000000000081 x4 : 0000000000000481 x3 : 0000000000000000<br /> x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff08727d3f91e8<br /> Call trace:<br /> drop_nlink+0x50/0x68 (P)<br /> vfs_unlink+0xb0/0x2e8<br /> do_unlinkat+0x204/0x288<br /> __arm64_sys_unlinkat+0x3c/0x80<br /> invoke_syscall.constprop.0+0x54/0xe8<br /> do_el0_svc+0xa4/0xc8<br /> el0_svc+0x18/0x58<br /> el0t_64_sync_handler+0x104/0x130<br /> el0t_64_sync+0x154/0x158<br /> <br /> In ceph_unlink(), a call to ceph_mdsc_submit_request() submits the<br /> CEPH_MDS_OP_UNLINK to the MDS, but does not wait for completion.<br /> <br /> Meanwhile, between this call and the following drop_nlink() call, a<br /> worker thread may process a CEPH_CAP_OP_IMPORT, CEPH_CAP_OP_GRANT or<br /> just a CEPH_MSG_CLIENT_REPLY (the latter of which could be our own<br /> completion). These will lead to a set_nlink() call, updating the<br /> `i_nlink` counter to the value received from the MDS. If that new<br /> `i_nlink` value happens to be zero, it is illegal to decrement it<br /> further. But that is exactly what ceph_unlink() will do then.<br /> <br /> The WARNING can be reproduced this way:<br /> <br /> 1. Force async unlink; only the async code path is affected. Having<br /> no real clue about Ceph internals, I was unable to find out why the<br /> MDS wouldn&amp;#39;t give me the "Fxr" capabilities, so I patched<br /> get_caps_for_async_unlink() to always succeed.<br /> <br /> (Note that the WARNING dump above was found on an unpatched kernel,<br /> without this kludge - this is not a theoretical bug.)<br /> <br /> 2. Add a sleep call after ceph_mdsc_submit_request() so the unlink<br /> completion gets handled by a worker thread before drop_nlink() is<br /> called. This guarantees that the `i_nlink` is already zero before<br /> drop_nlink() runs.<br /> <br /> The solution is to skip the counter decrement when it is already zero,<br /> but doing so without a lock is still racy (TOCTOU). Since<br /> ceph_fill_inode() and handle_cap_grant() both hold the<br /> `ceph_inode_info.i_ceph_lock` spinlock while set_nlink() runs, this<br /> seems like the proper lock to protect the `i_nlink` updates.<br /> <br /> I found prior art in NFS and SMB (using `inode.i_lock`) and AFS (using<br /> `afs_vnode.cb_lock`). All three have the zero check as well.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> usb: gadget: f_ncm: Fix net_device lifecycle with device_move<br /> <br /> The network device outlived its parent gadget device during<br /> disconnection, resulting in dangling sysfs links and null pointer<br /> dereference problems.<br /> <br /> A prior attempt to solve this by removing SET_NETDEV_DEV entirely [1]<br /> was reverted due to power management ordering concerns and a NO-CARRIER<br /> regression.<br /> <br /> A subsequent attempt to defer net_device allocation to bind [2] broke<br /> 1:1 mapping between function instance and network device, making it<br /> impossible for configfs to report the resolved interface name. This<br /> results in a regression where the DHCP server fails on pmOS.<br /> <br /> Use device_move to reparent the net_device between the gadget device and<br /> /sys/devices/virtual/ across bind/unbind cycles. This preserves the<br /> network interface across USB reconnection, allowing the DHCP server to<br /> retain their binding.<br /> <br /> Introduce gether_attach_gadget()/gether_detach_gadget() helpers and use<br /> __free(detach_gadget) macro to undo attachment on bind failure. The<br /> bind_count ensures device_move executes only on the first bind.<br /> <br /> [1] https://lore.kernel.org/lkml/f2a4f9847617a0929d62025748384092e5f35cce.camel@crapouillou.net/<br /> [2] https://lore.kernel.org/linux-usb/795ea759-7eaf-4f78-81f4-01ffbf2d7961@ixit.cz/

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> usb: legacy: ncm: Fix NPE in gncm_bind<br /> <br /> Commit 56a512a9b410 ("usb: gadget: f_ncm: align net_device lifecycle<br /> with bind/unbind") deferred the allocation of the net_device. This<br /> change leads to a NULL pointer dereference in the legacy NCM driver as<br /> it attempts to access the net_device before it&amp;#39;s fully instantiated.<br /> <br /> Store the provided qmult, host_addr, and dev_addr into the struct<br /> ncm_opts-&gt;net_opts during gncm_bind(). These values will be properly<br /> applied to the net_device when it is allocated and configured later in<br /> the binding process by the NCM function driver.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> usb: gadget: f_ncm: Fix atomic context locking issue<br /> <br /> The ncm_set_alt function was holding a mutex to protect against races<br /> with configfs, which invokes the might-sleep function inside an atomic<br /> context.<br /> <br /> Remove the struct net_device pointer from the f_ncm_opts structure to<br /> eliminate the contention. The connection state is now managed by a new<br /> boolean flag to preserve the use-after-free fix from<br /> commit 6334b8e4553c ("usb: gadget: f_ncm: Fix UAF ncm object at re-bind<br /> after usb ep transport error").<br /> <br /> BUG: sleeping function called from invalid context<br /> Call Trace:<br /> dump_stack_lvl+0x83/0xc0<br /> dump_stack+0x14/0x16<br /> __might_resched+0x389/0x4c0<br /> __might_sleep+0x8e/0x100<br /> ...<br /> __mutex_lock+0x6f/0x1740<br /> ...<br /> ncm_set_alt+0x209/0xa40<br /> set_config+0x6b6/0xb40<br /> composite_setup+0x734/0x2b40<br /> ...

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> usb: gadget: f_tcm: Fix NULL pointer dereferences in nexus handling<br /> <br /> The `tpg-&gt;tpg_nexus` pointer in the USB Target driver is dynamically<br /> managed and tied to userspace configuration via ConfigFS. It can be<br /> NULL if the USB host sends requests before the nexus is fully<br /> established or immediately after it is dropped.<br /> <br /> Currently, functions like `bot_submit_command()` and the data<br /> transfer paths retrieve `tv_nexus = tpg-&gt;tpg_nexus` and immediately<br /> dereference `tv_nexus-&gt;tvn_se_sess` without any validation. If a<br /> malicious or misconfigured USB host sends a BOT (Bulk-Only Transport)<br /> command during this race window, it triggers a NULL pointer<br /> dereference, leading to a kernel panic (local DoS).<br /> <br /> This exposes an inconsistent API usage within the module, as peer<br /> functions like `usbg_submit_command()` and `bot_send_bad_response()`<br /> correctly implement a NULL check for `tv_nexus` before proceeding.<br /> <br /> Fix this by bringing consistency to the nexus handling. Add the<br /> missing `if (!tv_nexus)` checks to the vulnerable BOT command and<br /> request processing paths, aborting the command gracefully with an<br /> error instead of crashing the system.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> usb: image: mdc800: kill download URB on timeout<br /> <br /> mdc800_device_read() submits download_urb and waits for completion.<br /> If the timeout fires and the device has not responded, the function<br /> returns without killing the URB, leaving it active.<br /> <br /> A subsequent read() resubmits the same URB while it is still<br /> in-flight, triggering the WARN in usb_submit_urb():<br /> <br /> "URB submitted while active"<br /> <br /> Check the return value of wait_event_timeout() and kill the URB if<br /> it indicates timeout, ensuring the URB is complete before its status<br /> is inspected or the URB is resubmitted.<br /> <br /> Similar to<br /> - commit 372c93131998 ("USB: yurex: fix control-URB timeout handling")<br /> - commit b98d5000c505 ("media: rc: iguanair: handle timeouts")

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> usb: renesas_usbhs: fix use-after-free in ISR during device removal<br /> <br /> In usbhs_remove(), the driver frees resources (including the pipe array)<br /> while the interrupt handler (usbhs_interrupt) is still registered. If an<br /> interrupt fires after usbhs_pipe_remove() but before the driver is fully<br /> unbound, the ISR may access freed memory, causing a use-after-free.<br /> <br /> Fix this by calling devm_free_irq() before freeing resources. This ensures<br /> the interrupt handler is both disabled and synchronized (waits for any<br /> running ISR to complete) before usbhs_pipe_remove() is called.