Entreprise française de cybersécurité depuis 2004
☎ 03 60 47 09 81 - info@securiteinfo.com
☎ 03 60 47 09 81 - info@securiteinfo.com
In the Linux kernel, the following vulnerability has been resolved:usb: dwc3: ep0: fix NULL pointer exceptionThere is no validation of the index from dwc3_wIndex_to_dep() and we mightbe referring a non-existing ep and trigger a NULL pointer exception. Incertain configurations we might use fewer eps and the index might wronglyindicate a larger ep index than existing.By adding this validation from the patch we can actually report a wrongindex back to the caller.In our usecase we are using a composite device on an older kernel, butupstream might use this fix also. Unfortunately, I cannot describe thehardware for others to reproduce the issue as it is a proprietaryimplementation.[ 82.958261] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000a4[ 82.966891] Mem abort info:[ 82.969663] ESR = 0x96000006[ 82.972703] Exception class = DABT (current EL), IL = 32 bits[ 82.978603] SET = 0, FnV = 0[ 82.981642] EA = 0, S1PTW = 0[ 82.984765] Data abort info:[ 82.987631] ISV = 0, ISS = 0x00000006[ 82.991449] CM = 0, WnR = 0[ 82.994409] user pgtable: 4k pages, 39-bit VAs, pgdp = 00000000c6210ccc[ 83.000999] [00000000000000a4] pgd=0000000053aa5003, pud=0000000053aa5003, pmd=0000000000000000[ 83.009685] Internal error: Oops: 96000006 [#1] PREEMPT SMP[ 83.026433] Process irq/62-dwc3 (pid: 303, stack limit = 0x000000003985154c)[ 83.033470] CPU: 0 PID: 303 Comm: irq/62-dwc3 Not tainted 4.19.124 #1[ 83.044836] pstate: 60000085 (nZCv daIf -PAN -UAO)[ 83.049628] pc : dwc3_ep0_handle_feature+0x414/0x43c[ 83.054558] lr : dwc3_ep0_interrupt+0x3b4/0xc94...[ 83.141788] Call trace:[ 83.144227] dwc3_ep0_handle_feature+0x414/0x43c[ 83.148823] dwc3_ep0_interrupt+0x3b4/0xc94[ 83.181546] ---[ end trace aac6b5267d84c32f ]---
- https://git.kernel.org/stable/c/96b74a99d360235c24052f1d060e64ac53f43528
No PoCs found on GitHub currently.