CVE-2021-47272

{"id": "CVE-2021-47272", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2024-05-21T15:15:15.687", "references": [{"url": "https://git.kernel.org/stable/c/03715ea2e3dbbc56947137ce3b4ac18a726b2f87", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/4aad390363d2b9b3e92428dd34d27bb7ea8f1ee8", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/851dee5a5da56564a70290713aee665403bb0b24", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/03715ea2e3dbbc56947137ce3b4ac18a726b2f87", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://git.kernel.org/stable/c/4aad390363d2b9b3e92428dd34d27bb7ea8f1ee8", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://git.kernel.org/stable/c/851dee5a5da56564a70290713aee665403bb0b24", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: dwc3: gadget: Bail from dwc3_gadget_exit() if dwc->gadget is NULL\n\nThere exists a possible scenario in which dwc3_gadget_init() can fail:\nduring during host -> peripheral mode switch in dwc3_set_mode(), and\na pending gadget driver fails to bind. Then, if the DRD undergoes\nanother mode switch from peripheral->host the resulting\ndwc3_gadget_exit() will attempt to reference an invalid and dangling\ndwc->gadget pointer as well as call dma_free_coherent() on unmapped\nDMA pointers.\n\nThe exact scenario can be reproduced as follows:\n - Start DWC3 in peripheral mode\n - Configure ConfigFS gadget with FunctionFS instance (or use g_ffs)\n - Run FunctionFS userspace application (open EPs, write descriptors, etc)\n - Bind gadget driver to DWC3's UDC\n - Switch DWC3 to host mode\n => dwc3_gadget_exit() is called. usb_del_gadget() will put the\n\tConfigFS driver instance on the gadget_driver_pending_list\n - Stop FunctionFS application (closes the ep files)\n - Switch DWC3 to peripheral mode\n => dwc3_gadget_init() fails as usb_add_gadget() calls\n\tcheck_pending_gadget_drivers() and attempts to rebind the UDC\n\tto the ConfigFS gadget but fails with -19 (-ENODEV) because the\n\tFFS instance is not in FFS_ACTIVE state (userspace has not\n\tre-opened and written the descriptors yet, i.e. desc_ready!=0).\n - Switch DWC3 back to host mode\n => dwc3_gadget_exit() is called again, but this time dwc->gadget\n\tis invalid.\n\nAlthough it can be argued that userspace should take responsibility\nfor ensuring that the FunctionFS application be ready prior to\nallowing the composite driver bind to the UDC, failure to do so\nshould not result in a panic from the kernel driver.\n\nFix this by setting dwc->gadget to NULL in the failure path of\ndwc3_gadget_init() and add a check to dwc3_gadget_exit() to bail out\nunless the gadget pointer is valid."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: usb: dwc3: gadget: Bail from dwc3_gadget_exit() si dwc->gadget es NULL. Existe un posible escenario en el que dwc3_gadget_init() puede fallar: durante durante el host -> modo perif\u00e9rico Cambie a dwc3_set_mode() y un controlador de dispositivo pendiente no se vincula. Luego, si el DRD sufre otro cambio de modo desde perif\u00e9rico->host, el dwc3_gadget_exit() resultante intentar\u00e1 hacer referencia a un puntero dwc->gadget no v\u00e1lido y colgante, as\u00ed como llamar a dma_free_coherent() en punteros DMA no asignados. El escenario exacto se puede reproducir de la siguiente manera: - Iniciar DWC3 en modo perif\u00e9rico - Configurar el gadget ConfigFS con la instancia FunctionFS (o usar g_ffs) - Ejecutar la aplicaci\u00f3n de espacio de usuario FunctionFS (abrir EP, escribir descriptores, etc.) - Vincular el controlador del gadget al UDC de DWC3 - Cambiar DWC3 al modo host => se llama a dwc3_gadget_exit(). usb_del_gadget() colocar\u00e1 la instancia del controlador ConfigFS en gadget_driver_pending_list - Detener la aplicaci\u00f3n FunctionFS (cierra los archivos ep) - Cambiar DWC3 al modo perif\u00e9rico => dwc3_gadget_init() falla ya que usb_add_gadget() llama a check_pending_gadget_drivers() e intenta volver a vincular el UDC al El gadget ConfigFS pero falla con -19 (-ENODEV) porque la instancia FFS no est\u00e1 en estado FFS_ACTIVE (el espacio de usuario a\u00fan no se ha reabierto ni escrito los descriptores, es decir, desc_ready!=0). - Vuelva a cambiar DWC3 al modo host => se vuelve a llamar a dwc3_gadget_exit(), pero esta vez dwc->gadget no es v\u00e1lido. Aunque se puede argumentar que el espacio de usuario debe asumir la responsabilidad de garantizar que la aplicaci\u00f3n FunctionFS est\u00e9 lista antes de permitir que el controlador compuesto se vincule al UDC, no hacerlo no deber\u00eda generar p\u00e1nico por parte del controlador del kernel. Solucione este problema configurando dwc->gadget en NULL en la ruta de falla de dwc3_gadget_init() y agregue una marca a dwc3_gadget_exit() para salir del problema a menos que el puntero del gadget sea v\u00e1lido."}], "lastModified": "2025-04-30T14:55:59.530", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C7E14A6C-41D9-41C0-88FA-8959D208A792", "versionEndExcluding": "5.10.44", "versionStartIncluding": "5.10"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F914A757-FAFD-407E-9031-21F66635D5EA", "versionEndExcluding": "5.12.11", "versionStartIncluding": "5.11"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.13:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0CBAD0FC-C281-4666-AB2F-F8E6E1165DF7"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.13:rc2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "96AC23B2-D46A-49D9-8203-8E1BEDCA8532"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.13:rc3:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DA610E30-717C-4700-9F77-A3C9244F3BFD"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.13:rc4:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1ECD33F5-85BE-430B-8F86-8D7BD560311D"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.13:rc5:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CF351855-2437-4CF5-AD7C-BDFA51F27683"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}