First published: Wed Apr 29 2020(Updated: )
A use-after-free flaw was found in usb_sg_cancel in drivers/usb/core/message.c in USB core subsystem. This flaw could allow a local attacker with special user privilege (or root) to crash the system due to a race problem in scatter-gather cancellation and transfer completion in usb_sg_wait. This vulnerability can even lead to a kernel information leak problem . Here usb_sg_cancel() does not take any reference to the transfer and there is nothing to prevent the URBs from being deallocated while the routine is trying to use them. Taking a reference by incrementing the transfer's io->count field while the cancellation is in progress and decrementing it afterwards can be way to address this. The transfer's URBs are not deallocated until io->complete is triggered, which happens when io->count reaches zero. ~~~ BUG: KASAN: use-after-free in atomic_read include/asm-generic/atomic-instrumented.h:26 [inline] BUG: KASAN: use-after-free in usb_hcd_unlink_urb+0x5f/0x170 drivers/usb/core/hcd.c:1607 Read of size 4 at addr ffff888065379610 by task kworker/u4:1/27 ~~~ References: <a href="https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.6.8">https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.6.8</a> <a href="https://lkml.org/lkml/2020/3/23/52">https://lkml.org/lkml/2020/3/23/52</a> Upstream commit: <a href="https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=056ad39ee9253873522f6469c3364964a322912b">https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=056ad39ee9253873522f6469c3364964a322912b</a>
Credit: cve@mitre.org cve@mitre.org cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
Linux Linux kernel | <3.16.85 | |
Linux Linux kernel | >=3.17<4.4.221 | |
Linux Linux kernel | >=4.5<4.9.221 | |
Linux Linux kernel | >=4.10<4.14.178 | |
Linux Linux kernel | >=4.15<4.19.119 | |
Linux Linux kernel | >=4.20<5.4.36 | |
Linux Linux kernel | >=5.5<5.6.8 | |
Netapp Active Iq Unified Manager Vmware Vsphere | ||
Netapp Cloud Backup | ||
Netapp Hci Baseboard Management Controller | =h300s | |
Netapp Hci Baseboard Management Controller | =h410c | |
Netapp Hci Baseboard Management Controller | =h410s | |
Netapp Hci Baseboard Management Controller | =h500s | |
Netapp Hci Baseboard Management Controller | =h610c | |
Netapp Hci Baseboard Management Controller | =h610s | |
Netapp Hci Baseboard Management Controller | =h615c | |
Netapp Hci Baseboard Management Controller | =h700s | |
Netapp Hci Storage Nodes | ||
Netapp Solidfire \& Hci Storage Node | ||
Netapp Steelstore Cloud Integrated Storage | ||
NetApp AFF A700s | ||
Netapp Hci Compute Node | ||
Netapp Solidfire Baseboard Management Controller | ||
Google Android | ||
debian/linux | 5.10.223-1 5.10.226-1 6.1.115-1 6.1.119-1 6.11.10-1 6.12.5-1 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.