NACK: [SRU][F][PATCH 1/1] usb: gadget: f_ncm: Fix UAF ncm object at re-bind after usb ep transport error
Massimiliano Pellizzer
massimiliano.pellizzer at canonical.com
Tue Mar 18 10:28:19 UTC 2025
On Mon, 17 Mar 2025 at 12:23, Edoardo Canepa
<edoardo.canepa at canonical.com> wrote:
>
> From: Norihiko Hama <Norihiko.Hama at alpsalpine.com>
>
> BugLink: https://bugs.launchpad.net/bugs/2067959
This BugLink is a Jammy upstream pull, therefore it is not related to
the CVE fix.
For CVE fixes a BugLink is not necessary (most of the time).
>
> commit 6334b8e4553cc69f51e383c9de545082213d785e upstream.
>
> When the ncm function is working and the usb0 interface is then stopped for link down,
> eth_stop() is called. At this point, if a usb transport error accidentally happens
> in usb_ep_enable(), 'in_ep' and/or 'out_ep' may not be enabled.
>
> After that, ncm_disable() is called to disable for ncm unbind
> but gether_disconnect() is never called since 'in_ep' is not enabled.
>
> As a result, the ncm object is released in ncm unbind
> but 'dev->port_usb' associated to 'ncm->port' is not NULL.
>
> And when ncm binds again to recover the netdev, the ncm object is reallocated
> but the usb0 interface is already associated to the previously released ncm object.
>
> Therefore, once the usb0 interface is up and eth_start_xmit() is called,
> the released ncm object is dereferenced and it might cause a use-after-free memory access.
>
> [function unlink via configfs]
> usb0: eth_stop dev->port_usb=ffffff9b179c3200
> --> error happens in usb_ep_enable().
> NCM: ncm_disable: ncm=ffffff9b179c3200
> --> no gether_disconnect() since ncm->port.in_ep->enabled is false.
> NCM: ncm_unbind: ncm unbind ncm=ffffff9b179c3200
> NCM: ncm_free: ncm free ncm=ffffff9b179c3200 <-- released ncm
>
> [function link via configfs]
> NCM: ncm_alloc: ncm alloc ncm=ffffff9ac4f8a000
> NCM: ncm_bind: ncm bind ncm=ffffff9ac4f8a000
> NCM: ncm_set_alt: ncm=ffffff9ac4f8a000 alt=0
> usb0: eth_open dev->port_usb=ffffff9b179c3200 <-- previous released ncm
> usb0: eth_start dev->port_usb=ffffff9b179c3200 <--
> eth_start_xmit()
> --> dev->wrap()
> Unable to handle kernel paging request at virtual address dead00000000014f
>
> This patch addresses the issue by checking if 'ncm->netdev' is not NULL at
> ncm_disable() to call gether_disconnect() to deassociate 'dev->port_usb'.
> It's more reasonable to check 'ncm->netdev' to call gether_connect/disconnect
> rather than check 'ncm->port.in_ep->enabled' since it might not be enabled
> but the gether connection might be established.
>
> Signed-off-by: Norihiko Hama <Norihiko.Hama at alpsalpine.com>
> Cc: stable <stable at kernel.org>
> Link: https://lore.kernel.org/r/20240327023550.51214-1-Norihiko.Hama@alpsalpine.com
> Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
> Signed-off-by: Portia Stephens <portia.stephens at canonical.com>
> Signed-off-by: Stefan Bader <stefan.bader at canonical.com>
> (backported from commit 750ccb0c33f024aebb9d52ebcade19a403de08ea jammy)
The backport should come from upstream, therefore from mainline or stable trees.
> [ecanepa: adapted ncm_disable due to ncm->timer_stopping not present in commit patch]
> CVE-2024-26996
> Signed-off-by: Edoardo Canepa <edoardo.canepa at canonical.com>
> ---
> drivers/usb/gadget/function/f_ncm.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/usb/gadget/function/f_ncm.c b/drivers/usb/gadget/function/f_ncm.c
> index ca50257b9538..39b7236849a3 100644
> --- a/drivers/usb/gadget/function/f_ncm.c
> +++ b/drivers/usb/gadget/function/f_ncm.c
> @@ -890,7 +890,7 @@ static int ncm_set_alt(struct usb_function *f, unsigned intf, unsigned alt)
> if (alt > 1)
> goto fail;
>
> - if (ncm->port.in_ep->enabled) {
> + if (ncm->netdev) {
> DBG(cdev, "reset ncm\n");
> ncm->timer_stopping = true;
> ncm->netdev = NULL;
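Review bot: the new `if (ncm->netdev)` condition in this reset path is only a faithful replacement for `ncm->port.in_ep->enabled` if `ncm->netdev` is assigned from the return of a successful gether_connect() in the alt == 1 branch and cleared nowhere else; that branch is outside this hunk, so please confirm it, because a connection whose netdev were still NULL would now skip the `ncm->netdev = NULL;` / gether_disconnect() reset here while the endpoints it enabled stay up, which is the inverse of the stale-pointer problem the commit message describes.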
> @@ -1378,7 +1378,7 @@ static void ncm_disable(struct usb_function *f)
>
> DBG(cdev, "ncm deactivated\n");
>
> - if (ncm->port.in_ep->enabled) {
> + if (ncm->netdev) {
> ncm->timer_stopping = true;
> ncm->netdev = NULL;
> gether_disconnect(&ncm->port);
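Review bot: the unchanged context line `ncm->timer_stopping = true;` shows the field present both in the patch and in the tree being patched, which does not square with the backport note `[ecanepa: adapted ncm_disable due to ncm->timer_stopping not present in commit patch]`; please state exactly what was adapted in ncm_disable() and against which source, since this is the hunk that closes the UAF (gether_disconnect() now runs whenever a netdev is attached, even when in_ep was left disabled by a failed usb_ep_enable()), and the provenance line has to be redone against the mainline commit 6334b8e4553cc69f51e383c9de545082213d785e cited above rather than the jammy tree anyway.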
> --
> 2.43.0
>
>
> --
> kernel-team mailing list
> kernel-team at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team
--
Massimiliano Pellizzer
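The failure sequence in the quoted commit message, as an added example written for this page (it is not code from the patch, from f_ncm.c or from u_ether.c): a userspace model that runs link-up, link-down with the endpoint re-enable failing, and then the configfs unlink teardown, once with the pre-patch check on in_ep->enabled and once with the patched check on ncm->netdev. The struct and function names echo the kernel ones but are simplified stand-ins; the usb_ep_enable() transport error is modelled by the ep_error flag, and the freed object is never touched, so the model only reports whether usb0 would still hold a pointer into it.

```c
/* Added example, not code from the patch, f_ncm.c or u_ether.c: a userspace
 * model of the sequence in the commit message; every struct and function is a
 * simplified stand-in whose name echoes the kernel one. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* usb0 side: outlives ncm unbind/rebind, so its back-pointer must be cleared. */
struct eth_dev {
	struct gether *port_usb;   /* must be NULL while no function is connected */
};

struct gether {
	bool in_ep_enabled;        /* models ncm->port.in_ep->enabled */
	struct eth_dev *ioport;
};

struct f_ncm {
	struct gether port;
	struct eth_dev *netdev;    /* non-NULL only after gether_connect() succeeded */
};

static struct eth_dev *gether_connect(struct eth_dev *dev, struct gether *link)
{
	link->ioport = dev;
	link->in_ep_enabled = true;    /* usb_ep_enable(in_ep) succeeded */
	dev->port_usb = link;          /* the back-pointer at issue */
	return dev;
}

static void gether_disconnect(struct gether *link)
{
	struct eth_dev *dev = link->ioport;
	if (!dev)
		return;
	dev->port_usb = NULL;
	link->in_ep_enabled = false;
	link->ioport = NULL;
}

/* eth_stop(): usb0 down; u_ether disables the endpoints, then re-enables them
 * for the next link-up. ep_error models the usb_ep_enable() transport error
 * from the report: the port stays connected but in_ep is left disabled. */
static void eth_stop(struct eth_dev *dev, bool ep_error)
{
	struct gether *link = dev->port_usb;
	if (!link)
		return;
	link->in_ep_enabled = false;   /* usb_ep_disable(in_ep) */
	if (!ep_error)
		link->in_ep_enabled = true;    /* usb_ep_enable(in_ep) */
}

/* Pre-patch ncm_disable(): teardown keyed on endpoint state. */
static void ncm_disable_before(struct f_ncm *ncm)
{
	if (ncm->port.in_ep_enabled) {
		ncm->netdev = NULL;
		gether_disconnect(&ncm->port);
	}
}

/* Patched ncm_disable(): teardown keyed on whether a connection exists. */
static void ncm_disable_after(struct f_ncm *ncm)
{
	if (ncm->netdev) {
		ncm->netdev = NULL;
		gether_disconnect(&ncm->port);
	}
}

/* ncm_set_alt(alt=1), eth_stop (re-enable failing if ep_error), then configfs
 * unlink: ncm_disable, ncm_unbind, ncm_free. Returns 1 if usb0 still points at
 * the ncm object about to be freed (after a rebind eth_start_xmit() would hit
 * freed memory, as in the report), 0 if it was cleared. The check runs before
 * free() so the model itself never touches freed memory. */
int unbind_leaves_dangling_port(bool patched, bool ep_error)
{
	struct eth_dev dev = { .port_usb = NULL };
	struct f_ncm *ncm = calloc(1, sizeof(*ncm));
	if (!ncm)
		return -1;
	ncm->netdev = gether_connect(&dev, &ncm->port);   /* ncm_set_alt(alt == 1) */
	eth_stop(&dev, ep_error);
	if (patched)
		ncm_disable_after(ncm);
	else
		ncm_disable_before(ncm);
	int dangling = dev.port_usb != NULL;
	free(ncm);                                        /* ncm_unbind -> ncm_free */
	return dangling;
}

int main(void)
{
	printf("ep error: pre-patch dangling=%d, patched dangling=%d\n",
	       unbind_leaves_dangling_port(false, true), unbind_leaves_dangling_port(true, true));
	return 0;
}
```

Without the endpoint error both checks tear the connection down, which is why the bug only shows up after a failed usb_ep_enable() in eth_stop(); with the error, only the check on ncm->netdev clears dev->port_usb before the ncm object is freed.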