ACK: [SRU][F][PATCH 0/1] CVE-2024-26996

Kuba Pawlak kuba.pawlak at canonical.com
Thu Mar 20 14:16:28 UTC 2025


On 18.03.2025 17:59, Edoardo Canepa wrote:

> https://ubuntu.com/security/CVE-2024-26996
>
> [ Impact ]
>
> usb: gadget: f_ncm: Fix UAF ncm object at re-bind after usb ep transport error
> When ncm function is working and then stop usb0 interface for link down,
> eth_stop() is called. At this point, accidentally if usb transport error
> should happen in usb_ep_enable(), 'in_ep' and/or 'out_ep' may not be enabled.
>
> After that, ncm_disable() is called to disable for ncm unbind
> but gether_disconnect() is never called since 'in_ep' is not enabled.
>
> As a result, the ncm object is released in ncm unbind
> but 'dev->port_usb' associated to 'ncm->port' is not NULL.
>
> And when ncm bind again to recover netdev, ncm object is reallocated
> but usb0 interface is already associated to previous released ncm object.
>
> Therefore, once usb0 interface is up and eth_start_xmit() is called,
> the released ncm object is dereferenced and it might cause a use-after-free.
>
> [function unlink via configfs]
>    usb0: eth_stop dev->port_usb=ffffff9b179c3200
>    --> error happens in usb_ep_enable().
>    NCM: ncm_disable: ncm=ffffff9b179c3200
>    --> no gether_disconnect() since ncm->port.in_ep->enabled is false.
>    NCM: ncm_unbind: ncm unbind ncm=ffffff9b179c3200
>    NCM: ncm_free: ncm free ncm=ffffff9b179c3200   <-- released ncm
>
> [function link via configfs]
>    NCM: ncm_alloc: ncm alloc ncm=ffffff9ac4f8a000
>    NCM: ncm_bind: ncm bind ncm=ffffff9ac4f8a000
>    NCM: ncm_set_alt: ncm=ffffff9ac4f8a000 alt=0
>    usb0: eth_open dev->port_usb=ffffff9b179c3200  <-- previous released ncm
>    usb0: eth_start dev->port_usb=ffffff9b179c3200 <--
>    eth_start_xmit()
>    --> dev->wrap()
>    Unable to handle kernel paging request at virtual address dead00000000014f
>
> This patch addresses the issue by checking if 'ncm->netdev' is not NULL at
> ncm_disable() to call gether_disconnect() to deassociate 'dev->port_usb'.
> It's more reasonable to check 'ncm->netdev' to call gether_connect/disconnect
> rather than check 'ncm->port.in_ep->enabled' since it might not be enabled
> but the gether connection might be established.
>
> [ Fix ]
>
> Oracular:       not affected
> Noble:          fixed via stable updates
> Jammy:          fixed via stable updates
> Focal:          backport
> Bionic:         backport
> Xenial:         backport
> Trusty:         won't fix
>
> [ Test Plan ]
>
> * Build test for all supported architectures.
> * Boot tested on amd64 architecture.
>
> [ Where Problems Could Occur ]
>
> This changes the handling of object re-bind after USB ep error, so it is unlikely
> that it impacts anything beyond this use case. An issue with this fix would be
> visible with a usb connect/disconnect cycle.
>
> [ Other Info ]
>
> N/A
>
>
Acked-by: Kuba Pawlak <kuba.pawlak at canonical.com>
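To make the sequence in the quoted commit message concrete, here is a constructed C model. It is added here and is neither the kernel source nor code from the mail: it keeps the kernel's function names but replaces the structs, the endpoint enable/disable calls, the allocator and the configfs link/unlink steps with simplified stand-ins (all assumptions), and replays the sequence once with the pre-fix check on ncm->port.in_ep->enabled and once with the post-fix check on ncm->netdev.

```c
/* Constructed model (assumption): the names mirror kernel functions, but every
 * struct and helper here is a simplified stand-in, not the kernel's own code. */
#include <errno.h>
#include <stdbool.h>
#include <string.h>

struct usb_ep  { bool enabled; };
struct gether  { struct usb_ep *in_ep, *out_ep; struct eth_dev *ioport; }; /* ncm->port */
struct eth_dev { struct gether *port_usb; };            /* usb0 side: dev->port_usb */
struct f_ncm {
    struct gether port;
    struct eth_dev *netdev;             /* non-NULL while gether_connect() holds */
    struct usb_ep ep_in, ep_out;
};
static int inject_ep_enable_error;      /* constructed fault injection: fail once */

static int usb_ep_enable(struct usb_ep *ep) {
    if (inject_ep_enable_error) {
        inject_ep_enable_error = 0;
        return -EINVAL;                 /* transport error: ep stays disabled */
    }
    ep->enabled = true;
    return 0;
}
static void usb_ep_disable(struct usb_ep *ep) { ep->enabled = false; }

static struct eth_dev *gether_connect(struct gether *link) {
    if (usb_ep_enable(link->in_ep) || usb_ep_enable(link->out_ep)) return NULL;
    link->ioport->port_usb = link;
    return link->ioport;
}
static void gether_disconnect(struct gether *link) {
    usb_ep_disable(link->in_ep);
    usb_ep_disable(link->out_ep);
    link->ioport->port_usb = NULL;
}
/* ifdown: u_ether bounces the endpoints to flush the queues and ignores the
 * re-enable result, so a failure leaves in_ep disabled but still connected. */
static void eth_stop(struct eth_dev *dev) {
    struct gether *link = dev->port_usb;
    if (!link) return;
    usb_ep_disable(link->in_ep);
    usb_ep_disable(link->out_ep);
    usb_ep_enable(link->in_ep);
    usb_ep_enable(link->out_ep);
}

/* Two static slots stand in for kzalloc/kfree so the first and second ncm
 * objects are guaranteed to have different addresses. */
static struct f_ncm ncm_slots[2];
static int ncm_next;
static struct f_ncm *ncm_alloc(void) { return memset(&ncm_slots[ncm_next++], 0, sizeof *ncm_slots); }
static void ncm_free(struct f_ncm *ncm) { memset(ncm, 0, sizeof *ncm); }
static void ncm_bind(struct f_ncm *ncm, struct eth_dev *dev) {
    ncm->port.in_ep = &ncm->ep_in;
    ncm->port.out_ep = &ncm->ep_out;
    ncm->port.ioport = dev;
}
static void ncm_set_alt(struct f_ncm *ncm, int alt) {
    if (ncm->netdev) {
        ncm->netdev = NULL;
        gether_disconnect(&ncm->port);
    }
    if (alt == 1) ncm->netdev = gether_connect(&ncm->port);
}
static void ncm_disable_before(struct f_ncm *ncm) {    /* pre-fix check */
    if (ncm->port.in_ep->enabled) {
        ncm->netdev = NULL;
        gether_disconnect(&ncm->port);
    }
}
static void ncm_disable_after(struct f_ncm *ncm) {     /* post-fix check */
    if (ncm->netdev) {
        ncm->netdev = NULL;
        gether_disconnect(&ncm->port);
    }
}
enum xmit_target { XMIT_DROPPED, XMIT_LIVE_PORT, XMIT_STALE_PORT };

/* Replays the commit message's sequence: link and select alt 1, ifdown (with or
 * without an ep error), unlink (disable + free), link again at alt 0, then usb0
 * transmits. Returns what eth_start_xmit() would find in dev->port_usb. */
static enum xmit_target run_rebind_sequence(void (*ncm_disable)(struct f_ncm *),
                                            bool ep_error_on_ifdown) {
    struct eth_dev dev = { NULL };
    ncm_next = 0;
    struct f_ncm *ncm = ncm_alloc();
    ncm_bind(ncm, &dev);
    ncm_set_alt(ncm, 1);                /* eps enabled, dev.port_usb set */
    inject_ep_enable_error = ep_error_on_ifdown;
    eth_stop(&dev);                     /* in_ep may fail to re-enable */
    ncm_disable(ncm);
    ncm_free(ncm);                      /* unbind: first object released */
    struct f_ncm *ncm2 = ncm_alloc();   /* re-bind: new object, alt still 0 */
    ncm_bind(ncm2, &dev);
    ncm_set_alt(ncm2, 0);
    if (!dev.port_usb) return XMIT_DROPPED;   /* eth_start_xmit() drops the skb */
    return dev.port_usb == &ncm2->port ? XMIT_LIVE_PORT : XMIT_STALE_PORT;
}
```

Only the combination of an endpoint enable failure during eth_stop() and the pre-fix check leaves dev->port_usb pointing at the released object (XMIT_STALE_PORT); without the error both checks disconnect, and the netdev check disconnects whenever a connection exists, so the re-bound function starts from a clean usb0. Reproducing the real crash needs a controller driver whose usb_ep_enable() actually fails during eth_stop(), which the build and boot test plan above does not exercise.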