Applied: [SRU][F][PATCH 0/1] CVE-2024-26996

Mehmet Basaran mehmet.basaran at canonical.com
Mon Mar 31 23:07:38 UTC 2025


Applied to focal:linux master-next. Thanks

Edoardo Canepa <edoardo.canepa at canonical.com> writes:

> https://ubuntu.com/security/CVE-2024-26996
>
> [ Impact ]
>
> usb: gadget: f_ncm: Fix UAF ncm object at re-bind after usb ep transport error
> When ncm function is working and then stop usb0 interface for link down,
> eth_stop() is called. At this point, accidentally if usb transport error
> should happen in usb_ep_enable(), 'in_ep' and/or 'out_ep' may not be enabled.
>
> After that, ncm_disable() is called to disable for ncm unbind
> but gether_disconnect() is never called since 'in_ep' is not enabled.
>
> As the result, ncm object is released in ncm unbind
> but 'dev->port_usb' associated to 'ncm->port' is not NULL.
>
> And when ncm bind again to recover netdev, ncm object is reallocated
> but usb0 interface is already associated to previous released ncm object.
>
> Therefore, once usb0 interface is up and eth_start_xmit() is called,
> released ncm object is dereferenced and it might cause use-after-free memory.
>
> [function unlink via configfs]
>   usb0: eth_stop dev->port_usb=ffffff9b179c3200
>   --> error happens in usb_ep_enable().
>   NCM: ncm_disable: ncm=ffffff9b179c3200
>   --> no gether_disconnect() since ncm->port.in_ep->enabled is false.
>   NCM: ncm_unbind: ncm unbind ncm=ffffff9b179c3200
>   NCM: ncm_free: ncm free ncm=ffffff9b179c3200   <-- released ncm
>
> [function link via configfs]
>   NCM: ncm_alloc: ncm alloc ncm=ffffff9ac4f8a000
>   NCM: ncm_bind: ncm bind ncm=ffffff9ac4f8a000
>   NCM: ncm_set_alt: ncm=ffffff9ac4f8a000 alt=0
>   usb0: eth_open dev->port_usb=ffffff9b179c3200  <-- previous released ncm
>   usb0: eth_start dev->port_usb=ffffff9b179c3200 <--
>   eth_start_xmit()
>   --> dev->wrap()
>   Unable to handle kernel paging request at virtual address dead00000000014f
>
> This patch addresses the issue by checking if 'ncm->netdev' is not NULL at
> ncm_disable() to call gether_disconnect() to deassociate 'dev->port_usb'.
> It's more reasonable to check 'ncm->netdev' to call gether_connect/disconnect
> rather than check 'ncm->port.in_ep->enabled' since it might not be enabled
> but the gether connection might be established.
>
> [ Fix ]
>
> Oracular:       not affected
> Noble:          fixed via stable updates
> Jammy:          fixed via stable updates
> Focal:          backport
> Bionic:         backport
> Xenial:         backport
> Trusty:         won't fix
>
> [ Test Plan ]
>
> * Build test for all supported architectures.
> * Boot tested on amd64 architecture.
>
> [ Where Problems Could Occur ]
>
> This changes the handling of object re-bind after USB ep error, so it is unlikely
> to impact anything beyond this use case. An issue with this fix would be
> visible with a usb connect/disconnect cycle.
>
> [ Other Info ]
>
> N/A
>
>
> --
> kernel-team mailing list
> kernel-team at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team
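The unlink sequence in the quoted commit message, replayed as an added C model that is not part of the patch, the kernel, or the Ubuntu SRU. Struct and function names follow f_ncm.c and u_ether.c, but every body is a simplification written for this example: the injected usb_ep_enable() error stands in for the transport error, calloc()/free() stand in for ncm_alloc()/ncm_free(), and the trace addresses are not reproduced. The same sequence is run with the pre-fix check (ncm->port.in_ep->enabled) and the fixed check (ncm->netdev), and the function reports whether usb0's dev->port_usb still points at the ncm at the moment it is freed, which is the dangling pointer eth_start_xmit() later dereferences.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed model of the u_ether/f_ncm lifecycle from the commit message.
 * Names follow the kernel's, but every struct and body is a simplification
 * written for this example; none of it is kernel code. */
struct usb_ep { bool enabled; };
struct gether;
struct eth_dev { struct gether *port_usb; };   /* usb0: the function it transmits through */
struct gether { struct usb_ep *in_ep, *out_ep; struct eth_dev *ioport; }; /* ncm->port */
struct f_ncm { struct gether port; struct usb_ep in_ep, out_ep; struct eth_dev *netdev; };

/* Injected fault: the "error happens in usb_ep_enable()" step of the trace. */
static bool inject_ep_enable_error;

static int usb_ep_enable(struct usb_ep *ep)
{
    if (inject_ep_enable_error)
        return -1;
    ep->enabled = true;
    return 0;
}

static void usb_ep_disable(struct usb_ep *ep) { ep->enabled = false; }

/* gether_connect(): enable both endpoints, then hang the port off usb0. */
static int gether_connect(struct gether *link)
{
    if (usb_ep_enable(link->in_ep) != 0 || usb_ep_enable(link->out_ep) != 0)
        return -1;
    link->ioport->port_usb = link;
    return 0;
}

/* gether_disconnect(): the only place dev->port_usb is cleared. */
static void gether_disconnect(struct gether *link)
{
    usb_ep_disable(link->in_ep);
    usb_ep_disable(link->out_ep);
    link->ioport->port_usb = NULL;
}

/* eth_stop(): link down. Endpoints are disabled then re-enabled (the host may
 * still use them); the re-enable result is ignored, so a transport error
 * leaves in_ep disabled while dev->port_usb stays set. */
static void eth_stop(struct eth_dev *dev)
{
    struct gether *link = dev->port_usb;
    if (!link)
        return;
    usb_ep_disable(link->in_ep);
    usb_ep_disable(link->out_ep);
    (void)usb_ep_enable(link->in_ep);
    (void)usb_ep_enable(link->out_ep);
}

/* ncm_disable(): pre-fix keys on in_ep->enabled, the fix keys on ncm->netdev. */
static void ncm_disable(struct f_ncm *ncm, bool fixed)
{
    bool connected = fixed ? (ncm->netdev != NULL) : ncm->port.in_ep->enabled;
    if (connected) {
        gether_disconnect(&ncm->port);
        ncm->netdev = NULL;
    }
}

/* Replay the trace: link, set_alt (connect), eth_stop under a transport
 * error, disable, unbind/free. Returns true if usb0 still pointed at the
 * ncm's port when the ncm was freed, i.e. usb0 is left holding a dangling
 * pointer that the next bind does not replace. */
static bool unlink_leaves_dangling_port(bool fixed)
{
    struct eth_dev dev = { .port_usb = NULL };
    struct f_ncm *ncm = calloc(1, sizeof *ncm);  /* ncm_alloc() */
    if (!ncm)
        abort();
    ncm->port.in_ep = &ncm->in_ep;               /* ncm_bind() */
    ncm->port.out_ep = &ncm->out_ep;
    ncm->port.ioport = &dev;

    if (gether_connect(&ncm->port) != 0)         /* ncm_set_alt(): usb0 up */
        abort();
    ncm->netdev = &dev;

    inject_ep_enable_error = true;               /* usb0 down while the bus errors */
    eth_stop(&dev);
    inject_ep_enable_error = false;

    ncm_disable(ncm, fixed);                     /* configfs unlink */
    bool dangling = (dev.port_usb == &ncm->port);
    free(ncm);                                   /* ncm_free() */
    return dangling;
}

int main(void)
{
    printf("pre-fix check leaves dangling port_usb: %d\n", unlink_leaves_dangling_port(false));
    printf("fixed check leaves dangling port_usb:   %d\n", unlink_leaves_dangling_port(true));
    return 0;
}
```

The model only keeps the state the bug depends on: the endpoint enable flags, the netdev's port_usb link and the function's netdev link. With the pre-fix check the eth_stop() re-enable failure flips in_ep->enabled to false, ncm_disable() skips gether_disconnect(), and usb0 keeps the soon-to-be-freed port; keying on ncm->netdev instead, as the patch does, disconnects whenever a connection was ever established, regardless of endpoint state.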