Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2023-52894— usb: gadget: f_ncm: fix potential NULL ptr deref in ncm_bitrate()

EPSS 0.01% · P1
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2023-52894

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
usb: gadget: f_ncm: fix potential NULL ptr deref in ncm_bitrate()
Source: NVD (National Vulnerability Database)
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_ncm: fix potential NULL ptr deref in ncm_bitrate() In Google internal bug 265639009 we've received an (as yet) unreproducible crash report from an aarch64 GKI 5.10.149-android13 running device. AFAICT the source code is at: https://android.googlesource.com/kernel/common/+/refs/tags/ASB-2022-12-05_13-5.10 The call stack is: ncm_close() -> ncm_notify() -> ncm_do_notify() with the crash at: ncm_do_notify+0x98/0x270 Code: 79000d0b b9000a6c f940012a f9400269 (b9405d4b) Which I believe disassembles to (I don't know ARM assembly, but it looks sane enough to me...): // halfword (16-bit) store presumably to event->wLength (at offset 6 of struct usb_cdc_notification) 0B 0D 00 79 strh w11, [x8, #6] // word (32-bit) store presumably to req->Length (at offset 8 of struct usb_request) 6C 0A 00 B9 str w12, [x19, #8] // x10 (NULL) was read here from offset 0 of valid pointer x9 // IMHO we're reading 'cdev->gadget' and getting NULL // gadget is indeed at offset 0 of struct usb_composite_dev 2A 01 40 F9 ldr x10, [x9] // loading req->buf pointer, which is at offset 0 of struct usb_request 69 02 40 F9 ldr x9, [x19] // x10 is null, crash, appears to be attempt to read cdev->gadget->max_speed 4B 5D 40 B9 ldr w11, [x10, #0x5c] which seems to line up with ncm_do_notify() case NCM_NOTIFY_SPEED code fragment: event->wLength = cpu_to_le16(8); req->length = NCM_STATUS_BYTECOUNT; /* SPEED_CHANGE data is up/down speeds in bits/sec */ data = req->buf + sizeof *event; data[0] = cpu_to_le32(ncm_bitrate(cdev->gadget)); My analysis of registers and NULL ptr deref crash offset (Unable to handle kernel NULL pointer dereference at virtual address 000000000000005c) heavily suggests that the crash is due to 'cdev->gadget' being NULL when executing: data[0] = cpu_to_le32(ncm_bitrate(cdev->gadget)); which calls: ncm_bitrate(NULL) which then calls: gadget_is_superspeed(NULL) which reads ((struct usb_gadget *)NULL)->max_speed and hits a panic. AFAICT, if I'm counting right, the offset of max_speed is indeed 0x5C. (remember there's a GKI KABI reservation of 16 bytes in struct work_struct) It's not at all clear to me how this is all supposed to work... but returning 0 seems much better than panic-ing...
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Title
Linux kernel 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 Linux kernel 存在安全漏洞,该漏洞源于 usb/gadget/f_ncm 组件存在潜在的空指针解引用问题。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
LinuxLinux 1650113888fe7b7e16604a5019c32dd3ddeb3af2 ~ fef6b29671b66dfb71f17e337c1ad14b5a2cedae -
LinuxLinux 4.9 -

II. Public POCs for CVE-2023-52894

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2023-52894

登录查看更多情报信息。

Same Patch Batch · Linux · 2024-08-21 · 69 CVEs total

CVE-2022-48876wifi: mac80211: fix initialization of rx->link and rx->link_sta
CVE-2024-43874crypto: ccp - Fix null pointer dereference in __sev_snp_shutdown_locked
CVE-2024-43873vhost/vsock: always initialize seqpacket_allow
CVE-2024-43875PCI: endpoint: Clean up error handling in vpci_scan_bus()
CVE-2022-48870tty: fix possible null-ptr-defer in spk_ttyio_release
CVE-2022-48871tty: serial: qcom-geni-serial: fix slab-out-of-bounds on RX FIFO buffer
CVE-2022-48872misc: fastrpc: Fix use-after-free race condition for maps
CVE-2022-48873misc: fastrpc: Don't remove map on creater_process and device_release
CVE-2022-48874misc: fastrpc: Fix use-after-free and race in fastrpc_map_find
CVE-2022-48875wifi: mac80211: sdata can be NULL during AMPDU start
CVE-2022-48869USB: gadgetfs: Fix race between mounting and unmounting
CVE-2022-48877f2fs: let's avoid panic if extent_tree is not created
CVE-2022-48878Bluetooth: hci_qca: Fix driver shutdown on closed serdev
CVE-2022-48879efi: fix NULL-deref in init error path
CVE-2022-48880platform/surface: aggregator: Add missing call to ssam_request_sync_free()
CVE-2022-48881platform/x86/amd: Fix refcount leak in amd_pmc_probe
CVE-2022-48882net/mlx5e: Fix macsec possible null dereference when updating MAC security entity (SecY)
CVE-2022-48883net/mlx5e: IPoIB, Block PKEY interfaces with less rx queues than parent
CVE-2022-48884net/mlx5: Fix command stats access after free
CVE-2022-48885ice: Fix potential memory leak in ice_gnss_tty_write()

Showing top 20 of 69 CVEs. View all on vendor page → →

IV. Related Vulnerabilities

Same product: Linux
Same vendor: Linux

V. Comments for CVE-2023-52894

No comments yet

Leave a comment