CVE-2022-49398

{"id": "CVE-2022-49398", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2025-02-26T07:01:16.377", "references": [{"url": "https://git.kernel.org/stable/c/1c6e5dc3b639c96e6839a8d1b8e951923fdfd34a", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/2424307cdf421ac72075a1384eae4e4199ab6457", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/26a7e6832afe9d9a991cfd9015177f083cf959cc", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/bf594d1d0c1d7b895954018043536ffd327844f9", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: dwc3: gadget: Replace list_for_each_entry_safe() if using giveback\n\nThe list_for_each_entry_safe() macro saves the current item (n) and\nthe item after (n+1), so that n can be safely removed without\ncorrupting the list. However, when traversing the list and removing\nitems using gadget giveback, the DWC3 lock is briefly released,\nallowing other routines to execute. There is a situation where, while\nitems are being removed from the cancelled_list using\ndwc3_gadget_ep_cleanup_cancelled_requests(), the pullup disable\nroutine is running in parallel (due to UDC unbind). As the cleanup\nroutine removes n, and the pullup disable removes n+1, once the\ncleanup retakes the DWC3 lock, it references a request who was already\nremoved/handled. With list debug enabled, this leads to a panic.\nEnsure all instances of the macro are replaced where gadget giveback\nis used.\n\nExample call stack:\n\nThread#1:\n__dwc3_gadget_ep_set_halt() - CLEAR HALT\n -> dwc3_gadget_ep_cleanup_cancelled_requests()\n ->list_for_each_entry_safe()\n ->dwc3_gadget_giveback(n)\n ->dwc3_gadget_del_and_unmap_request()- n deleted[cancelled_list]\n ->spin_unlock\n ->Thread#2 executes\n ...\n ->dwc3_gadget_giveback(n+1)\n ->Already removed!\n\nThread#2:\ndwc3_gadget_pullup()\n ->waiting for dwc3 spin_lock\n ...\n ->Thread#1 released lock\n ->dwc3_stop_active_transfers()\n ->dwc3_remove_requests()\n ->fetches n+1 item from cancelled_list (n removed by Thread#1)\n ->dwc3_gadget_giveback()\n ->dwc3_gadget_del_and_unmap_request()- n+1 deleted[cancelled_list]\n ->spin_unlock"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: usb: dwc3: gadget: Reemplazar list_for_each_entry_safe() si se usa giveback La macro list_for_each_entry_safe() guarda el elemento actual (n) y el elemento posterior (n+1), de modo que n se pueda eliminar de forma segura sin da\u00f1ar la lista. Sin embargo, al recorrer la lista y eliminar elementos usando gadget giveback, el bloqueo DWC3 se libera brevemente, lo que permite que se ejecuten otras rutinas. Existe una situaci\u00f3n en la que, mientras se eliminan elementos de la lista cancelada usando dwc3_gadget_ep_cleanup_cancelled_requests(), la rutina de desactivaci\u00f3n de pullup se ejecuta en paralelo (debido a la desvinculaci\u00f3n de UDC). A medida que la rutina de limpieza elimina n, y la desactivaci\u00f3n de pullup elimina n+1, una vez que la limpieza retoma el bloqueo DWC3, hace referencia a una solicitud que ya fue eliminada/gestionada. Con la depuraci\u00f3n de lista habilitada, esto genera un p\u00e1nico. Aseg\u00farese de que todas las instancias de la macro se reemplacen donde se use la devoluci\u00f3n de gadgets. Ejemplo de pila de llamadas: Thread#1: __dwc3_gadget_ep_set_halt() - CLEAR HALT -> dwc3_gadget_ep_cleanup_cancelled_requests() ->list_for_each_entry_safe() ->dwc3_gadget_giveback(n) ->dwc3_gadget_del_and_unmap_request()- n deleted[cancelled_list] ->spin_unlock ->Thread#2 executes ... ->dwc3_gadget_giveback(n+1) ->Already removed! Thread#2: dwc3_gadget_pullup() ->waiting for dwc3 spin_lock ... ->Thread#1 released lock ->dwc3_stop_active_transfers() ->dwc3_remove_requests() ->fetches n+1 item from cancelled_list (n removed by Thread#1) ->dwc3_gadget_giveback() ->dwc3_gadget_del_and_unmap_request()- n+1 deleted[cancelled_list] ->spin_unlock "}], "lastModified": "2025-10-21T12:15:09.393", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "736CAD7C-FDCA-4435-A31E-A705615CF44F", "versionEndExcluding": "4.20", "versionStartIncluding": "4.19.57"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BFE19B19-67CE-4279-8E7C-FC2144344195", "versionEndExcluding": "5.15.47", "versionStartIncluding": "5.0"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "53E7AA2E-2FB4-45CA-A22B-08B4EDBB51AD", "versionEndExcluding": "5.17.15", "versionStartIncluding": "5.16"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FA6D643C-6D6A-4821-8A8D-B5776B8F0103", "versionEndExcluding": "5.18.4", "versionStartIncluding": "5.18"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}