
CVE-2024-36894

Status Candidate

Overview

In the Linux kernel, the following vulnerability has been resolved:

usb: gadget: f_fs: Fix race between aio_cancel() and AIO request complete

FFS based applications can utilize the aio_cancel() callback to dequeue pending USB requests submitted to the UDC. There is a scenario where the FFS application issues an AIO cancel call, while the UDC is handling a soft disconnect. For a DWC3 based implementation, the callstack looks like the following:

    DWC3 Gadget                                FFS Application
    dwc3_gadget_soft_disconnect()              ...
      --> dwc3_stop_active_transfers()
        --> dwc3_gadget_giveback(-ESHUTDOWN)
          --> ffs_epfile_async_io_complete()   ffs_aio_cancel()
            --> usb_ep_free_request()            --> usb_ep_dequeue()

There is currently no locking implemented between the AIO completion handler and AIO cancel, so the issue occurs if the completion routine is running in parallel to an AIO cancel call coming from the FFS application. As the completion call frees the USB request (io_data->req) the FFS application is also referencing it for the usb_ep_dequeue() call. This can lead to accessing a stale/hanging pointer.

commit b566d38857fc ("usb: gadget: f_fs: use io_data->status consistently") relocated the usb_ep_free_request() into ffs_epfile_async_io_complete(). However, in order to properly implement locking to mitigate this issue, the spinlock can't be added to ffs_epfile_async_io_complete(), as usb_ep_dequeue() (if successfully dequeuing a USB request) will call the function driver's completion handler in the same context. Hence, leading into a deadlock.

Fix this issue by moving the usb_ep_free_request() back to ffs_user_copy_worker(), and ensuring that it explicitly sets io_data->req to NULL after freeing it within the ffs->eps_lock. This resolves the race condition above, as the ffs_aio_cancel() routine will not continue attempting to dequeue a request that has already been freed, or the ffs_user_copy_work() not freeing the USB request until the AIO cancel is done referencing it.

This fix depends on commit b566d38857fc ("usb: gadget: f_fs: use io_data->status consistently")

Related Files

Ubuntu Security Notice USN-7009-1
Posted Sep 13, 2024
Authored by Ubuntu | Site security.ubuntu.com

Ubuntu Security Notice 7009-1 - Chenyuan Yang discovered that the CEC driver in the Linux kernel contained a use-after-free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. Chenyuan Yang discovered that the USB Gadget subsystem in the Linux kernel did not properly check for the device to be enabled before writing. A local attacker could possibly use this to cause a denial of service.

tags | advisory, denial of service, arbitrary, kernel, local
systems | linux, ubuntu
advisories | CVE-2022-48772, CVE-2024-23848, CVE-2024-25741, CVE-2024-31076, CVE-2024-33847, CVE-2024-34027, CVE-2024-34777, CVE-2024-35247, CVE-2024-36015, CVE-2024-36032, CVE-2024-36270, CVE-2024-36489, CVE-2024-36894, CVE-2024-36971
SHA-256 | 5b612a46c804c77ac14a7809a47fec0de9fff4a8a6439f91a0d5ad4c32a28058

Ubuntu Security Notice USN-7007-1
Posted Sep 13, 2024
Authored by Ubuntu | Site security.ubuntu.com

Ubuntu Security Notice 7007-1 - Chenyuan Yang discovered that the CEC driver in the Linux kernel contained a use-after-free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. Chenyuan Yang discovered that the USB Gadget subsystem in the Linux kernel did not properly check for the device to be enabled before writing. A local attacker could possibly use this to cause a denial of service.

tags | advisory, denial of service, arbitrary, kernel, local
systems | linux, ubuntu
advisories | CVE-2022-48772, CVE-2023-52884, CVE-2023-52887, CVE-2024-23848, CVE-2024-25741, CVE-2024-33847, CVE-2024-34027, CVE-2024-34777, CVE-2024-36014, CVE-2024-36032, CVE-2024-36286, CVE-2024-36894, CVE-2024-36972, CVE-2024-36974
SHA-256 | 75288876207886b7f55abdb86b7b5aacd443455c1c45a71b584458933c8c5632

Ubuntu Security Notice USN-7006-1
Posted Sep 12, 2024
Authored by Ubuntu | Site security.ubuntu.com

Ubuntu Security Notice 7006-1 - It was discovered that a race condition existed in the Bluetooth subsystem in the Linux kernel, leading to a null pointer dereference vulnerability. A privileged local attacker could use this to possibly cause a denial of service. It was discovered that the JFS file system contained an out-of-bounds read vulnerability when printing xattr debug information. A local attacker could use this to cause a denial of service.

tags | advisory, denial of service, kernel, local
systems | linux, ubuntu
advisories | CVE-2021-46926, CVE-2023-52803, CVE-2023-52887, CVE-2024-24860, CVE-2024-26830, CVE-2024-26921, CVE-2024-26929, CVE-2024-36894, CVE-2024-36901, CVE-2024-36978, CVE-2024-37078, CVE-2024-39469, CVE-2024-39484, CVE-2024-39487
SHA-256 | bfa1f853c40c5f477c198c988120fbd6fe68320fbaf6055c26d7c823fb626082

Debian Security Advisory 5731-1
Posted Jul 17, 2024
Authored by Debian | Site debian.org

Debian Linux Security Advisory 5731-1 - Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

tags | advisory, denial of service, kernel, vulnerability
systems | linux, debian
advisories | CVE-2023-52760, CVE-2024-25741, CVE-2024-27397, CVE-2024-36894, CVE-2024-36973, CVE-2024-36978, CVE-2024-37078, CVE-2024-38619, CVE-2024-39298, CVE-2024-39371, CVE-2024-39469, CVE-2024-39474, CVE-2024-39484, CVE-2024-39487
SHA-256 | 4367b93fd0ea16ab18f88c7940aa8c04d71f1deff307e3acccab8066e254073c
© 2024 Packet Storm. All rights reserved.
