CVE-2024-36894 - Vulnerability Details

Vendors	Products
Linux	Linux Kernel

Link	Providers
https://git.kernel.org/stable/c/24729b307eefcd7c476065cd7351c1a018082c19
https://git.kernel.org/stable/c/3613e5023f09b3308545e9d1acda86017ebd418a
https://git.kernel.org/stable/c/73c05ad46bb4fbbdb346004651576d1c8dbcffbb
https://git.kernel.org/stable/c/9e72ef59cbe61cd1243857a6418ca92104275867
https://git.kernel.org/stable/c/a0fdccb1c9e027e3195f947f61aa87d6d0d2ea14
https://git.kernel.org/stable/c/d7461830823242702f5d84084bcccb25159003f4
https://git.kernel.org/stable/c/e500b1c4e29ad0bd1c1332a1eaea2913627a92dd
https://git.kernel.org/stable/c/f71a53148ce34898fef099b75386a3a9f4449311
https://lore.kernel.org/linux-cve-announce/2024053034-CVE-2024-36894-b44b@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2024-36894
https://www.cve.org/CVERecord?id=CVE-2024-36894

Type	Values Removed	Values Added
CPEs		cpe:2.3:o:linux:linux_kernel:::::::: cpe:2.3:o:linux:linux_kernel:6.9:rc1:::::: cpe:2.3:o:linux:linux_kernel:6.9:rc2:::::: cpe:2.3:o:linux:linux_kernel:6.9:rc3:::::: cpe:2.3:o:linux:linux_kernel:6.9:rc4:::::: cpe:2.3:o:linux:linux_kernel:6.9:rc5:::::: cpe:2.3:o:linux:linux_kernel:6.9:rc6::::::

Type	Values Removed	Values Added
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel:-:::::::*
Vendors & Products		Linux Linux linux Kernel
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Show plain JSON

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-36894", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-05-30T15:25:07.066Z", "datePublished": "2024-05-30T15:28:59.689Z", "dateUpdated": "2024-12-19T09:01:32.976Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-12-19T09:01:32.976Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: f_fs: Fix race between aio_cancel() and AIO request complete\n\nFFS based applications can utilize the aio_cancel() callback to dequeue\npending USB requests submitted to the UDC.  There is a scenario where the\nFFS application issues an AIO cancel call, while the UDC is handling a\nsoft disconnect.  For a DWC3 based implementation, the callstack looks\nlike the following:\n\n    DWC3 Gadget                               FFS Application\ndwc3_gadget_soft_disconnect()              ...\n  --> dwc3_stop_active_transfers()\n    --> dwc3_gadget_giveback(-ESHUTDOWN)\n      --> ffs_epfile_async_io_complete()   ffs_aio_cancel()\n        --> usb_ep_free_request()            --> usb_ep_dequeue()\n\nThere is currently no locking implemented between the AIO completion\nhandler and AIO cancel, so the issue occurs if the completion routine is\nrunning in parallel to an AIO cancel call coming from the FFS application.\nAs the completion call frees the USB request (io_data->req) the FFS\napplication is also referencing it for the usb_ep_dequeue() call.  This can\nlead to accessing a stale/hanging pointer.\n\ncommit b566d38857fc (\"usb: gadget: f_fs: use io_data->status consistently\")\nrelocated the usb_ep_free_request() into ffs_epfile_async_io_complete().\nHowever, in order to properly implement locking to mitigate this issue, the\nspinlock can't be added to ffs_epfile_async_io_complete(), as\nusb_ep_dequeue() (if successfully dequeuing a USB request) will call the\nfunction driver's completion handler in the same context.  Hence, leading\ninto a deadlock.\n\nFix this issue by moving the usb_ep_free_request() back to\nffs_user_copy_worker(), and ensuring that it explicitly sets io_data->req\nto NULL after freeing it within the ffs->eps_lock.  This resolves the race\ncondition above, as the ffs_aio_cancel() routine will not continue\nattempting to dequeue a request that has already been freed, or the\nffs_user_copy_work() not freeing the USB request until the AIO cancel is\ndone referencing it.\n\nThis fix depends on\n  commit b566d38857fc (\"usb: gadget: f_fs: use io_data->status\n  consistently\")"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/usb/gadget/function/f_fs.c"], "versions": [{"version": "2e4c7553cd6f9c68bb741582dcb614edcbeca70f", "lessThan": "f71a53148ce34898fef099b75386a3a9f4449311", "status": "affected", "versionType": "git"}, {"version": "2e4c7553cd6f9c68bb741582dcb614edcbeca70f", "lessThan": "9e72ef59cbe61cd1243857a6418ca92104275867", "status": "affected", "versionType": "git"}, {"version": "2e4c7553cd6f9c68bb741582dcb614edcbeca70f", "lessThan": "e500b1c4e29ad0bd1c1332a1eaea2913627a92dd", "status": "affected", "versionType": "git"}, {"version": "2e4c7553cd6f9c68bb741582dcb614edcbeca70f", "lessThan": "3613e5023f09b3308545e9d1acda86017ebd418a", "status": "affected", "versionType": "git"}, {"version": "2e4c7553cd6f9c68bb741582dcb614edcbeca70f", "lessThan": "a0fdccb1c9e027e3195f947f61aa87d6d0d2ea14", "status": "affected", "versionType": "git"}, {"version": "2e4c7553cd6f9c68bb741582dcb614edcbeca70f", "lessThan": "73c05ad46bb4fbbdb346004651576d1c8dbcffbb", "status": "affected", "versionType": "git"}, {"version": "2e4c7553cd6f9c68bb741582dcb614edcbeca70f", "lessThan": "d7461830823242702f5d84084bcccb25159003f4", "status": "affected", "versionType": "git"}, {"version": "2e4c7553cd6f9c68bb741582dcb614edcbeca70f", "lessThan": "24729b307eefcd7c476065cd7351c1a018082c19", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/usb/gadget/function/f_fs.c"], "versions": [{"version": "3.15", "status": "affected"}, {"version": "0", "lessThan": "3.15", "status": "unaffected", "versionType": "semver"}, {"version": "4.19.317", "lessThanOrEqual": "4.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.4.279", "lessThanOrEqual": "5.4.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.221", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.162", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.95", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.31", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.8.10", "lessThanOrEqual": "6.8.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.9", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "references": [{"url": "https://git.kernel.org/stable/c/f71a53148ce34898fef099b75386a3a9f4449311"}, {"url": "https://git.kernel.org/stable/c/9e72ef59cbe61cd1243857a6418ca92104275867"}, {"url": "https://git.kernel.org/stable/c/e500b1c4e29ad0bd1c1332a1eaea2913627a92dd"}, {"url": "https://git.kernel.org/stable/c/3613e5023f09b3308545e9d1acda86017ebd418a"}, {"url": "https://git.kernel.org/stable/c/a0fdccb1c9e027e3195f947f61aa87d6d0d2ea14"}, {"url": "https://git.kernel.org/stable/c/73c05ad46bb4fbbdb346004651576d1c8dbcffbb"}, {"url": "https://git.kernel.org/stable/c/d7461830823242702f5d84084bcccb25159003f4"}, {"url": "https://git.kernel.org/stable/c/24729b307eefcd7c476065cd7351c1a018082c19"}], "title": "usb: gadget: f_fs: Fix race between aio_cancel() and AIO request complete", "x_generator": {"engine": "bippy-5f407fcff5a0"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-362", "lang": "en", "description": "CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')"}]}], "affected": [{"vendor": "linux", "product": "linux_kernel", "cpes": ["cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "2e4c7553cd6f", "status": "affected", "lessThan": "73c05ad46bb4", "versionType": "custom"}]}, {"vendor": "linux", "product": "linux_kernel", "cpes": ["cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "2e4c7553cd6f", "status": "affected", "lessThan": "d74618308232", "versionType": "custom"}]}, {"vendor": "linux", "product": "linux_kernel", "cpes": ["cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "2e4c7553cd6f", "status": "affected", "lessThan": "24729b307eef", "versionType": "custom"}, {"version": "2e4c7553cd6f", "status": "affected", "lessThan": "f71a53148ce3", "versionType": "custom"}, {"version": "2e4c7553cd6f", "status": "affected", "lessThan": "9e72ef59cbe6", "versionType": "custom"}, {"version": "2e4c7553cd6f", "status": "affected", "lessThan": "e500b1c4e29a", "versionType": "custom"}, {"version": "2e4c7553cd6f", "status": "affected", "lessThan": "3613e5023f09", "versionType": "custom"}, {"version": "2e4c7553cd6f", "status": "affected", "lessThan": "a0fdccb1c9e0", "versionType": "custom"}, {"version": "3.15", "status": "affected"}, {"version": "0", "status": "unaffected", "lessThan": "3.15", "versionType": "custom"}, {"version": "4.19.317", "status": "unaffected", "lessThanOrEqual": "4.20", "versionType": "custom"}, {"version": "5.4.279", "status": "unaffected", "lessThanOrEqual": "5.5", "versionType": "custom"}, {"version": "5.10.221", "status": "unaffected", "lessThanOrEqual": "5.11", "versionType": "custom"}, {"version": "5.15.162", "status": "unaffected", "lessThanOrEqual": "5.16", "versionType": "custom"}, {"version": "6.1.95", "status": "unaffected", "lessThanOrEqual": "6.2", "versionType": "custom"}, {"version": "6.6.31", "status": "unaffected", "lessThanOrEqual": "6.7", "versionType": "custom"}, {"version": "6.8.10", "status": "unaffected", "lessThanOrEqual": "6.9", "versionType": "custom"}, {"version": "6.9", "status": "unaffected", "lessThanOrEqual": "*", "versionType": "custom"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.6, "attackVector": "PHYSICAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:P/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2024-06-03T15:53:00.949597Z", "id": "CVE-2024-36894", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-21T16:17:27.715Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T03:43:49.884Z"}, "title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/f71a53148ce34898fef099b75386a3a9f4449311", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/9e72ef59cbe61cd1243857a6418ca92104275867", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/e500b1c4e29ad0bd1c1332a1eaea2913627a92dd", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/3613e5023f09b3308545e9d1acda86017ebd418a", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/a0fdccb1c9e027e3195f947f61aa87d6d0d2ea14", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/73c05ad46bb4fbbdb346004651576d1c8dbcffbb", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/d7461830823242702f5d84084bcccb25159003f4", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/24729b307eefcd7c476065cd7351c1a018082c19", "tags": ["x_transferred"]}]}]}}

{

dataType : CVE_RECORD (string)

dataVersion : 5.1 (string)

cveMetadata : { »

cveId : CVE-2024-36894 (string)

assignerOrgId : 416baaa9-dc9f-4396-8d5f-8c081fb06d67 (string)

state : PUBLISHED (string)

assignerShortName : Linux (string)

dateReserved : 2024-05-30T15:25:07.066Z (string)

datePublished : 2024-05-30T15:28:59.689Z (string)

dateUpdated : 2024-12-19T09:01:32.976Z (string)

}

containers : { »

cna : { »

providerMetadata : { »

orgId : 416baaa9-dc9f-4396-8d5f-8c081fb06d67 (string)

shortName : Linux (string)

dateUpdated : 2024-12-19T09:01:32.976Z (string)

}

descriptions : [ »

0 : { »

lang : en (string)

value : In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_fs: Fix race between aio_cancel() and AIO request complete FFS based applications can utilize the aio_cancel() callback to dequeue pending USB requests submitted to the UDC. There is a scenario where the FFS application issues an AIO cancel call, while the UDC is handling a soft disconnect. For a DWC3 based implementation, the callstack looks like the following: DWC3 Gadget FFS Application dwc3_gadget_soft_disconnect() ... --> dwc3_stop_active_transfers() --> dwc3_gadget_giveback(-ESHUTDOWN) --> ffs_epfile_async_io_complete() ffs_aio_cancel() --> usb_ep_free_request() --> usb_ep_dequeue() There is currently no locking implemented between the AIO completion handler and AIO cancel, so the issue occurs if the completion routine is running in parallel to an AIO cancel call coming from the FFS application. As the completion call frees the USB request (io_data->req) the FFS application is also referencing it for the usb_ep_dequeue() call. This can lead to accessing a stale/hanging pointer. commit b566d38857fc ("usb: gadget: f_fs: use io_data->status consistently") relocated the usb_ep_free_request() into ffs_epfile_async_io_complete(). However, in order to properly implement locking to mitigate this issue, the spinlock can't be added to ffs_epfile_async_io_complete(), as usb_ep_dequeue() (if successfully dequeuing a USB request) will call the function driver's completion handler in the same context. Hence, leading into a deadlock. Fix this issue by moving the usb_ep_free_request() back to ffs_user_copy_worker(), and ensuring that it explicitly sets io_data->req to NULL after freeing it within the ffs->eps_lock. This resolves the race condition above, as the ffs_aio_cancel() routine will not continue attempting to dequeue a request that has already been freed, or the ffs_user_copy_work() not freeing the USB request until the AIO cancel is done referencing it. This fix depends on commit b566d38857fc ("usb: gadget: f_fs: use io_data->status consistently") (string)

}

]

affected : [ »

0 : { »

product : Linux (string)

vendor : Linux (string)

defaultStatus : unaffected (string)

repo : https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git (string)

programFiles : [ »

0 : drivers/usb/gadget/function/f_fs.c (string)

]

versions : [ »

0 : { »

version : 2e4c7553cd6f9c68bb741582dcb614edcbeca70f (string)

lessThan : f71a53148ce34898fef099b75386a3a9f4449311 (string)

status : affected (string)

versionType : git (string)

}

1 : { »

version : 2e4c7553cd6f9c68bb741582dcb614edcbeca70f (string)

lessThan : 9e72ef59cbe61cd1243857a6418ca92104275867 (string)

status : affected (string)

versionType : git (string)

}

2 : { »

version : 2e4c7553cd6f9c68bb741582dcb614edcbeca70f (string)

lessThan : e500b1c4e29ad0bd1c1332a1eaea2913627a92dd (string)

status : affected (string)

versionType : git (string)

}

3 : { »

version : 2e4c7553cd6f9c68bb741582dcb614edcbeca70f (string)

lessThan : 3613e5023f09b3308545e9d1acda86017ebd418a (string)

status : affected (string)

versionType : git (string)

}

4 : { »

version : 2e4c7553cd6f9c68bb741582dcb614edcbeca70f (string)

lessThan : a0fdccb1c9e027e3195f947f61aa87d6d0d2ea14 (string)

status : affected (string)

versionType : git (string)

}

5 : { »

version : 2e4c7553cd6f9c68bb741582dcb614edcbeca70f (string)

lessThan : 73c05ad46bb4fbbdb346004651576d1c8dbcffbb (string)

status : affected (string)

versionType : git (string)

}

6 : { »

version : 2e4c7553cd6f9c68bb741582dcb614edcbeca70f (string)

lessThan : d7461830823242702f5d84084bcccb25159003f4 (string)

status : affected (string)

versionType : git (string)

}

7 : { »

version : 2e4c7553cd6f9c68bb741582dcb614edcbeca70f (string)

lessThan : 24729b307eefcd7c476065cd7351c1a018082c19 (string)

status : affected (string)

versionType : git (string)

}

]

}

1 : { »

product : Linux (string)

vendor : Linux (string)

defaultStatus : affected (string)

repo : https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git (string)

programFiles : [ »

0 : drivers/usb/gadget/function/f_fs.c (string)

]

versions : [ »

0 : { »

version : 3.15 (string)

status : affected (string)

}

1 : { »

version : 0 (string)

lessThan : 3.15 (string)

status : unaffected (string)

versionType : semver (string)

}

2 : { »

version : 4.19.317 (string)

lessThanOrEqual : 4.19.* (string)

status : unaffected (string)

versionType : semver (string)

}

3 : { »

version : 5.4.279 (string)

lessThanOrEqual : 5.4.* (string)

status : unaffected (string)

versionType : semver (string)

}

4 : { »

version : 5.10.221 (string)

lessThanOrEqual : 5.10.* (string)

status : unaffected (string)

versionType : semver (string)

}

5 : { »

version : 5.15.162 (string)

lessThanOrEqual : 5.15.* (string)

status : unaffected (string)

versionType : semver (string)

}

6 : { »

version : 6.1.95 (string)

lessThanOrEqual : 6.1.* (string)

status : unaffected (string)

versionType : semver (string)

}

7 : { »

version : 6.6.31 (string)

lessThanOrEqual : 6.6.* (string)

status : unaffected (string)

versionType : semver (string)

}

8 : { »

version : 6.8.10 (string)

lessThanOrEqual : 6.8.* (string)

status : unaffected (string)

versionType : semver (string)

}

9 : { »

version : 6.9 (string)

lessThanOrEqual : * (string)

status : unaffected (string)

versionType : original_commit_for_fix (string)

}

]

}

]

references : [ »

0 : { »

url : https://git.kernel.org/stable/c/f71a53148ce34898fef099b75386a3a9f4449311 (string)

}

1 : { »

url : https://git.kernel.org/stable/c/9e72ef59cbe61cd1243857a6418ca92104275867 (string)

}

2 : { »

url : https://git.kernel.org/stable/c/e500b1c4e29ad0bd1c1332a1eaea2913627a92dd (string)

}

3 : { »

url : https://git.kernel.org/stable/c/3613e5023f09b3308545e9d1acda86017ebd418a (string)

}

4 : { »

url : https://git.kernel.org/stable/c/a0fdccb1c9e027e3195f947f61aa87d6d0d2ea14 (string)

}

5 : { »

url : https://git.kernel.org/stable/c/73c05ad46bb4fbbdb346004651576d1c8dbcffbb (string)

}

6 : { »

url : https://git.kernel.org/stable/c/d7461830823242702f5d84084bcccb25159003f4 (string)

}

7 : { »

url : https://git.kernel.org/stable/c/24729b307eefcd7c476065cd7351c1a018082c19 (string)

}

]

title : usb: gadget: f_fs: Fix race between aio_cancel() and AIO request complete (string)

x_generator : { »

engine : bippy-5f407fcff5a0 (string)

}

adp : [ »

0 : { »

problemTypes : [ »

0 : { »

descriptions : [ »

0 : { »

type : CWE (string)

cweId : CWE-362 (string)

lang : en (string)

description : CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') (string)

}

]

}

]

affected : [ »

0 : { »

vendor : linux (string)

product : linux_kernel (string)

cpes : [ »

0 : cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:* (string)

]

defaultStatus : unknown (string)

versions : [ »

0 : { »

version : 2e4c7553cd6f (string)

status : affected (string)

lessThan : 73c05ad46bb4 (string)

versionType : custom (string)

}

]

}

1 : { »

vendor : linux (string)

product : linux_kernel (string)

cpes : [ »

0 : cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:* (string)

]

defaultStatus : unknown (string)

versions : [ »

0 : { »

version : 2e4c7553cd6f (string)

status : affected (string)

lessThan : d74618308232 (string)

versionType : custom (string)

}

]

}

2 : { »

vendor : linux (string)

product : linux_kernel (string)

cpes : [ »

0 : cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:* (string)

]

defaultStatus : unknown (string)

versions : [ »

0 : { »

version : 2e4c7553cd6f (string)

status : affected (string)

lessThan : 24729b307eef (string)

versionType : custom (string)

}

1 : { »

version : 2e4c7553cd6f (string)

status : affected (string)

lessThan : f71a53148ce3 (string)

versionType : custom (string)

}

2 : { »

version : 2e4c7553cd6f (string)

status : affected (string)

lessThan : 9e72ef59cbe6 (string)

versionType : custom (string)

}

3 : { »

version : 2e4c7553cd6f (string)

status : affected (string)

lessThan : e500b1c4e29a (string)

versionType : custom (string)

}

4 : { »

version : 2e4c7553cd6f (string)

status : affected (string)

lessThan : 3613e5023f09 (string)

versionType : custom (string)

}

5 : { »

version : 2e4c7553cd6f (string)

status : affected (string)

lessThan : a0fdccb1c9e0 (string)

versionType : custom (string)

}

6 : { »

version : 3.15 (string)

status : affected (string)

}

7 : { »

version : 0 (string)

status : unaffected (string)

lessThan : 3.15 (string)

versionType : custom (string)

}

8 : { »

version : 4.19.317 (string)

status : unaffected (string)

lessThanOrEqual : 4.20 (string)

versionType : custom (string)

}

9 : { »

version : 5.4.279 (string)

status : unaffected (string)

lessThanOrEqual : 5.5 (string)

versionType : custom (string)

}

10 : { »

version : 5.10.221 (string)

status : unaffected (string)

lessThanOrEqual : 5.11 (string)

versionType : custom (string)

}

11 : { »

version : 5.15.162 (string)

status : unaffected (string)

lessThanOrEqual : 5.16 (string)

versionType : custom (string)

}

12 : { »

version : 6.1.95 (string)

status : unaffected (string)

lessThanOrEqual : 6.2 (string)

versionType : custom (string)

}

13 : { »

version : 6.6.31 (string)

status : unaffected (string)

lessThanOrEqual : 6.7 (string)

versionType : custom (string)

}

14 : { »

version : 6.8.10 (string)

status : unaffected (string)

lessThanOrEqual : 6.9 (string)

versionType : custom (string)

}

15 : { »

version : 6.9 (string)

status : unaffected (string)

lessThanOrEqual : * (string)

versionType : custom (string)

}

]

}

]

metrics : [ »

0 : { »

cvssV3_1 : { »

scope : UNCHANGED (string)

version : 3.1 (string)

baseScore : 5.6 (number)

attackVector : PHYSICAL (string)

baseSeverity : MEDIUM (string)

vectorString : CVSS:3.1/AV:P/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:H (string)

integrityImpact : NONE (string)

userInteraction : NONE (string)

attackComplexity : HIGH (string)

availabilityImpact : HIGH (string)

privilegesRequired : LOW (string)

confidentialityImpact : HIGH (string)

}

1 : { »

other : { »

type : ssvc (string)

content : { »

timestamp : 2024-06-03T15:53:00.949597Z (string)

id : CVE-2024-36894 (string)

options : [ »

0 : { »

Exploitation : none (string)

}

1 : { »

Automatable : no (string)

}

2 : { »

Technical Impact : partial (string)

}

]

role : CISA Coordinator (string)

version : 2.0.3 (string)

}

]

title : CISA ADP Vulnrichment (string)

providerMetadata : { »

orgId : 134c704f-9b21-4f2e-91b3-4a467353bcc0 (string)

shortName : CISA-ADP (string)

dateUpdated : 2024-08-21T16:17:27.715Z (string)

}

1 : { »

providerMetadata : { »

orgId : af854a3a-2127-422b-91ae-364da2661108 (string)

shortName : CVE (string)

dateUpdated : 2024-08-02T03:43:49.884Z (string)

}

title : CVE Program Container (string)

references : [ »

0 : { »

url : https://git.kernel.org/stable/c/f71a53148ce34898fef099b75386a3a9f4449311 (string)

tags : [ »

0 : x_transferred (string)

]

}

1 : { »

url : https://git.kernel.org/stable/c/9e72ef59cbe61cd1243857a6418ca92104275867 (string)

tags : [ »

0 : x_transferred (string)

]

}

2 : { »

url : https://git.kernel.org/stable/c/e500b1c4e29ad0bd1c1332a1eaea2913627a92dd (string)

tags : [ »

0 : x_transferred (string)

]

}

3 : { »

url : https://git.kernel.org/stable/c/3613e5023f09b3308545e9d1acda86017ebd418a (string)

tags : [ »

0 : x_transferred (string)

]

}

4 : { »

url : https://git.kernel.org/stable/c/a0fdccb1c9e027e3195f947f61aa87d6d0d2ea14 (string)

tags : [ »

0 : x_transferred (string)

]

}

5 : { »

url : https://git.kernel.org/stable/c/73c05ad46bb4fbbdb346004651576d1c8dbcffbb (string)

tags : [ »

0 : x_transferred (string)

]

}

6 : { »

url : https://git.kernel.org/stable/c/d7461830823242702f5d84084bcccb25159003f4 (string)

tags : [ »

0 : x_transferred (string)

]

}

7 : { »

url : https://git.kernel.org/stable/c/24729b307eefcd7c476065cd7351c1a018082c19 (string)

tags : [ »

0 : x_transferred (string)

]

}

]

}

]

}

Show plain JSON

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/f71a53148ce34898fef099b75386a3a9f4449311", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/9e72ef59cbe61cd1243857a6418ca92104275867", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/e500b1c4e29ad0bd1c1332a1eaea2913627a92dd", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/3613e5023f09b3308545e9d1acda86017ebd418a", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/a0fdccb1c9e027e3195f947f61aa87d6d0d2ea14", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/73c05ad46bb4fbbdb346004651576d1c8dbcffbb", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/d7461830823242702f5d84084bcccb25159003f4", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/24729b307eefcd7c476065cd7351c1a018082c19", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T03:43:49.884Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.6, "attackVector": "PHYSICAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:P/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2024-36894", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-06-03T15:53:00.949597Z"}}}], "affected": [{"cpes": ["cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"], "vendor": "linux", "product": "linux_kernel", "versions": [{"status": "affected", "version": "2e4c7553cd6f", "lessThan": "73c05ad46bb4", "versionType": "custom"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"], "vendor": "linux", "product": "linux_kernel", "versions": [{"status": "affected", "version": "2e4c7553cd6f", "lessThan": "d74618308232", "versionType": "custom"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"], "vendor": "linux", "product": "linux_kernel", "versions": [{"status": "affected", "version": "2e4c7553cd6f", "lessThan": "24729b307eef", "versionType": "custom"}, {"status": "affected", "version": "2e4c7553cd6f", "lessThan": "f71a53148ce3", "versionType": "custom"}, {"status": "affected", "version": "2e4c7553cd6f", "lessThan": "9e72ef59cbe6", "versionType": "custom"}, {"status": "affected", "version": "2e4c7553cd6f", "lessThan": "e500b1c4e29a", "versionType": "custom"}, {"status": "affected", "version": "2e4c7553cd6f", "lessThan": "3613e5023f09", "versionType": "custom"}, {"status": "affected", "version": "2e4c7553cd6f", "lessThan": "a0fdccb1c9e0", "versionType": "custom"}, {"status": "affected", "version": "3.15"}, {"status": "unaffected", "version": "0", "lessThan": "3.15", "versionType": "custom"}, {"status": "unaffected", "version": "4.19.317", "versionType": "custom", "lessThanOrEqual": "4.20"}, {"status": "unaffected", "version": "5.4.279", "versionType": "custom", "lessThanOrEqual": "5.5"}, {"status": "unaffected", "version": "5.10.221", "versionType": "custom", "lessThanOrEqual": "5.11"}, {"status": "unaffected", "version": "5.15.162", "versionType": "custom", "lessThanOrEqual": "5.16"}, {"status": "unaffected", "version": "6.1.95", "versionType": "custom", "lessThanOrEqual": "6.2"}, {"status": "unaffected", "version": "6.6.31", "versionType": "custom", "lessThanOrEqual": "6.7"}, {"status": "unaffected", "version": "6.8.10", "versionType": "custom", "lessThanOrEqual": "6.9"}, {"status": "unaffected", "version": "6.9", "versionType": "custom", "lessThanOrEqual": "*"}], "defaultStatus": "unknown"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-362", "description": "CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-03T16:04:02.070Z"}}], "cna": {"title": "usb: gadget: f_fs: Fix race between aio_cancel() and AIO request complete", "affected": [{"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "2e4c7553cd6f9c68bb741582dcb614edcbeca70f", "lessThan": "f71a53148ce34898fef099b75386a3a9f4449311", "versionType": "git"}, {"status": "affected", "version": "2e4c7553cd6f9c68bb741582dcb614edcbeca70f", "lessThan": "9e72ef59cbe61cd1243857a6418ca92104275867", "versionType": "git"}, {"status": "affected", "version": "2e4c7553cd6f9c68bb741582dcb614edcbeca70f", "lessThan": "e500b1c4e29ad0bd1c1332a1eaea2913627a92dd", "versionType": "git"}, {"status": "affected", "version": "2e4c7553cd6f9c68bb741582dcb614edcbeca70f", "lessThan": "3613e5023f09b3308545e9d1acda86017ebd418a", "versionType": "git"}, {"status": "affected", "version": "2e4c7553cd6f9c68bb741582dcb614edcbeca70f", "lessThan": "a0fdccb1c9e027e3195f947f61aa87d6d0d2ea14", "versionType": "git"}, {"status": "affected", "version": "2e4c7553cd6f9c68bb741582dcb614edcbeca70f", "lessThan": "73c05ad46bb4fbbdb346004651576d1c8dbcffbb", "versionType": "git"}, {"status": "affected", "version": "2e4c7553cd6f9c68bb741582dcb614edcbeca70f", "lessThan": "d7461830823242702f5d84084bcccb25159003f4", "versionType": "git"}, {"status": "affected", "version": "2e4c7553cd6f9c68bb741582dcb614edcbeca70f", "lessThan": "24729b307eefcd7c476065cd7351c1a018082c19", "versionType": "git"}], "programFiles": ["drivers/usb/gadget/function/f_fs.c"], "defaultStatus": "unaffected"}, {"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "3.15"}, {"status": "unaffected", "version": "0", "lessThan": "3.15", "versionType": "semver"}, {"status": "unaffected", "version": "4.19.317", "versionType": "semver", "lessThanOrEqual": "4.19.*"}, {"status": "unaffected", "version": "5.4.279", "versionType": "semver", "lessThanOrEqual": "5.4.*"}, {"status": "unaffected", "version": "5.10.221", "versionType": "semver", "lessThanOrEqual": "5.10.*"}, {"status": "unaffected", "version": "5.15.162", "versionType": "semver", "lessThanOrEqual": "5.15.*"}, {"status": "unaffected", "version": "6.1.95", "versionType": "semver", "lessThanOrEqual": "6.1.*"}, {"status": "unaffected", "version": "6.6.31", "versionType": "semver", "lessThanOrEqual": "6.6.*"}, {"status": "unaffected", "version": "6.8.10", "versionType": "semver", "lessThanOrEqual": "6.8.*"}, {"status": "unaffected", "version": "6.9", "versionType": "original_commit_for_fix", "lessThanOrEqual": "*"}], "programFiles": ["drivers/usb/gadget/function/f_fs.c"], "defaultStatus": "affected"}], "references": [{"url": "https://git.kernel.org/stable/c/f71a53148ce34898fef099b75386a3a9f4449311"}, {"url": "https://git.kernel.org/stable/c/9e72ef59cbe61cd1243857a6418ca92104275867"}, {"url": "https://git.kernel.org/stable/c/e500b1c4e29ad0bd1c1332a1eaea2913627a92dd"}, {"url": "https://git.kernel.org/stable/c/3613e5023f09b3308545e9d1acda86017ebd418a"}, {"url": "https://git.kernel.org/stable/c/a0fdccb1c9e027e3195f947f61aa87d6d0d2ea14"}, {"url": "https://git.kernel.org/stable/c/73c05ad46bb4fbbdb346004651576d1c8dbcffbb"}, {"url": "https://git.kernel.org/stable/c/d7461830823242702f5d84084bcccb25159003f4"}, {"url": "https://git.kernel.org/stable/c/24729b307eefcd7c476065cd7351c1a018082c19"}], "x_generator": {"engine": "bippy-5f407fcff5a0"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: f_fs: Fix race between aio_cancel() and AIO request complete\n\nFFS based applications can utilize the aio_cancel() callback to dequeue\npending USB requests submitted to the UDC.  There is a scenario where the\nFFS application issues an AIO cancel call, while the UDC is handling a\nsoft disconnect.  For a DWC3 based implementation, the callstack looks\nlike the following:\n\n    DWC3 Gadget                               FFS Application\ndwc3_gadget_soft_disconnect()              ...\n  --> dwc3_stop_active_transfers()\n    --> dwc3_gadget_giveback(-ESHUTDOWN)\n      --> ffs_epfile_async_io_complete()   ffs_aio_cancel()\n        --> usb_ep_free_request()            --> usb_ep_dequeue()\n\nThere is currently no locking implemented between the AIO completion\nhandler and AIO cancel, so the issue occurs if the completion routine is\nrunning in parallel to an AIO cancel call coming from the FFS application.\nAs the completion call frees the USB request (io_data->req) the FFS\napplication is also referencing it for the usb_ep_dequeue() call.  This can\nlead to accessing a stale/hanging pointer.\n\ncommit b566d38857fc (\"usb: gadget: f_fs: use io_data->status consistently\")\nrelocated the usb_ep_free_request() into ffs_epfile_async_io_complete().\nHowever, in order to properly implement locking to mitigate this issue, the\nspinlock can't be added to ffs_epfile_async_io_complete(), as\nusb_ep_dequeue() (if successfully dequeuing a USB request) will call the\nfunction driver's completion handler in the same context.  Hence, leading\ninto a deadlock.\n\nFix this issue by moving the usb_ep_free_request() back to\nffs_user_copy_worker(), and ensuring that it explicitly sets io_data->req\nto NULL after freeing it within the ffs->eps_lock.  This resolves the race\ncondition above, as the ffs_aio_cancel() routine will not continue\nattempting to dequeue a request that has already been freed, or the\nffs_user_copy_work() not freeing the USB request until the AIO cancel is\ndone referencing it.\n\nThis fix depends on\n  commit b566d38857fc (\"usb: gadget: f_fs: use io_data->status\n  consistently\")"}], "providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-12-19T09:01:32.976Z"}}}, "cveMetadata": {"cveId": "CVE-2024-36894", "state": "PUBLISHED", "dateUpdated": "2024-12-19T09:01:32.976Z", "dateReserved": "2024-05-30T15:25:07.066Z", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "datePublished": "2024-05-30T15:28:59.689Z", "assignerShortName": "Linux"}, "dataVersion": "5.1"}

{

dataType : CVE_RECORD (string)

containers : { »

adp : [ »

0 : { »

title : CVE Program Container (string)

references : [ »

0 : { »

url : https://git.kernel.org/stable/c/f71a53148ce34898fef099b75386a3a9f4449311 (string)

tags : [ »

0 : x_transferred (string)

]

}

1 : { »

url : https://git.kernel.org/stable/c/9e72ef59cbe61cd1243857a6418ca92104275867 (string)

tags : [ »

0 : x_transferred (string)

]

}

2 : { »

url : https://git.kernel.org/stable/c/e500b1c4e29ad0bd1c1332a1eaea2913627a92dd (string)

tags : [ »

0 : x_transferred (string)

]

}

3 : { »

url : https://git.kernel.org/stable/c/3613e5023f09b3308545e9d1acda86017ebd418a (string)

tags : [ »

0 : x_transferred (string)

]

}

4 : { »

url : https://git.kernel.org/stable/c/a0fdccb1c9e027e3195f947f61aa87d6d0d2ea14 (string)

tags : [ »

0 : x_transferred (string)

]

}

5 : { »

url : https://git.kernel.org/stable/c/73c05ad46bb4fbbdb346004651576d1c8dbcffbb (string)

tags : [ »

0 : x_transferred (string)

]

}

6 : { »

url : https://git.kernel.org/stable/c/d7461830823242702f5d84084bcccb25159003f4 (string)

tags : [ »

0 : x_transferred (string)

]

}

7 : { »

url : https://git.kernel.org/stable/c/24729b307eefcd7c476065cd7351c1a018082c19 (string)

tags : [ »

0 : x_transferred (string)

]

}

]

providerMetadata : { »

orgId : af854a3a-2127-422b-91ae-364da2661108 (string)

shortName : CVE (string)

dateUpdated : 2024-08-02T03:43:49.884Z (string)

}

1 : { »

title : CISA ADP Vulnrichment (string)

metrics : [ »

0 : { »

cvssV3_1 : { »

scope : UNCHANGED (string)

version : 3.1 (string)

baseScore : 5.6 (number)

attackVector : PHYSICAL (string)

baseSeverity : MEDIUM (string)

vectorString : CVSS:3.1/AV:P/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:H (string)

integrityImpact : NONE (string)

userInteraction : NONE (string)

attackComplexity : HIGH (string)

availabilityImpact : HIGH (string)

privilegesRequired : LOW (string)

confidentialityImpact : HIGH (string)

}

1 : { »

other : { »

type : ssvc (string)

content : { »

id : CVE-2024-36894 (string)

role : CISA Coordinator (string)

options : [ »

0 : { »

Exploitation : none (string)

}

1 : { »

Automatable : no (string)

}

2 : { »

Technical Impact : partial (string)

}

]

version : 2.0.3 (string)

timestamp : 2024-06-03T15:53:00.949597Z (string)

}

]

affected : [ »

0 : { »

cpes : [ »

0 : cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:* (string)

]

vendor : linux (string)

product : linux_kernel (string)

versions : [ »

0 : { »

status : affected (string)

version : 2e4c7553cd6f (string)

lessThan : 73c05ad46bb4 (string)

versionType : custom (string)

}

]

defaultStatus : unknown (string)

}

1 : { »

cpes : [ »

0 : cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:* (string)

]

vendor : linux (string)

product : linux_kernel (string)

versions : [ »

0 : { »

status : affected (string)

version : 2e4c7553cd6f (string)

lessThan : d74618308232 (string)

versionType : custom (string)

}

]

defaultStatus : unknown (string)

}

2 : { »

cpes : [ »

0 : cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:* (string)

]

vendor : linux (string)

product : linux_kernel (string)

versions : [ »

0 : { »

status : affected (string)

version : 2e4c7553cd6f (string)

lessThan : 24729b307eef (string)

versionType : custom (string)

}

1 : { »

status : affected (string)

version : 2e4c7553cd6f (string)

lessThan : f71a53148ce3 (string)

versionType : custom (string)

}

2 : { »

status : affected (string)

version : 2e4c7553cd6f (string)

lessThan : 9e72ef59cbe6 (string)

versionType : custom (string)

}

3 : { »

status : affected (string)

version : 2e4c7553cd6f (string)

lessThan : e500b1c4e29a (string)

versionType : custom (string)

}

4 : { »

status : affected (string)

version : 2e4c7553cd6f (string)

lessThan : 3613e5023f09 (string)

versionType : custom (string)

}

5 : { »

status : affected (string)

version : 2e4c7553cd6f (string)

lessThan : a0fdccb1c9e0 (string)

versionType : custom (string)

}

6 : { »

status : affected (string)

version : 3.15 (string)

}

7 : { »

status : unaffected (string)

version : 0 (string)

lessThan : 3.15 (string)

versionType : custom (string)

}

8 : { »

status : unaffected (string)

version : 4.19.317 (string)

versionType : custom (string)

lessThanOrEqual : 4.20 (string)

}

9 : { »

status : unaffected (string)

version : 5.4.279 (string)

versionType : custom (string)

lessThanOrEqual : 5.5 (string)

}

10 : { »

status : unaffected (string)

version : 5.10.221 (string)

versionType : custom (string)

lessThanOrEqual : 5.11 (string)

}

11 : { »

status : unaffected (string)

version : 5.15.162 (string)

versionType : custom (string)

lessThanOrEqual : 5.16 (string)

}

12 : { »

status : unaffected (string)

version : 6.1.95 (string)

versionType : custom (string)

lessThanOrEqual : 6.2 (string)

}

13 : { »

status : unaffected (string)

version : 6.6.31 (string)

versionType : custom (string)

lessThanOrEqual : 6.7 (string)

}

14 : { »

status : unaffected (string)

version : 6.8.10 (string)

versionType : custom (string)

lessThanOrEqual : 6.9 (string)

}

15 : { »

status : unaffected (string)

version : 6.9 (string)

versionType : custom (string)

lessThanOrEqual : * (string)

}

]

defaultStatus : unknown (string)

}

]

problemTypes : [ »

0 : { »

descriptions : [ »

0 : { »

lang : en (string)

type : CWE (string)

cweId : CWE-362 (string)

description : CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') (string)

}

]

}

]

providerMetadata : { »

orgId : 134c704f-9b21-4f2e-91b3-4a467353bcc0 (string)

shortName : CISA-ADP (string)

dateUpdated : 2024-06-03T16:04:02.070Z (string)

}

]

cna : { »

title : usb: gadget: f_fs: Fix race between aio_cancel() and AIO request complete (string)

affected : [ »

0 : { »

repo : https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git (string)

vendor : Linux (string)

product : Linux (string)

versions : [ »

0 : { »

status : affected (string)

version : 2e4c7553cd6f9c68bb741582dcb614edcbeca70f (string)

lessThan : f71a53148ce34898fef099b75386a3a9f4449311 (string)

versionType : git (string)

}

1 : { »

status : affected (string)

version : 2e4c7553cd6f9c68bb741582dcb614edcbeca70f (string)

lessThan : 9e72ef59cbe61cd1243857a6418ca92104275867 (string)

versionType : git (string)

}

2 : { »

status : affected (string)

version : 2e4c7553cd6f9c68bb741582dcb614edcbeca70f (string)

lessThan : e500b1c4e29ad0bd1c1332a1eaea2913627a92dd (string)

versionType : git (string)

}

3 : { »

status : affected (string)

version : 2e4c7553cd6f9c68bb741582dcb614edcbeca70f (string)

lessThan : 3613e5023f09b3308545e9d1acda86017ebd418a (string)

versionType : git (string)

}

4 : { »

status : affected (string)

version : 2e4c7553cd6f9c68bb741582dcb614edcbeca70f (string)

lessThan : a0fdccb1c9e027e3195f947f61aa87d6d0d2ea14 (string)

versionType : git (string)

}

5 : { »

status : affected (string)

version : 2e4c7553cd6f9c68bb741582dcb614edcbeca70f (string)

lessThan : 73c05ad46bb4fbbdb346004651576d1c8dbcffbb (string)

versionType : git (string)

}

6 : { »

status : affected (string)

version : 2e4c7553cd6f9c68bb741582dcb614edcbeca70f (string)

lessThan : d7461830823242702f5d84084bcccb25159003f4 (string)

versionType : git (string)

}

7 : { »

status : affected (string)

version : 2e4c7553cd6f9c68bb741582dcb614edcbeca70f (string)

lessThan : 24729b307eefcd7c476065cd7351c1a018082c19 (string)

versionType : git (string)

}

]

programFiles : [ »

0 : drivers/usb/gadget/function/f_fs.c (string)

]

defaultStatus : unaffected (string)

}

1 : { »

repo : https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git (string)

vendor : Linux (string)

product : Linux (string)

versions : [ »

0 : { »

status : affected (string)

version : 3.15 (string)

}

1 : { »

status : unaffected (string)

version : 0 (string)

lessThan : 3.15 (string)

versionType : semver (string)

}

2 : { »

status : unaffected (string)

version : 4.19.317 (string)

versionType : semver (string)

lessThanOrEqual : 4.19.* (string)

}

3 : { »

status : unaffected (string)

version : 5.4.279 (string)

versionType : semver (string)

lessThanOrEqual : 5.4.* (string)

}

4 : { »

status : unaffected (string)

version : 5.10.221 (string)

versionType : semver (string)

lessThanOrEqual : 5.10.* (string)

}

5 : { »

status : unaffected (string)

version : 5.15.162 (string)

versionType : semver (string)

lessThanOrEqual : 5.15.* (string)

}

6 : { »

status : unaffected (string)

version : 6.1.95 (string)

versionType : semver (string)

lessThanOrEqual : 6.1.* (string)

}

7 : { »

status : unaffected (string)

version : 6.6.31 (string)

versionType : semver (string)

lessThanOrEqual : 6.6.* (string)

}

8 : { »

status : unaffected (string)

version : 6.8.10 (string)

versionType : semver (string)

lessThanOrEqual : 6.8.* (string)

}

9 : { »

status : unaffected (string)

version : 6.9 (string)

versionType : original_commit_for_fix (string)

lessThanOrEqual : * (string)

}

]

programFiles : [ »

0 : drivers/usb/gadget/function/f_fs.c (string)

]

defaultStatus : affected (string)

}

]

references : [ »

0 : { »

url : https://git.kernel.org/stable/c/f71a53148ce34898fef099b75386a3a9f4449311 (string)

}

1 : { »

url : https://git.kernel.org/stable/c/9e72ef59cbe61cd1243857a6418ca92104275867 (string)

}

2 : { »

url : https://git.kernel.org/stable/c/e500b1c4e29ad0bd1c1332a1eaea2913627a92dd (string)

}

3 : { »

url : https://git.kernel.org/stable/c/3613e5023f09b3308545e9d1acda86017ebd418a (string)

}

4 : { »

url : https://git.kernel.org/stable/c/a0fdccb1c9e027e3195f947f61aa87d6d0d2ea14 (string)

}

5 : { »

url : https://git.kernel.org/stable/c/73c05ad46bb4fbbdb346004651576d1c8dbcffbb (string)

}

6 : { »

url : https://git.kernel.org/stable/c/d7461830823242702f5d84084bcccb25159003f4 (string)

}

7 : { »

url : https://git.kernel.org/stable/c/24729b307eefcd7c476065cd7351c1a018082c19 (string)

}

]

x_generator : { »

engine : bippy-5f407fcff5a0 (string)

}

descriptions : [ »

0 : { »

lang : en (string)

value : In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_fs: Fix race between aio_cancel() and AIO request complete FFS based applications can utilize the aio_cancel() callback to dequeue pending USB requests submitted to the UDC. There is a scenario where the FFS application issues an AIO cancel call, while the UDC is handling a soft disconnect. For a DWC3 based implementation, the callstack looks like the following: DWC3 Gadget FFS Application dwc3_gadget_soft_disconnect() ... --> dwc3_stop_active_transfers() --> dwc3_gadget_giveback(-ESHUTDOWN) --> ffs_epfile_async_io_complete() ffs_aio_cancel() --> usb_ep_free_request() --> usb_ep_dequeue() There is currently no locking implemented between the AIO completion handler and AIO cancel, so the issue occurs if the completion routine is running in parallel to an AIO cancel call coming from the FFS application. As the completion call frees the USB request (io_data->req) the FFS application is also referencing it for the usb_ep_dequeue() call. This can lead to accessing a stale/hanging pointer. commit b566d38857fc ("usb: gadget: f_fs: use io_data->status consistently") relocated the usb_ep_free_request() into ffs_epfile_async_io_complete(). However, in order to properly implement locking to mitigate this issue, the spinlock can't be added to ffs_epfile_async_io_complete(), as usb_ep_dequeue() (if successfully dequeuing a USB request) will call the function driver's completion handler in the same context. Hence, leading into a deadlock. Fix this issue by moving the usb_ep_free_request() back to ffs_user_copy_worker(), and ensuring that it explicitly sets io_data->req to NULL after freeing it within the ffs->eps_lock. This resolves the race condition above, as the ffs_aio_cancel() routine will not continue attempting to dequeue a request that has already been freed, or the ffs_user_copy_work() not freeing the USB request until the AIO cancel is done referencing it. This fix depends on commit b566d38857fc ("usb: gadget: f_fs: use io_data->status consistently") (string)

}

]

providerMetadata : { »

orgId : 416baaa9-dc9f-4396-8d5f-8c081fb06d67 (string)

shortName : Linux (string)

dateUpdated : 2024-12-19T09:01:32.976Z (string)

}

cveMetadata : { »

cveId : CVE-2024-36894 (string)

state : PUBLISHED (string)

dateUpdated : 2024-12-19T09:01:32.976Z (string)

dateReserved : 2024-05-30T15:25:07.066Z (string)

assignerOrgId : 416baaa9-dc9f-4396-8d5f-8c081fb06d67 (string)

datePublished : 2024-05-30T15:28:59.689Z (string)

assignerShortName : Linux (string)

}

dataVersion : 5.1 (string)

}

Show plain JSON

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "60021762-BA95-4C90-A0C7-9570F479FFCA", "versionEndExcluding": "4.19.317", "versionStartIncluding": "3.15", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "F4E38E58-1B9F-4DF2-AD3D-A8BEAA2959D8", "versionEndExcluding": "5.4.279", "versionStartIncluding": "4.20", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "659E1520-6345-41AF-B893-A7C0647585A0", "versionEndExcluding": "5.10.221", "versionStartIncluding": "5.5", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "10A39ACC-3005-40E8-875C-98A372D1FFD5", "versionEndExcluding": "5.15.162", "versionStartIncluding": "5.11", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "D435765D-2766-44F5-B319-F713A13E35CE", "versionEndExcluding": "6.1.95", "versionStartIncluding": "5.16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "CDDB1F69-36AC-41C1-9192-E7CCEF5FFC00", "versionEndExcluding": "6.6.31", "versionStartIncluding": "6.2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "6A6B920C-8D8F-4130-86B4-AD334F4CF2E3", "versionEndExcluding": "6.8.10", "versionStartIncluding": "6.7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.9:rc1:*:*:*:*:*:*", "matchCriteriaId": "22BEDD49-2C6D-402D-9DBF-6646F6ECD10B", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.9:rc2:*:*:*:*:*:*", "matchCriteriaId": "DF73CB2A-DFFD-46FB-9BFE-AA394F27EA37", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.9:rc3:*:*:*:*:*:*", "matchCriteriaId": "52048DDA-FC5A-4363-95A0-A6357B4D7F8C", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.9:rc4:*:*:*:*:*:*", "matchCriteriaId": "A06B2CCF-3F43-4FA9-8773-C83C3F5764B2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.9:rc5:*:*:*:*:*:*", "matchCriteriaId": "F850DCEC-E08B-4317-A33B-D2DCF39F601B", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.9:rc6:*:*:*:*:*:*", "matchCriteriaId": "91326417-E981-482E-A5A3-28BC1327521B", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: f_fs: Fix race between aio_cancel() and AIO request complete\n\nFFS based applications can utilize the aio_cancel() callback to dequeue\npending USB requests submitted to the UDC.  There is a scenario where the\nFFS application issues an AIO cancel call, while the UDC is handling a\nsoft disconnect.  For a DWC3 based implementation, the callstack looks\nlike the following:\n\n    DWC3 Gadget                               FFS Application\ndwc3_gadget_soft_disconnect()              ...\n  --> dwc3_stop_active_transfers()\n    --> dwc3_gadget_giveback(-ESHUTDOWN)\n      --> ffs_epfile_async_io_complete()   ffs_aio_cancel()\n        --> usb_ep_free_request()            --> usb_ep_dequeue()\n\nThere is currently no locking implemented between the AIO completion\nhandler and AIO cancel, so the issue occurs if the completion routine is\nrunning in parallel to an AIO cancel call coming from the FFS application.\nAs the completion call frees the USB request (io_data->req) the FFS\napplication is also referencing it for the usb_ep_dequeue() call.  This can\nlead to accessing a stale/hanging pointer.\n\ncommit b566d38857fc (\"usb: gadget: f_fs: use io_data->status consistently\")\nrelocated the usb_ep_free_request() into ffs_epfile_async_io_complete().\nHowever, in order to properly implement locking to mitigate this issue, the\nspinlock can't be added to ffs_epfile_async_io_complete(), as\nusb_ep_dequeue() (if successfully dequeuing a USB request) will call the\nfunction driver's completion handler in the same context.  Hence, leading\ninto a deadlock.\n\nFix this issue by moving the usb_ep_free_request() back to\nffs_user_copy_worker(), and ensuring that it explicitly sets io_data->req\nto NULL after freeing it within the ffs->eps_lock.  This resolves the race\ncondition above, as the ffs_aio_cancel() routine will not continue\nattempting to dequeue a request that has already been freed, or the\nffs_user_copy_work() not freeing the USB request until the AIO cancel is\ndone referencing it.\n\nThis fix depends on\n  commit b566d38857fc (\"usb: gadget: f_fs: use io_data->status\n  consistently\")"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: usb: gadget: f_fs: corrige la ejecuci\u00f3n entre aio_cancel() y la solicitud AIO. Las aplicaciones basadas en FFS completas pueden utilizar la devoluci\u00f3n de llamada aio_cancel() para quitar de la cola las solicitudes USB pendientes enviadas al UDC. Existe un escenario en el que la aplicaci\u00f3n FFS emite una llamada de cancelaci\u00f3n de AIO, mientras el UDC maneja una desconexi\u00f3n suave. Para una implementaci\u00f3n basada en DWC3, la pila de llamadas se parece a la siguiente: Aplicaci\u00f3n DWC3 Gadget FFS dwc3_gadget_soft_disconnect() ... --&gt; dwc3_stop_active_transfers() --&gt; dwc3_gadget_giveback(-ESHUTDOWN) --&gt; ffs_epfile_async_io_complete() ffs_aio_cancel() --&gt; usb_ep_free_request () --&gt; usb_ep_dequeue() Actualmente no hay ning\u00fan bloqueo implementado entre el controlador de finalizaci\u00f3n de AIO y la cancelaci\u00f3n de AIO, por lo que el problema ocurre si la rutina de finalizaci\u00f3n se ejecuta en paralelo a una llamada de cancelaci\u00f3n de AIO proveniente de la aplicaci\u00f3n FFS. A medida que la llamada de finalizaci\u00f3n libera la solicitud USB (io_data-&gt;req), la aplicaci\u00f3n FFS tambi\u00e9n hace referencia a ella para la llamada usb_ep_dequeue(). Esto puede llevar a acceder a un puntero obsoleto/colgado. commit b566d38857fc (\"usb: gadget: f_fs: use io_data-&gt;status consistentemente\") reubic\u00f3 usb_ep_free_request() en ffs_epfile_async_io_complete(). Sin embargo, para implementar correctamente el bloqueo para mitigar este problema, el spinlock no se puede agregar a ffs_epfile_async_io_complete(), ya que usb_ep_dequeue() (si se elimina con \u00e9xito una solicitud USB) llamar\u00e1 al controlador de finalizaci\u00f3n del controlador de funci\u00f3n en el mismo contexto. De ah\u00ed que se llegue a un punto muerto. Solucione este problema moviendo usb_ep_free_request() de nuevo a ffs_user_copy_worker() y asegur\u00e1ndose de que establezca expl\u00edcitamente io_data-&gt;req en NULL despu\u00e9s de liberarlo dentro de ffs-&gt;eps_lock. Esto resuelve la condici\u00f3n de ejecuci\u00f3n anterior, ya que la rutina ffs_aio_cancel() no continuar\u00e1 intentando sacar de la cola una solicitud que ya ha sido liberada, o ffs_user_copy_work() no liberar\u00e1 la solicitud USB hasta que la cancelaci\u00f3n de AIO termine de hacer referencia a ella. Esta soluci\u00f3n depende de el commit b566d38857fc (\"usb: gadget: f_fs: use io_data-&gt;status consistentemente\")"}], "id": "CVE-2024-36894", "lastModified": "2025-04-01T18:34:56.940", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "PHYSICAL", "availabilityImpact": "HIGH", "baseScore": 5.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:P/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 0.4, "impactScore": 5.2, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2024-05-30T16:15:12.857", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/24729b307eefcd7c476065cd7351c1a018082c19"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/3613e5023f09b3308545e9d1acda86017ebd418a"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/73c05ad46bb4fbbdb346004651576d1c8dbcffbb"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/9e72ef59cbe61cd1243857a6418ca92104275867"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/a0fdccb1c9e027e3195f947f61aa87d6d0d2ea14"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/d7461830823242702f5d84084bcccb25159003f4"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/e500b1c4e29ad0bd1c1332a1eaea2913627a92dd"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/f71a53148ce34898fef099b75386a3a9f4449311"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/24729b307eefcd7c476065cd7351c1a018082c19"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/3613e5023f09b3308545e9d1acda86017ebd418a"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/73c05ad46bb4fbbdb346004651576d1c8dbcffbb"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/9e72ef59cbe61cd1243857a6418ca92104275867"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/a0fdccb1c9e027e3195f947f61aa87d6d0d2ea14"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/d7461830823242702f5d84084bcccb25159003f4"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/e500b1c4e29ad0bd1c1332a1eaea2913627a92dd"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/f71a53148ce34898fef099b75386a3a9f4449311"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-362"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{

configurations : [ »

0 : { »

nodes : [ »

0 : { »

cpeMatch : [ »

0 : { »

criteria : cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (string)

matchCriteriaId : 60021762-BA95-4C90-A0C7-9570F479FFCA (string)

versionEndExcluding : 4.19.317 (string)

versionStartIncluding : 3.15 (string)

vulnerable : true (boolean)

}

1 : { »

criteria : cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (string)

matchCriteriaId : F4E38E58-1B9F-4DF2-AD3D-A8BEAA2959D8 (string)

versionEndExcluding : 5.4.279 (string)

versionStartIncluding : 4.20 (string)

vulnerable : true (boolean)

}

2 : { »

criteria : cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (string)

matchCriteriaId : 659E1520-6345-41AF-B893-A7C0647585A0 (string)

versionEndExcluding : 5.10.221 (string)

versionStartIncluding : 5.5 (string)

vulnerable : true (boolean)

}

3 : { »

criteria : cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (string)

matchCriteriaId : 10A39ACC-3005-40E8-875C-98A372D1FFD5 (string)

versionEndExcluding : 5.15.162 (string)

versionStartIncluding : 5.11 (string)

vulnerable : true (boolean)

}

4 : { »

criteria : cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (string)

matchCriteriaId : D435765D-2766-44F5-B319-F713A13E35CE (string)

versionEndExcluding : 6.1.95 (string)

versionStartIncluding : 5.16 (string)

vulnerable : true (boolean)

}

5 : { »

criteria : cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (string)

matchCriteriaId : CDDB1F69-36AC-41C1-9192-E7CCEF5FFC00 (string)

versionEndExcluding : 6.6.31 (string)

versionStartIncluding : 6.2 (string)

vulnerable : true (boolean)

}

6 : { »

criteria : cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (string)

matchCriteriaId : 6A6B920C-8D8F-4130-86B4-AD334F4CF2E3 (string)

versionEndExcluding : 6.8.10 (string)

versionStartIncluding : 6.7 (string)

vulnerable : true (boolean)

}

7 : { »

criteria : cpe:2.3:o:linux:linux_kernel:6.9:rc1:*:*:*:*:*:* (string)

matchCriteriaId : 22BEDD49-2C6D-402D-9DBF-6646F6ECD10B (string)

vulnerable : true (boolean)

}

8 : { »

criteria : cpe:2.3:o:linux:linux_kernel:6.9:rc2:*:*:*:*:*:* (string)

matchCriteriaId : DF73CB2A-DFFD-46FB-9BFE-AA394F27EA37 (string)

vulnerable : true (boolean)

}

9 : { »

criteria : cpe:2.3:o:linux:linux_kernel:6.9:rc3:*:*:*:*:*:* (string)

matchCriteriaId : 52048DDA-FC5A-4363-95A0-A6357B4D7F8C (string)

vulnerable : true (boolean)

}

10 : { »

criteria : cpe:2.3:o:linux:linux_kernel:6.9:rc4:*:*:*:*:*:* (string)

matchCriteriaId : A06B2CCF-3F43-4FA9-8773-C83C3F5764B2 (string)

vulnerable : true (boolean)

}

11 : { »

criteria : cpe:2.3:o:linux:linux_kernel:6.9:rc5:*:*:*:*:*:* (string)

matchCriteriaId : F850DCEC-E08B-4317-A33B-D2DCF39F601B (string)

vulnerable : true (boolean)

}

12 : { »

criteria : cpe:2.3:o:linux:linux_kernel:6.9:rc6:*:*:*:*:*:* (string)

matchCriteriaId : 91326417-E981-482E-A5A3-28BC1327521B (string)

vulnerable : true (boolean)

}

]

negate : false (boolean)

operator : OR (string)

}

]

}

]

cveTags : [ *empty* ]

descriptions : [ »

0 : { »

lang : en (string)

value : In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_fs: Fix race between aio_cancel() and AIO request complete FFS based applications can utilize the aio_cancel() callback to dequeue pending USB requests submitted to the UDC. There is a scenario where the FFS application issues an AIO cancel call, while the UDC is handling a soft disconnect. For a DWC3 based implementation, the callstack looks like the following: DWC3 Gadget FFS Application dwc3_gadget_soft_disconnect() ... --> dwc3_stop_active_transfers() --> dwc3_gadget_giveback(-ESHUTDOWN) --> ffs_epfile_async_io_complete() ffs_aio_cancel() --> usb_ep_free_request() --> usb_ep_dequeue() There is currently no locking implemented between the AIO completion handler and AIO cancel, so the issue occurs if the completion routine is running in parallel to an AIO cancel call coming from the FFS application. As the completion call frees the USB request (io_data->req) the FFS application is also referencing it for the usb_ep_dequeue() call. This can lead to accessing a stale/hanging pointer. commit b566d38857fc ("usb: gadget: f_fs: use io_data->status consistently") relocated the usb_ep_free_request() into ffs_epfile_async_io_complete(). However, in order to properly implement locking to mitigate this issue, the spinlock can't be added to ffs_epfile_async_io_complete(), as usb_ep_dequeue() (if successfully dequeuing a USB request) will call the function driver's completion handler in the same context. Hence, leading into a deadlock. Fix this issue by moving the usb_ep_free_request() back to ffs_user_copy_worker(), and ensuring that it explicitly sets io_data->req to NULL after freeing it within the ffs->eps_lock. This resolves the race condition above, as the ffs_aio_cancel() routine will not continue attempting to dequeue a request that has already been freed, or the ffs_user_copy_work() not freeing the USB request until the AIO cancel is done referencing it. This fix depends on commit b566d38857fc ("usb: gadget: f_fs: use io_data->status consistently") (string)

}

1 : { »

lang : es (string)

value : En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: usb: gadget: f_fs: corrige la ejecución entre aio_cancel() y la solicitud AIO. Las aplicaciones basadas en FFS completas pueden utilizar la devolución de llamada aio_cancel() para quitar de la cola las solicitudes USB pendientes enviadas al UDC. Existe un escenario en el que la aplicación FFS emite una llamada de cancelación de AIO, mientras el UDC maneja una desconexión suave. Para una implementación basada en DWC3, la pila de llamadas se parece a la siguiente: Aplicación DWC3 Gadget FFS dwc3_gadget_soft_disconnect() ... --> dwc3_stop_active_transfers() --> dwc3_gadget_giveback(-ESHUTDOWN) --> ffs_epfile_async_io_complete() ffs_aio_cancel() --> usb_ep_free_request () --> usb_ep_dequeue() Actualmente no hay ningún bloqueo implementado entre el controlador de finalización de AIO y la cancelación de AIO, por lo que el problema ocurre si la rutina de finalización se ejecuta en paralelo a una llamada de cancelación de AIO proveniente de la aplicación FFS. A medida que la llamada de finalización libera la solicitud USB (io_data->req), la aplicación FFS también hace referencia a ella para la llamada usb_ep_dequeue(). Esto puede llevar a acceder a un puntero obsoleto/colgado. commit b566d38857fc ("usb: gadget: f_fs: use io_data->status consistentemente") reubicó usb_ep_free_request() en ffs_epfile_async_io_complete(). Sin embargo, para implementar correctamente el bloqueo para mitigar este problema, el spinlock no se puede agregar a ffs_epfile_async_io_complete(), ya que usb_ep_dequeue() (si se elimina con éxito una solicitud USB) llamará al controlador de finalización del controlador de función en el mismo contexto. De ahí que se llegue a un punto muerto. Solucione este problema moviendo usb_ep_free_request() de nuevo a ffs_user_copy_worker() y asegurándose de que establezca explícitamente io_data->req en NULL después de liberarlo dentro de ffs->eps_lock. Esto resuelve la condición de ejecución anterior, ya que la rutina ffs_aio_cancel() no continuará intentando sacar de la cola una solicitud que ya ha sido liberada, o ffs_user_copy_work() no liberará la solicitud USB hasta que la cancelación de AIO termine de hacer referencia a ella. Esta solución depende de el commit b566d38857fc ("usb: gadget: f_fs: use io_data->status consistentemente") (string)

}

]

id : CVE-2024-36894 (string)

lastModified : 2025-04-01T18:34:56.940 (string)

metrics : { »

cvssMetricV31 : [ »

0 : { »

cvssData : { »

attackComplexity : HIGH (string)

attackVector : PHYSICAL (string)

availabilityImpact : HIGH (string)

baseScore : 5.6 (number)

baseSeverity : MEDIUM (string)

confidentialityImpact : HIGH (string)

integrityImpact : NONE (string)

privilegesRequired : LOW (string)

scope : UNCHANGED (string)

userInteraction : NONE (string)

vectorString : CVSS:3.1/AV:P/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:H (string)

version : 3.1 (string)

}

exploitabilityScore : 0.4 (number)

impactScore : 5.2 (number)

source : 134c704f-9b21-4f2e-91b3-4a467353bcc0 (string)

type : Secondary (string)

}

]

}

published : 2024-05-30T16:15:12.857 (string)

references : [ »

0 : { »

source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67 (string)

tags : [ »

0 : Patch (string)

]

url : https://git.kernel.org/stable/c/24729b307eefcd7c476065cd7351c1a018082c19 (string)

}

1 : { »

source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67 (string)

tags : [ »

0 : Patch (string)

]

url : https://git.kernel.org/stable/c/3613e5023f09b3308545e9d1acda86017ebd418a (string)

}

2 : { »

source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67 (string)

tags : [ »

0 : Patch (string)

]

url : https://git.kernel.org/stable/c/73c05ad46bb4fbbdb346004651576d1c8dbcffbb (string)

}

3 : { »

source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67 (string)

tags : [ »

0 : Patch (string)

]

url : https://git.kernel.org/stable/c/9e72ef59cbe61cd1243857a6418ca92104275867 (string)

}

4 : { »

source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67 (string)

tags : [ »

0 : Patch (string)

]

url : https://git.kernel.org/stable/c/a0fdccb1c9e027e3195f947f61aa87d6d0d2ea14 (string)

}

5 : { »

source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67 (string)

tags : [ »

0 : Patch (string)

]

url : https://git.kernel.org/stable/c/d7461830823242702f5d84084bcccb25159003f4 (string)

}

6 : { »

source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67 (string)

tags : [ »

0 : Patch (string)

]

url : https://git.kernel.org/stable/c/e500b1c4e29ad0bd1c1332a1eaea2913627a92dd (string)

}

7 : { »

source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67 (string)

tags : [ »

0 : Patch (string)

]

url : https://git.kernel.org/stable/c/f71a53148ce34898fef099b75386a3a9f4449311 (string)

}

8 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

tags : [ »

0 : Patch (string)

]

url : https://git.kernel.org/stable/c/24729b307eefcd7c476065cd7351c1a018082c19 (string)

}

9 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

tags : [ »

0 : Patch (string)

]

url : https://git.kernel.org/stable/c/3613e5023f09b3308545e9d1acda86017ebd418a (string)

}

10 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

tags : [ »

0 : Patch (string)

]

url : https://git.kernel.org/stable/c/73c05ad46bb4fbbdb346004651576d1c8dbcffbb (string)

}

11 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

tags : [ »

0 : Patch (string)

]

url : https://git.kernel.org/stable/c/9e72ef59cbe61cd1243857a6418ca92104275867 (string)

}

12 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

tags : [ »

0 : Patch (string)

]

url : https://git.kernel.org/stable/c/a0fdccb1c9e027e3195f947f61aa87d6d0d2ea14 (string)

}

13 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

tags : [ »

0 : Patch (string)

]

url : https://git.kernel.org/stable/c/d7461830823242702f5d84084bcccb25159003f4 (string)

}

14 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

tags : [ »

0 : Patch (string)

]

url : https://git.kernel.org/stable/c/e500b1c4e29ad0bd1c1332a1eaea2913627a92dd (string)

}

15 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

tags : [ »

0 : Patch (string)

]

url : https://git.kernel.org/stable/c/f71a53148ce34898fef099b75386a3a9f4449311 (string)

}

]

sourceIdentifier : 416baaa9-dc9f-4396-8d5f-8c081fb06d67 (string)

vulnStatus : Analyzed (string)

weaknesses : [ »

0 : { »

description : [ »

0 : { »

lang : en (string)

value : CWE-362 (string)

}

]

source : 134c704f-9b21-4f2e-91b3-4a467353bcc0 (string)

type : Secondary (string)

}

]

}

Show plain JSON

{"bugzilla": {"description": "kernel: usb: gadget: f_fs: Fix race between aio_cancel() and AIO request complete", "id": "2284561", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2284561"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.4", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-362", "details": ["In the Linux kernel, the following vulnerability has been resolved:\nusb: gadget: f_fs: Fix race between aio_cancel() and AIO request complete\nFFS based applications can utilize the aio_cancel() callback to dequeue\npending USB requests submitted to the UDC.  There is a scenario where the\nFFS application issues an AIO cancel call, while the UDC is handling a\nsoft disconnect.  For a DWC3 based implementation, the callstack looks\nlike the following:\nDWC3 Gadget                               FFS Application\ndwc3_gadget_soft_disconnect()              ...\n--> dwc3_stop_active_transfers()\n--> dwc3_gadget_giveback(-ESHUTDOWN)\n--> ffs_epfile_async_io_complete()   ffs_aio_cancel()\n--> usb_ep_free_request()            --> usb_ep_dequeue()\nThere is currently no locking implemented between the AIO completion\nhandler and AIO cancel, so the issue occurs if the completion routine is\nrunning in parallel to an AIO cancel call coming from the FFS application.\nAs the completion call frees the USB request (io_data->req) the FFS\napplication is also referencing it for the usb_ep_dequeue() call.  This can\nlead to accessing a stale/hanging pointer.\ncommit b566d38857fc (\"usb: gadget: f_fs: use io_data->status consistently\")\nrelocated the usb_ep_free_request() into ffs_epfile_async_io_complete().\nHowever, in order to properly implement locking to mitigate this issue, the\nspinlock can't be added to ffs_epfile_async_io_complete(), as\nusb_ep_dequeue() (if successfully dequeuing a USB request) will call the\nfunction driver's completion handler in the same context.  Hence, leading\ninto a deadlock.\nFix this issue by moving the usb_ep_free_request() back to\nffs_user_copy_worker(), and ensuring that it explicitly sets io_data->req\nto NULL after freeing it within the ffs->eps_lock.  This resolves the race\ncondition above, as the ffs_aio_cancel() routine will not continue\nattempting to dequeue a request that has already been freed, or the\nffs_user_copy_work() not freeing the USB request until the AIO cancel is\ndone referencing it.\nThis fix depends on\ncommit b566d38857fc (\"usb: gadget: f_fs: use io_data->status\nconsistently\")"], "name": "CVE-2024-36894", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-05-30T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-36894\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-36894\nhttps://lore.kernel.org/linux-cve-announce/2024053034-CVE-2024-36894-b44b@gregkh/T"], "threat_severity": "Low"}

{

bugzilla : { »

description : kernel: usb: gadget: f_fs: Fix race between aio_cancel() and AIO request complete (string)

id : 2284561 (string)

url : https://bugzilla.redhat.com/show_bug.cgi?id=2284561 (string)

}

csaw : false (boolean)

cvss3 : { »

cvss3_base_score : 4.4 (string)

cvss3_scoring_vector : CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H (string)

status : draft (string)

}

cwe : CWE-362 (string)

details : [ »

0 : In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_fs: Fix race between aio_cancel() and AIO request complete FFS based applications can utilize the aio_cancel() callback to dequeue pending USB requests submitted to the UDC. There is a scenario where the FFS application issues an AIO cancel call, while the UDC is handling a soft disconnect. For a DWC3 based implementation, the callstack looks like the following: DWC3 Gadget FFS Application dwc3_gadget_soft_disconnect() ... --> dwc3_stop_active_transfers() --> dwc3_gadget_giveback(-ESHUTDOWN) --> ffs_epfile_async_io_complete() ffs_aio_cancel() --> usb_ep_free_request() --> usb_ep_dequeue() There is currently no locking implemented between the AIO completion handler and AIO cancel, so the issue occurs if the completion routine is running in parallel to an AIO cancel call coming from the FFS application. As the completion call frees the USB request (io_data->req) the FFS application is also referencing it for the usb_ep_dequeue() call. This can lead to accessing a stale/hanging pointer. commit b566d38857fc ("usb: gadget: f_fs: use io_data->status consistently") relocated the usb_ep_free_request() into ffs_epfile_async_io_complete(). However, in order to properly implement locking to mitigate this issue, the spinlock can't be added to ffs_epfile_async_io_complete(), as usb_ep_dequeue() (if successfully dequeuing a USB request) will call the function driver's completion handler in the same context. Hence, leading into a deadlock. Fix this issue by moving the usb_ep_free_request() back to ffs_user_copy_worker(), and ensuring that it explicitly sets io_data->req to NULL after freeing it within the ffs->eps_lock. This resolves the race condition above, as the ffs_aio_cancel() routine will not continue attempting to dequeue a request that has already been freed, or the ffs_user_copy_work() not freeing the USB request until the AIO cancel is done referencing it. This fix depends on commit b566d38857fc ("usb: gadget: f_fs: use io_data->status consistently") (string)

]

name : CVE-2024-36894 (string)

package_state : [ »

0 : { »

cpe : cpe:/o:redhat:enterprise_linux:6 (string)

fix_state : Not affected (string)

package_name : kernel (string)

product_name : Red Hat Enterprise Linux 6 (string)

}

1 : { »

cpe : cpe:/o:redhat:enterprise_linux:7 (string)

fix_state : Not affected (string)

package_name : kernel (string)

product_name : Red Hat Enterprise Linux 7 (string)

}

2 : { »

cpe : cpe:/o:redhat:enterprise_linux:7 (string)

fix_state : Not affected (string)

package_name : kernel-rt (string)

product_name : Red Hat Enterprise Linux 7 (string)

}

3 : { »

cpe : cpe:/o:redhat:enterprise_linux:8 (string)

fix_state : Not affected (string)

package_name : kernel (string)

product_name : Red Hat Enterprise Linux 8 (string)

}

4 : { »

cpe : cpe:/o:redhat:enterprise_linux:8 (string)

fix_state : Not affected (string)

package_name : kernel-rt (string)

product_name : Red Hat Enterprise Linux 8 (string)

}

5 : { »

cpe : cpe:/o:redhat:enterprise_linux:9 (string)

fix_state : Not affected (string)

package_name : kernel (string)

product_name : Red Hat Enterprise Linux 9 (string)

}

6 : { »

cpe : cpe:/o:redhat:enterprise_linux:9 (string)

fix_state : Not affected (string)

package_name : kernel-rt (string)

product_name : Red Hat Enterprise Linux 9 (string)

}

]

public_date : 2024-05-30T00:00:00Z (string)

references : [ »

0 : https://www.cve.org/CVERecord?id=CVE-2024-36894 https://nvd.nist.gov/vuln/detail/CVE-2024-36894 https://lore.kernel.org/linux-cve-announce/2024053034-CVE-2024-36894-b44b@gregkh/T (string)

]

threat_severity : Low (string)

}

Metrics

Attack Vector Physical

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Affected Vendors & Products

Metrics

Attack Vector Physical

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object