CVE-2024-26600 - Linux Kernel Vulnerability Resolved: Phy-omap-usb2 NULL Pointer Dereference

A vulnerability within the Linux kernel has been discovered and resolved, concerning phy: ti: phy-omap-usb2. The issue consists of a NULL pointer dereference when operating with an external phy, caused by the absence of implementation for the send_srp() function. This article discusses the details of the exploit, sharing a code snippet and links to the original references.

The vulnerability arises when an idle Ethernet gadget triggers a wakeup, for example

configfs-gadget.g1 gadget.: ECM Suspend
configfs-gadget.g1 gadget.: Port suspended. Triggering wakeup
...
Unable to handle kernel NULL pointer dereference at virtual address 00000000 when executing ...
PC is at x
LR is at musb_gadget_wakeup + x1d4/x254 [musb_hdrc]
...
musb_gadget_wakeup [musb_hdrc] from usb_gadget_wakeup + x1c/x3c [udc_core]
usb_gadget_wakeup [udc_core] from eth_start_xmit + x3b/x3d4 [u_ether]
eth_start_xmit [u_ether] from dev_hard_start_xmit + x94/x24c
dev_hard_start_xmit from sch_direct_xmit + x104/x2e4
sch_direct_xmit from __dev_queue_xmit + x334/xd88
__dev_queue_xmit from arp_solicit + xf/x268
arp_solicit from neigh_probe + x54/x7c
neigh_probe from __neigh_event_send + x22c/x47c
__neigh_event_send from neigh_resolve_output + x14c/x1c
neigh_resolve_output from ip_finish_output2 + x1c8/x628
ip_finish_output2 from ip_send_skb + x40/xd8
ip_send_skb from udp_send_skb + x124/x340
udp_send_skb from udp_sendmsg + x780/x984
udp_sendmsg from __sys_sendto + xd8/x158
__sys_sendto from ret_fast_syscall + x/x58

To fix the issue, a check for the send_srp() and set_vbus() functions is required before calling them. In cases involving USB peripheral only, both functions could be NULL.

Here is a code snippet that checks for the presence of these functions before calling them

if (musb->phy->send_srp && musb->phy->set_vbus) {
    musb->phy->send_srp(musb->phy);
    musb->phy->set_vbus(musb->phy, 1);
}

- musb: Fix NULL pointer dereference for SRP

Make sure to update your Linux kernel to include this patch and protect your system against any potential exploits based on this vulnerability.

Timeline

Published on: 02/26/2024 16:27:59 UTC
Last modified on: 04/17/2024 18:29:25 UTC