PT-2023-9697 · Linux+3 · Linux Kernel+3
Jia-Ju Bai · Published 2023-10-02 · Updated 2025-02-03 · CVE-2023-52855
CVSS v3.1: 5.5 (Medium)
| Vector | AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
Name of the Vulnerable Software and Affected Versions
Linux kernel versions prior to 6.5
Description
The vulnerability is related to a possible NULL pointer dereference caused by driver concurrency in the Linux kernel's dwc2 component. When the functions dwc2_hcd_urb_enqueue() and dwc2_hcd_urb_dequeue() are executed concurrently, the NULL check of urb->hcpriv can be executed before urb->hcpriv = NULL. After urb->hcpriv is NULL, it can be used in the function call to dwc2_hcd_urb_dequeue(), which can cause a NULL pointer dereference. This issue was found using an experimental static analysis tool that analyzes locking APIs to extract function pairs that can be concurrently executed and identifies possible concurrency bugs.
Recommendations
To fix this possible bug, urb->hcpriv = NULL should be executed while holding the lock hsotg->lock.
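Why the unlocked store leaves a window and the locked store does not, as an added example that is not kernel or patch code: a constructed userspace model that enumerates every interleaving of a dequeue path against the store of NULL to urb->hcpriv. It assumes the dequeue path checks and uses urb->hcpriv while holding hsotg->lock; the step lists and the names `run_step`, `explore` and `null_derefs` are hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>
/* Constructed model, not kernel code: each thread is a list of atomic steps. */
enum step { LOCK, UNLOCK, CHECK, USE, CLEAR, END };
/* Assumed dequeue side: checks, then uses, urb->hcpriv under hsotg->lock. */
static const enum step dequeue[] = { LOCK, CHECK, USE, UNLOCK, END };
/* Enqueue side storing NULL: outside the lock (bug) and under it (fix). */
static const enum step enq_unlocked[] = { CLEAR, END };
static const enum step enq_locked[] = { LOCK, CLEAR, UNLOCK, END };

struct state { int pc[2]; int owner; bool hcpriv_set; };

/* Run thread t's next step: -1 blocked or finished, 1 NULL deref, 0 ok. */
static int run_step(struct state *s, int t, const enum step *prog)
{
    enum step op = prog[s->pc[t]];
    if (op == END || (op == LOCK && s->owner != -1)) return -1;
    if (op == USE && !s->hcpriv_set) return 1;
    if (op == LOCK) s->owner = t;
    if (op == UNLOCK) s->owner = -1;
    if (op == CLEAR) s->hcpriv_set = false;
    if (op == CHECK && !s->hcpriv_set) s->pc[t]++;  /* NULL seen: skip USE */
    s->pc[t]++;
    return 0;
}

/* Depth-first search over every interleaving; counts those that hit NULL. */
static int explore(struct state s, const enum step *enq)
{
    int bad = 0;
    for (int t = 0; t < 2; t++) {
        struct state next = s;
        int r = run_step(&next, t, t ? enq : dequeue);
        bad += (r == 1) ? 1 : (r == 0) ? explore(next, enq) : 0;
    }
    return bad;
}

int null_derefs(bool clear_under_lock)
{
    struct state init = { { 0, 0 }, -1, true };
    return explore(init, clear_under_lock ? enq_locked : enq_unlocked);
}

int main(void)
{
    printf("unlocked: %d, locked: %d\n", null_derefs(false), null_derefs(true));
    return 0;
}
```

The single failing interleaving in the unlocked case is check, store of NULL, use; with the store under the lock it can no longer fall between the check and the use.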
As a temporary workaround, consider disabling the dwc2_hcd_urb_enqueue() and dwc2_hcd_urb_dequeue() functions until a patch is available.
Restrict access to the dwc2_hcd_urb_dequeue() function to minimize the risk of exploitation.
Avoid using the urb->hcpriv variable in the affected API endpoints until the issue is resolved.
Apply the patch that executes urb->hcpriv = NULL while holding the lock hsotg->lock to fix the vulnerability.
Exploit
Fix
NULL Pointer Dereference
Weakness Enumeration
Related identifiers
Affected products
Astra Linux
Linux Kernel
Red Os
Suse