CVE-2022-49299

Name of the Vulnerable Software and Affected Versions Linux kernel versions prior to 5.18.0-rc5-next-20220504

Description A vulnerability in the Linux kernel has been identified, where the UDC driver incorrectly resets the gadget's driver internals, specifically the driver->bus entry. This issue is triggered by a change in the gadget subsystem, which introduced its own bus. The vulnerability leads to a NULL pointer dereference, causing a kernel panic. The error occurs when the module add driver function is called, resulting in a crash.

Recommendations For Linux kernel versions prior to 5.18.0-rc5-next-20220504, the recommended fix is to remove the driver->bus entry reset in the UDC driver to prevent the NULL pointer dereference. This can be achieved by modifying the dwc2 gadget driver to avoid touching the gadget's driver internals, especially the driver->bus entry. As a temporary workaround, consider disabling the dwc2 gadget driver until a patch is available.