Maciej Żenczykowski

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to the handling of zero block length packets in the Linux kernel's USB gadget ncm implementation. When connecting to a Linux host with CDC NCM NTB DEF SIZE TX set to 65536, short packets with block length zero but containing valid datagrams may be received. According to the NCM spec, if wBlockLength = 0x0000, the block is terminated by a short packet, and the USB transfer must still be shorter than dwNtbInMaxSize or dwNtbOutMaxSize. However, the current implementation may process the same NTB infinitely if the block length reads zero, leading to a crash. The fix involves bailing out if the block length reads zero. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 5.10.149-android13 **Description** The vulnerability is related to a potential NULL pointer dereference in the `ncm bitrate()` function. This issue can cause a crash when the `cdev->gadget` pointer is NULL, leading to a denial of service. The crash occurs when the `ncm do notify()` function attempts to read the `max speed` value from the `cdev->gadget` structure, which is NULL. The vulnerability is triggered by a crash report from an aarch64 GKI 5.10.149-android13 running device. **Recommendations** To resolve this issue, update the Linux kernel to a version that includes the fix for the potential NULL pointer dereference in `ncm bitrate()`. As a temporary workaround, consider disabling the `ncm bitrate()` function or restricting access to the vulnerable code path until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to a null pointer dereference in the Linux kernel when a gadget driver calls `usb assign descriptors()` with a NULL descriptor for super-speed-plus and is then used on a max 10gbps configuration. This can cause the kernel to crash when a 10gbps capable device port + cable + host port combination shows up. The `usb assign descriptors()` function is called with 5 parameters, including `usb descriptor header` for full-speed, high-speed, super-speed, and super-speed-plus. The differences between full/high/super-speed descriptors are substantial due to changes in the maximum USB block size and other differences in the specs. However, the difference between 5 and 10Gbps descriptors may be minimal, and in many cases, the same tuning is sufficient. The fix is to use the 5gbps descriptor as the 10gbps descriptor if a 10gbps descriptor is not provided. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to a null pointer dereference in the Linux kernel's USB gadget functionality when using 10gbps cabling. This is avoided by reusing the 5gbps config for 10gbps, which prevents the null pointer dereference in functions such as `f ecm`, `f eem`, `f hid`, `f loopback`, `f printer`, `f rndis`, `f serial`, `f sourcesink`, `f subset`, and `f tcm`. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.