CVE-2021-46986

Name of the Vulnerable Software and Affected Versions Linux kernel (affected versions not specified)

Description A vulnerability has been resolved in the Linux kernel related to the usb: dwc3: gadget. The issue arises when the gadget structure is freed before freeing the endpoints, resulting in a dangling pointer situation. This occurs because the endpoints created in dwc3 gadget init endpoints() have their dep->endpoint.ep list members chained off the list head anchored at dwc->gadget->ep list. When dwc->gadget is freed, the first dwc3 ep in the list now has a dangling prev pointer and likewise for the next pointer of the dwc3 ep at the tail of the list. The dwc3 gadget free endpoints() that follows will result in a use-after-free when it calls list del(). This was caught by enabling KASAN and performing a driver unbind. The recent commit 568262bf5492 ("usb: dwc3: core: Add shutdown callback for dwc3") also exposes this as a panic during shutdown.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.