CVE-2022-50704

Name of the Vulnerable Software and Affected Versions Linux kernel (affected versions not specified)

Description A flaw exists in the Linux kernel's USB gadget functionality that can lead to a use-after-free condition during a USB configuration switch. Specifically, the issue occurs when switching from rndis to another configuration, and the hardware's pullup callback fails, or encounters a fault. This can result in a system panic. The vulnerability is triggered when the gadget->ops->pullup() function returns an error, leading to a use-after-free problem in the rndis close() function. The following actions can trigger the issue: writing 'none' to /config/usb gadget/g1/UDC, removing a file from /config/usb gadget/g1/configs/b.1/, or removing a directory from /config/usb gadget/g1/functions/. The analysis shows call stacks involving functions like gether disconnect, rndis disable, composite disconnect, configfs composite disconnect, usb gadget disconnect, usb gadget unregister driver, gadget dev desc UDC store, rndis deregister, rndis free, config usb cfg unlink, configfs unlink, vfs unlink, panic, do page fault, do mem abort, el1 sync handler, rndis close, eth stop, dev close many, rollback registered many, unregister netdev, gether cleanup, rndis attr release, kref put, and configfs rmdir.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.