296,202
Total vulnerabilities in the database
In the Linux kernel, the following vulnerability has been resolved:
usb: gadget: f_fs: Prevent race during ffs_ep0_queue_wait
While performing fast composition switch, there is a possibility that the process of ffs_ep0_write/ffs_ep0_read get into a race condition due to ep0req being freed up from functionfs_unbind.
Consider the scenario that the ffs_ep0_write calls the ffs_ep0_queue_wait by taking a lock &ffs->ev.waitq.lock. However, the functionfs_unbind isn't bounded so it can go ahead and mark the ep0req to NULL, and since there is no NULL check in ffs_ep0_queue_wait we will end up in use-after-free.
Fix this by making a serialized execution between the two functions using a mutex_lock(ffs->mutex).
| Software | From | Fixed in |
|---|---|---|
| linux / linux_kernel | 6.2-rc1 | 6.2-rc1.x |
| linux / linux_kernel | 6.2-rc2 | 6.2-rc2.x |
| linux / linux_kernel | 6.2-rc3 | 6.2-rc3.x |
| linux / linux_kernel | 6.2-rc4 | 6.2-rc4.x |
| linux / linux_kernel | 5.11 | 5.15.91 |
| linux / linux_kernel | 5.16 | 6.1.9 |
| linux / linux_kernel | 2.6.35 | 4.14.305 |
| linux / linux_kernel | 4.15 | 4.19.272 |
| linux / linux_kernel | 4.20 | 5.4.231 |
| linux / linux_kernel | 5.5 | 5.10.166 |