CVE-2024-26996

Source
https://cve.org/CVERecord?id=CVE-2024-26996
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-26996.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-26996
Downstream
Related
Published
2024-05-01T05:28:16.652Z
Modified
2026-03-14T12:27:43.844545Z
Summary
usb: gadget: f_ncm: Fix UAF ncm object at re-bind after usb ep transport error
Details

In the Linux kernel, the following vulnerability has been resolved:

usb: gadget: f_ncm: Fix UAF ncm object at re-bind after usb ep transport error

When the ncm function is working and the usb0 interface is then stopped for link down, eth_stop() is called. At this point, if a usb transport error happens in usb_ep_enable(), 'in_ep' and/or 'out_ep' may not be enabled.

After that, ncm_disable() is called to disable for ncm unbind, but gether_disconnect() is never called since 'in_ep' is not enabled.

As a result, the ncm object is released in ncm unbind but 'dev->port_usb' associated to 'ncm->port' is not NULL.

And when ncm binds again to recover the netdev, the ncm object is reallocated but the usb0 interface is already associated to the previously released ncm object.

Therefore, once the usb0 interface is up and eth_start_xmit() is called, the released ncm object is dereferenced, which might cause a use-after-free memory access.

[function unlink via configfs]
usb0: eth_stop dev->port_usb=ffffff9b179c3200
--> error happens in usb_ep_enable().
NCM: ncm_disable: ncm=ffffff9b179c3200
--> no gether_disconnect() since ncm->port.in_ep->enabled is false.
NCM: ncm_unbind: ncm unbind ncm=ffffff9b179c3200
NCM: ncm_free: ncm free ncm=ffffff9b179c3200 <-- released ncm

[function link via configfs]
NCM: ncm_alloc: ncm alloc ncm=ffffff9ac4f8a000
NCM: ncm_bind: ncm bind ncm=ffffff9ac4f8a000
NCM: ncm_set_alt: ncm=ffffff9ac4f8a000 alt=0
usb0: eth_open dev->port_usb=ffffff9b179c3200 <-- previous released ncm
usb0: eth_start dev->port_usb=ffffff9b179c3200 <--
eth_start_xmit() --> dev->wrap()
Unable to handle kernel paging request at virtual address dead00000000014f

This patch addresses the issue by checking whether 'ncm->netdev' is not NULL in ncm_disable() in order to call gether_disconnect() and deassociate 'dev->port_usb'. It is more reasonable to check 'ncm->netdev' when deciding to call gether_connect/disconnect rather than to check 'ncm->port.in_ep->enabled', since the endpoint might not be enabled even though the gether connection has been established.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/26xxx/CVE-2024-26996.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
6b4012a2e4d4702f8fb0ee1db1c0f0b17ab7d41b
Fixed
7f67c2020cb08499c400abf0fc32c65e4d9a09ca
Fixed
0588bbbd718a8130b98c54518f1e0b569ce60a93
Fixed
f356fd0cbd9c9cbd0854657a80d1608d0d732db3
Fixed
7250326cbb1f4f90391ac511a126b936cefb5bb7
Fixed
6334b8e4553cc69f51e383c9de545082213d785e

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-26996.json"