DEBIAN-CVE-2021-46986

Source
https://security-tracker.debian.org/tracker/CVE-2021-46986
Import Source
https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2021-46986.json
JSON Data
https://api.osv.dev/v1/vulns/DEBIAN-CVE-2021-46986
Upstream
Published
2024-02-28T09:15:37.540Z
Modified
2025-11-19T01:08:48.630437Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

usb: dwc3: gadget: Free gadget structure only after freeing endpoints

As part of commit e81a7018d93a ("usb: dwc3: allocate gadget structure dynamically") the dwc3_gadget_release() was added which will free the dwc->gadget structure upon the device's removal when usb_del_gadget_udc() is called in dwc3_gadget_exit().

However, simply freeing the gadget results in a dangling pointer situation: the endpoints created in dwc3_gadget_init_endpoints() have their dep->endpoint.ep_list members chained off the list_head anchored at dwc->gadget->ep_list. Thus when dwc->gadget is freed, the first dwc3_ep in the list now has a dangling prev pointer and likewise for the next pointer of the dwc3_ep at the tail of the list. The dwc3_gadget_free_endpoints() that follows will result in a use-after-free when it calls list_del().

This was caught by enabling KASAN and performing a driver unbind. The recent commit 568262bf5492 ("usb: dwc3: core: Add shutdown callback for dwc3") also exposes this as a panic during shutdown.

There are a few possibilities to fix this. One could be to perform a list_del() of the gadget->ep_list itself which removes it from the rest of the dwc3_ep chain.

Another approach is what this patch does, by splitting up the usb_del_gadget_udc() call into its separate "del" and "put" components. This allows dwc3_gadget_free_endpoints() to be called before the gadget is finally freed with usb_put_gadget().

References

Affected packages

Debian:11 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
5.10.38-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2021-46986.json"

Debian:12 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
5.10.38-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2021-46986.json"

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
5.10.38-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2021-46986.json"

Debian:14 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
5.10.38-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2021-46986.json"