CVE-2021-47267

Severity CVSS v4.0: Pending analysis
Type: CWE-476 NULL Pointer Dereference
Publication date: 21/05/2024
Last modified: 04/04/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

usb: fix various gadget panics on 10gbps cabling

usb_assign_descriptors() is called with 5 parameters, the last 4 of which are the usb_descriptor_header for:
full-speed (USB1.1 - 12Mbps [including USB1.0 low-speed @ 1.5Mbps),
high-speed (USB2.0 - 480Mbps),
super-speed (USB3.0 - 5Gbps),
super-speed-plus (USB3.1 - 10Gbps).

The differences between full/high/super-speed descriptors are usually substantial (due to changes in the maximum usb block size from 64 to 512 to 1024 bytes and other differences in the specs), while the difference between 5 and 10Gbps descriptors may be as little as nothing (in many cases the same tuning is simply good enough).

However if a gadget driver calls usb_assign_descriptors() with a NULL descriptor for super-speed-plus and is then used on a max 10gbps configuration, the kernel will crash with a null pointer dereference, when a 10gbps capable device port + cable + host port combination shows up. (This wouldn't happen if the gadget max-speed was set to 5gbps, but it of course defaults to the maximum, and there's no real reason to artificially limit it)

The fix is to simply use the 5gbps descriptor as the 10gbps descriptor, if a 10gbps descriptor wasn't provided.

Obviously this won't fix the problem if the 5gbps descriptor is also NULL, but such cases can't be so trivially solved (and any such gadgets are unlikely to be used with USB3 ports any way).
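The failure and the fallback described above, as an added userspace model that is not the kernel's own code. The types, the function names and the descriptor lengths are assumptions made for illustration, and each descriptor set is reduced to a single pointer.

```c
#include <stddef.h>
#include <stdio.h>

/* Userspace model only: these types and names are illustrative, not kernel definitions. */
enum speed { SPEED_FULL, SPEED_HIGH, SPEED_SUPER, SPEED_SUPER_PLUS };
struct desc { unsigned char bLength; };
struct function { const struct desc *fs, *hs, *ss, *ssp; };

/* Stores the four descriptor sets. With fallback = 0 the pointers are kept
 * as passed (behaviour before the fix); with fallback = 1 a missing 10 Gbps
 * set is replaced by the 5 Gbps one (the fix described in the advisory). */
static void assign_descriptors(struct function *f, const struct desc *fs,
                               const struct desc *hs, const struct desc *ss,
                               const struct desc *ssp, int fallback)
{
    if (fallback && !ssp)
        ssp = ss;
    f->fs = fs; f->hs = hs; f->ss = ss; f->ssp = ssp;
}

/* Picks the set matching the speed negotiated on the link. */
static const struct desc *for_speed(const struct function *f, enum speed s)
{
    switch (s) {
    case SPEED_SUPER_PLUS: return f->ssp;
    case SPEED_SUPER:      return f->ss;
    case SPEED_HIGH:       return f->hs;
    default:               return f->fs;
    }
}

/* Constructed gadget that never supplies a 10 Gbps set. Returns the bLength a
 * 10 Gbps link would read, or -1 where the kernel would dereference NULL. */
int length_at_10gbps(int fallback, int has_ss)
{
    static const struct desc fs = { 7 }, hs = { 7 }, ss = { 9 }; /* constructed values */
    struct function f;
    const struct desc *d;

    assign_descriptors(&f, &fs, &hs, has_ss ? &ss : NULL, NULL, fallback);
    d = for_speed(&f, SPEED_SUPER_PLUS);
    return d ? d->bLength : -1;
}

int main(void)
{
    printf("unpatched: %d, patched: %d, patched without 5 Gbps set: %d\n",
           length_at_10gbps(0, 1), length_at_10gbps(1, 1), length_at_10gbps(1, 0));
    return 0;
}
```

The third case matches the advisory's caveat: when the 5 Gbps set is also NULL, the fallback has nothing to substitute and the lookup still yields NULL.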

Vulnerable products and versions

| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | | 4.9.273 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.10 (including) | 4.14.237 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.15 (including) | 4.19.195 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.20 (including) | 5.4.126 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.5 (including) | 5.10.44 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.11 (including) | 5.12.11 (excluding) |
| cpe:2.3:o:linux:linux_kernel:5.13:rc1:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:5.13:rc2:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:5.13:rc3:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:5.13:rc4:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:5.13:rc5:*:*:*:*:*:* | | |