CVE-2024-27405

Severity CVSS v4.0:
Pending analysis
Type:
CWE-476 NULL Pointer Dereference
Publication date:
17/05/2024
Last modified:
08/04/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

usb: gadget: ncm: Avoid dropping datagrams of properly parsed NTBs

It is observed sometimes when tethering is used over NCM with Windows 11 as host, at some instances, the gadget_giveback has one byte appended at the end of a proper NTB. When the NTB is parsed, unwrap call looks for any leftover bytes in SKB provided by u_ether and if there are any pending bytes, it treats them as a separate NTB and parses it. But in case the second NTB (as per unwrap call) is faulty/corrupt, all the datagrams that were parsed properly in the first NTB and saved in rx_list are dropped.

Adding a few custom traces showed the following:

[002] d..1 7828.532866: dwc3_gadget_giveback: ep1out: req 000000003868811a length 1025/16384 zsI ==> 0
[002] d..1 7828.532867: ncm_unwrap_ntb: K: ncm_unwrap_ntb toprocess: 1025
[002] d..1 7828.532867: ncm_unwrap_ntb: K: ncm_unwrap_ntb nth: 1751999342
[002] d..1 7828.532868: ncm_unwrap_ntb: K: ncm_unwrap_ntb seq: 0xce67
[002] d..1 7828.532868: ncm_unwrap_ntb: K: ncm_unwrap_ntb blk_len: 0x400
[002] d..1 7828.532868: ncm_unwrap_ntb: K: ncm_unwrap_ntb ndp_len: 0x10
[002] d..1 7828.532869: ncm_unwrap_ntb: K: Parsed NTB with 1 frames

In this case, the giveback is of 1025 bytes and block length is 1024. The rest 1 byte (which is 0x00) won't be parsed resulting in drop of all datagrams in rx_list.

Same is case with packets of size 2048:

[002] d..1 7828.557948: dwc3_gadget_giveback: ep1out: req 0000000011dfd96e length 2049/16384 zsI ==> 0
[002] d..1 7828.557949: ncm_unwrap_ntb: K: ncm_unwrap_ntb nth: 1751999342
[002] d..1 7828.557950: ncm_unwrap_ntb: K: ncm_unwrap_ntb blk_len: 0x800

Lecroy shows one byte coming in extra confirming that the byte is coming in from PC:

Transfer 2959 - Bytes Transferred(1025) Timestamp((18.524 843 590)
- Transaction 8391 - Data(1025 bytes) Timestamp(18.524 843 590)
--- Packet 4063861
Data(1024 bytes)
Duration(2.117us) Idle(14.700ns) Timestamp(18.524 843 590)
--- Packet 4063863
Data(1 byte)
Duration(66.160ns) Time(282.000ns) Timestamp(18.524 845 722)

According to Windows driver, no ZLP is needed if wBlockLength is non-zero, because the non-zero wBlockLength has already told the function side the size of transfer to be expected. However, there are in-market NCM devices that rely on ZLP as long as the wBlockLength is multiple of wMaxPacketSize. To deal with such devices, it pads an extra 0 at end so the transfer is no longer multiple of wMaxPacketSize.
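The failure mode described above is easiest to see with a small model of the unwrap loop. The following is an added example written for this page, not the kernel's f_ncm.c code: it parses the 16-bit NTB format from the CDC NCM specification (NTH16 "NCMH" header, NDP16 "NCM0" datagram pointer table), builds a constructed single-datagram NTB, appends the 0x00 padding byte the commit message attributes to the Windows driver, and runs it through two variants of the loop. The pre-fix variant treats the leftover byte as a second NTB, fails to parse it, and drops every datagram collected so far; the fixed variant consumes a lone trailing 0x00 as padding, which is the remedy the commit message implies. Function names (`parse_one_ntb`, `unwrap_transfer`, `build_sample_ntb`, `demo`) and the sample bytes are assumptions of this example; the real function also handles the 32-bit NTB format and feeds real skbs to a list, neither of which is modelled here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* NTB16 constants from the CDC NCM 1.0 specification. */
#define NTH16_SIGN    0x484D434EUL /* "NCMH" */
#define NDP16_SIGN    0x304D434EUL /* "NCM0" (datagrams without CRC) */
#define NTH16_LEN     12
#define NDP16_HDR_LEN 8

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t le32(const uint8_t *p) { return le16(p) | ((uint32_t)le16(p + 2) << 16); }
static void put16(uint8_t *p, uint16_t v) { p[0] = v & 0xff; p[1] = v >> 8; }
static void put32(uint8_t *p, uint32_t v) { put16(p, v & 0xffff); put16(p + 2, v >> 16); }

/* Hypothetical simplified model of one NTB parse (not the kernel's code).
 * Appends each datagram length to out[]; returns wBlockLength consumed,
 * or 0 if the NTB is malformed. */
static size_t parse_one_ntb(const uint8_t *ntb, size_t len,
                            size_t *out, size_t max_out, size_t *count)
{
    if (len < NTH16_LEN || le32(ntb) != NTH16_SIGN || le16(ntb + 4) != NTH16_LEN)
        return 0;
    size_t block_len = le16(ntb + 8), ndp_index = le16(ntb + 10);
    if (block_len < NTH16_LEN || block_len > len)
        return 0;
    while (ndp_index) {                 /* walk the chain of NDP16 tables */
        if (ndp_index + NDP16_HDR_LEN > block_len || le32(ntb + ndp_index) != NDP16_SIGN)
            return 0;
        size_t ndp_len = le16(ntb + ndp_index + 4), next = le16(ntb + ndp_index + 6);
        if (ndp_len < NDP16_HDR_LEN + 4 || ndp_index + ndp_len > block_len)
            return 0;
        /* (wDatagramIndex, wDatagramLength) pairs, terminated by a zero pair */
        for (size_t e = ndp_index + NDP16_HDR_LEN; e + 4 <= ndp_index + ndp_len; e += 4) {
            size_t idx = le16(ntb + e), dlen = le16(ntb + e + 2);
            if (idx == 0 || dlen == 0) break;
            if (idx + dlen > block_len) return 0;   /* datagram outside the block */
            if (*count < max_out) out[(*count)++] = dlen;
        }
        ndp_index = next;
    }
    return block_len;
}

/* Unwrap a whole USB transfer that may carry several back-to-back NTBs.
 * Returns the number of datagrams delivered; 0 means the list was dropped.
 * fixed == 0: any parse failure drops everything collected so far (pre-fix).
 * fixed != 0: a lone trailing 0x00 byte is treated as host padding. */
static size_t unwrap_transfer(const uint8_t *buf, size_t len, int fixed,
                              size_t *out, size_t max_out)
{
    size_t count = 0, off = 0;
    while (off < len) {
        size_t remaining = len - off;
        if (fixed && remaining == 1 && buf[off] == 0x00)
            break;                                  /* padding, not an NTB */
        size_t consumed = parse_one_ntb(buf + off, remaining, out, max_out, &count);
        if (consumed == 0)
            return 0;                               /* faulty NTB: drop rx_list */
        off += consumed;
    }
    return count;
}

/* Constructed sample: one 60-byte datagram at offset 16, NDP16 at offset 76.
 * Returns wBlockLength (92). */
static size_t build_sample_ntb(uint8_t *buf)
{
    const uint16_t dg_off = 16, dg_len = 60, ndp_off = 76, ndp_len = 16;
    memset(buf, 0, ndp_off + ndp_len);
    put32(buf, NTH16_SIGN); put16(buf + 4, NTH16_LEN); put16(buf + 6, 1);
    put16(buf + 8, ndp_off + ndp_len); put16(buf + 10, ndp_off);
    memset(buf + dg_off, 0xAB, dg_len);             /* dummy Ethernet frame */
    put32(buf + ndp_off, NDP16_SIGN); put16(buf + ndp_off + 4, ndp_len);
    put16(buf + ndp_off + 6, 0);                    /* no further NDP */
    put16(buf + ndp_off + 8, dg_off); put16(buf + ndp_off + 10, dg_len);
    return ndp_off + ndp_len;                       /* entry at +12 is the zero terminator */
}

/* Run the scenario: a valid NTB, optionally followed by one 0x00 byte. */
static size_t demo(int fixed, int pad)
{
    uint8_t transfer[128];
    size_t out[8];
    size_t blk = build_sample_ntb(transfer);
    if (pad) transfer[blk] = 0x00;                  /* the extra byte from the host */
    return unwrap_transfer(transfer, blk + (pad ? 1 : 0), fixed, out, 8);
}

int main(void)
{
    printf("no padding : pre-fix %zu, fixed %zu\n", demo(0, 0), demo(1, 0));
    printf("0x00 padded: pre-fix %zu, fixed %zu\n", demo(0, 1), demo(1, 1));
    return 0;
}
```

With padding present the pre-fix loop returns 0 datagrams although the first NTB was valid, which is the silent packet loss the traces above show as a 1025-byte giveback against a 1024-byte block length. Note that the padding check only fires for exactly one trailing zero byte; a longer run of leftover bytes is still parsed as an NTB and still drops the list, so the example models the specific host behaviour the commit message describes rather than a general tolerance for trailing garbage.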

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 2.6.38 (including) 4.19.308 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 4.20 (including) 5.4.270 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.5 (including) 5.10.211 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.11 (including) 5.15.150 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.16 (including) 6.1.80 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.2 (including) 6.6.19 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.7 (including) 6.7.7 (excluding)
cpe:2.3:o:linux:linux_kernel:6.8:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.8:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.8:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.8:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.8:rc5:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*