CVE-2025-21776

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> USB: hub: Ignore non-compliant devices with too many configs or interfaces<br /> <br /> Robert Morris created a test program which can cause<br /> usb_hub_to_struct_hub() to dereference a NULL or inappropriate<br /> pointer:<br /> <br /> Oops: general protection fault, probably for non-canonical address<br /> 0xcccccccccccccccc: 0000 [#1] SMP DEBUG_PAGEALLOC PTI<br /> CPU: 7 UID: 0 PID: 117 Comm: kworker/7:1 Not tainted 6.13.0-rc3-00017-gf44d154d6e3d #14<br /> Hardware name: FreeBSD BHYVE/BHYVE, BIOS 14.0 10/17/2021<br /> Workqueue: usb_hub_wq hub_event<br /> RIP: 0010:usb_hub_adjust_deviceremovable+0x78/0x110<br /> ...<br /> Call Trace:<br /> <br /> ? die_addr+0x31/0x80<br /> ? exc_general_protection+0x1b4/0x3c0<br /> ? asm_exc_general_protection+0x26/0x30<br /> ? usb_hub_adjust_deviceremovable+0x78/0x110<br /> hub_probe+0x7c7/0xab0<br /> usb_probe_interface+0x14b/0x350<br /> really_probe+0xd0/0x2d0<br /> ? __pfx___device_attach_driver+0x10/0x10<br /> __driver_probe_device+0x6e/0x110<br /> driver_probe_device+0x1a/0x90<br /> __device_attach_driver+0x7e/0xc0<br /> bus_for_each_drv+0x7f/0xd0<br /> __device_attach+0xaa/0x1a0<br /> bus_probe_device+0x8b/0xa0<br /> device_add+0x62e/0x810<br /> usb_set_configuration+0x65d/0x990<br /> usb_generic_driver_probe+0x4b/0x70<br /> usb_probe_device+0x36/0xd0<br /> <br /> The cause of this error is that the device has two interfaces, and the<br /> hub driver binds to interface 1 instead of interface 0, which is where<br /> usb_hub_to_struct_hub() looks.<br /> <br /> We can prevent the problem from occurring by refusing to accept hub<br /> devices that violate the USB spec by having more than one<br /> configuration or interface.