CVE-2025-38558
Severity CVSS v4.0:
Pending analysis
Type:
CWE-476
NULL Pointer Dereference
Publication date:
19/08/2025
Last modified:
28/11/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

usb: gadget: uvc: Initialize frame-based format color matching descriptor

Fix NULL pointer crash in uvcg_framebased_make due to uninitialized color
matching descriptor for frame-based format which was added in
commit f5e7bdd34aca ("usb: gadget: uvc: Allow creating new color matching
descriptors") that added handling for uncompressed and mjpeg format.

Crash is seen when userspace configuration (via configfs) does not
explicitly define the color matching descriptor. If color_matching is not
found, config_group_find_item() returns NULL. The code then jumps to
out_put_cm, where it calls config_item_put(color_matching);. If
color_matching is NULL, this will dereference a null pointer, leading to a
crash.

[ 2.746440] Unable to handle kernel NULL pointer dereference at virtual address 000000000000008c
[ 2.756273] Mem abort info:
[ 2.760080] ESR = 0x0000000096000005
[ 2.764872] EC = 0x25: DABT (current EL), IL = 32 bits
[ 2.771068] SET = 0, FnV = 0
[ 2.771069] EA = 0, S1PTW = 0
[ 2.771070] FSC = 0x05: level 1 translation fault
[ 2.771071] Data abort info:
[ 2.771072] ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000
[ 2.771073] CM = 0, WnR = 0, TnD = 0, TagAccess = 0
[ 2.771074] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[ 2.771075] user pgtable: 4k pages, 39-bit VAs, pgdp=00000000a3e59000
[ 2.771077] [000000000000008c] pgd=0000000000000000, p4d=0000000000000000, pud=0000000000000000
[ 2.771081] Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP
[ 2.771084] Dumping ftrace buffer:
[ 2.771085] (ftrace buffer empty)
[ 2.771138] CPU: 7 PID: 486 Comm: ln Tainted: G W E 6.6.58-android15
[ 2.771139] Hardware name: Qualcomm Technologies, Inc. SunP QRD HDK (DT)
[ 2.771140] pstate: 61400005 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)
[ 2.771141] pc : __uvcg_fill_strm+0x198/0x2cc
[ 2.771145] lr : __uvcg_iter_strm_cls+0xc8/0x17c
[ 2.771146] sp : ffffffc08140bbb0
[ 2.771146] x29: ffffffc08140bbb0 x28: ffffff803bc81380 x27: ffffff8023bbd250
[ 2.771147] x26: ffffff8023bbd250 x25: ffffff803c361348 x24: ffffff803d8e6768
[ 2.771148] x23: 0000000000000004 x22: 0000000000000003 x21: ffffffc08140bc48
[ 2.771149] x20: 0000000000000000 x19: ffffffc08140bc48 x18: ffffffe9f8cf4a00
[ 2.771150] x17: 000000001bf64ec3 x16: 000000001bf64ec3 x15: ffffff8023bbd250
[ 2.771151] x14: 000000000000000f x13: 004c4b40000f4240 x12: 000a2c2a00051615
[ 2.771152] x11: 000000000000004f x10: ffffffe9f76b40ec x9 : ffffffe9f7e389d0
[ 2.771153] x8 : ffffff803d0d31ce x7 : 000f4240000a2c2a x6 : 0005161500028b0a
[ 2.771154] x5 : ffffff803d0d31ce x4 : 0000000000000003 x3 : 0000000000000000
[ 2.771155] x2 : ffffffc08140bc50 x1 : ffffffc08140bc48 x0 : 0000000000000000
[ 2.771156] Call trace:
[ 2.771157] __uvcg_fill_strm+0x198/0x2cc
[ 2.771157] __uvcg_iter_strm_cls+0xc8/0x17c
[ 2.771158] uvcg_streaming_class_allow_link+0x240/0x290
[ 2.771159] configfs_symlink+0x1f8/0x630
[ 2.771161] vfs_symlink+0x114/0x1a0
[ 2.771163] do_symlinkat+0x94/0x28c
[ 2.771164] __arm64_sys_symlinkat+0x54/0x70
[ 2.771164] invoke_syscall+0x58/0x114
[ 2.771166] el0_svc_common+0x80/0xe0
[ 2.771168] do_el0_svc+0x1c/0x28
[ 2.771169] el0_svc+0x3c/0x70
[ 2.771172] el0t_64_sync_handler+0x68/0xbc
[ 2.771173] el0t_64_sync+0x1a8/0x1ac

Initialize color matching descriptor for frame-based format to prevent
NULL pointer crash by mirroring the handling done for uncompressed and
mjpeg formats.
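The failure pattern the description above explains (a lookup that returns NULL, an error path that jumps to a cleanup label, and an unconditional put on the NULL pointer) and the fix it describes (creating the format with a default color matching descriptor, as the uncompressed and mjpeg formats already did) can be modelled in a few dozen lines of plain C. The block below is an added, self-contained example; it is not the kernel's code. The structs `item` and `group`, the functions `group_find_item()`, `item_put()`, `fill_stream()`, `fill_stream_guarded()` and the two `framebased_make_*()` variants are hypothetical stand-ins for the configfs and uvc gadget functions named in the advisory, and the kernel Oops is replaced by a counter so the program runs to completion.

```c
/* Hypothetical, simplified model of the bug in CVE-2025-38558.
 * NOT the Linux kernel's code: every name below is a stand-in for the
 * configfs items and uvc gadget functions the advisory mentions. */
#include <stdio.h>
#include <string.h>

#define ENOENT_SIM 2        /* stand-in for -ENOENT */
#define MAX_CHILDREN 4

struct item {               /* a configfs-like item (e.g. a color matching descriptor) */
    const char *name;
    int refcount;
};

struct group {              /* a configfs-like group: one format and its child items */
    struct item *children[MAX_CHILDREN];
    int nchildren;
};

/* The kernel would Oops here; the model just counts so tests can observe it. */
static int simulated_null_derefs = 0;

/* Models config_group_find_item(): returns a referenced child, or NULL. */
static struct item *group_find_item(struct group *g, const char *name)
{
    for (int i = 0; i < g->nchildren; i++) {
        if (strcmp(g->children[i]->name, name) == 0) {
            g->children[i]->refcount++;
            return g->children[i];
        }
    }
    return NULL;
}

/* Models config_item_put(): touches the item unconditionally, so a NULL
 * argument is exactly the dereference reported in the crash log. */
static void item_put(struct item *it)
{
    if (it == NULL) {
        simulated_null_derefs++;    /* kernel: fault at a small offset from 0 */
        return;
    }
    it->refcount--;
}

static int group_add_child(struct group *g, struct item *child)
{
    if (g->nchildren >= MAX_CHILDREN)
        return -1;
    g->children[g->nchildren++] = child;
    return 0;
}

/* Models the error path described for __uvcg_fill_strm(): a missing
 * descriptor jumps to a label that puts the (possibly NULL) item. This
 * function is the same in both scenarios; only format creation differs. */
static int fill_stream(struct group *format)
{
    int ret = 0;
    struct item *color_matching = group_find_item(format, "color_matching");
    if (!color_matching) {
        ret = -ENOENT_SIM;
        goto out_put_cm;            /* reaches item_put() with NULL */
    }
    /* ... descriptor bytes would be copied into the stream buffer here ... */
out_put_cm:
    item_put(color_matching);
    return ret;
}

/* Defensive variant of the error path: return before the put when the
 * lookup failed. A second line of defence, not the advisory's fix. */
static int fill_stream_guarded(struct group *format)
{
    struct item *color_matching = group_find_item(format, "color_matching");
    if (!color_matching)
        return -ENOENT_SIM;
    /* ... use the descriptor ... */
    item_put(color_matching);
    return 0;
}

static struct item default_color_matching = { "color_matching", 1 };

/* Unfixed: the frame-based format starts with no color matching child, so a
 * configfs tree that never defines one leaves nothing for fill_stream() to find. */
static void framebased_make_unfixed(struct group *format)
{
    memset(format, 0, sizeof(*format));
}

/* Fixed, mirroring uncompressed/mjpeg: attach a default descriptor at creation. */
static void framebased_make_fixed(struct group *format)
{
    memset(format, 0, sizeof(*format));
    group_add_child(format, &default_color_matching);
}

/* Number of simulated NULL dereferences caused by one fill on a fresh format. */
static int run_scenario(void (*make)(struct group *), int (*fill)(struct group *))
{
    struct group format;
    int before = simulated_null_derefs;
    make(&format);
    fill(&format);
    return simulated_null_derefs - before;
}

int main(void)
{
    printf("unfixed make + original fill: %d null deref(s)\n",
           run_scenario(framebased_make_unfixed, fill_stream));
    printf("fixed make   + original fill: %d null deref(s)\n",
           run_scenario(framebased_make_fixed, fill_stream));
    printf("unfixed make + guarded fill : %d null deref(s)\n",
           run_scenario(framebased_make_unfixed, fill_stream_guarded));
    return 0;
}
```

The first scenario reproduces the advisory's path (unfixed creation, original error path) and records one simulated dereference; the second shows that initialising the descriptor at creation time, as the fix does, removes the crash without touching the fill routine; the third shows the independent hardening of keeping a put-style cleanup label unreachable with a NULL reference, which is the review check worth applying to any goto-cleanup function that puts a looked-up item.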
Impact
Base Score 3.x
5.50
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.13 (including) | 6.15.10 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.16 (including) | 6.16.1 (excluding) |
To consult the complete list of CPE names with products and versions, see this page