CVE-2022-50704
Severity:
Pending analysis
Type:
Not available / Other
Publication date:
24/12/2025
Last modified:
29/12/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

USB: gadget: Fix use-after-free during usb config switch

In the process of switching USB config from rndis to other config,
if the hardware does not support the ->pullup callback, or the
hardware encounters a low probability fault, both of them may cause
the ->pullup callback to fail, which will then cause a system panic
(use after free).

The gadget drivers sometimes need to be unloaded regardless of the
hardware's behavior.

Analysis as follows:
=======================================================================
(1) write /config/usb_gadget/g1/UDC "none"

gether_disconnect+0x2c/0x1f8
rndis_disable+0x4c/0x74
composite_disconnect+0x74/0xb0
configfs_composite_disconnect+0x60/0x7c
usb_gadget_disconnect+0x70/0x124
usb_gadget_unregister_driver+0xc8/0x1d8
gadget_dev_desc_UDC_store+0xec/0x1e4

(2) rm /config/usb_gadget/g1/configs/b.1/f1

rndis_deregister+0x28/0x54
rndis_free+0x44/0x7c
usb_put_function+0x14/0x1c
config_usb_cfg_unlink+0xc4/0xe0
configfs_unlink+0x124/0x1c8
vfs_unlink+0x114/0x1dc

(3) rmdir /config/usb_gadget/g1/functions/rndis.gs4

panic+0x1fc/0x3d0
do_page_fault+0xa8/0x46c
do_mem_abort+0x3c/0xac
el1_sync_handler+0x40/0x78
0xffffff801138f880
rndis_close+0x28/0x34
eth_stop+0x74/0x110
dev_close_many+0x48/0x194
rollback_registered_many+0x118/0x814
unregister_netdev+0x20/0x30
gether_cleanup+0x1c/0x38
rndis_attr_release+0xc/0x14
kref_put+0x74/0xb8
configfs_rmdir+0x314/0x374

If gadget->ops->pullup() returns an error, function rndis_close() will be
called, which then causes a use-after-free problem.
=======================================================================
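As an added illustration, not the kernel's code and not the actual patch, the following user-space C model replays the three steps of the analysis above. The structure names (rndis_func, eth_dev, gadget), the helper functions and the hardened ordering are assumptions that only encode the commit message's point: the driver side must be disconnected regardless of how the hardware's ->pullup behaves, otherwise the netdev still points at the function object after it is freed.

```c
#include <stdbool.h>
#include <stddef.h>

/* Assumed, simplified user-space model; not the kernel's own structures. */
struct rndis_func { bool freed; int close_calls; };  /* rndis function instance */
struct eth_dev    { struct rndis_func *port_usb; };  /* gether side of the netdev */
struct gadget     { bool pullup_fails, connected; struct eth_dev *dev; };
/* -1 models a missing or failing ->pullup callback. */
static int pullup(struct gadget *g, int on) { (void)on; return g->pullup_fails ? -1 : 0; }
/* composite_disconnect -> rndis_disable -> gether_disconnect: detach the netdev from the function. */
static void driver_disconnect(struct gadget *g) { g->dev->port_usb = NULL; }

/* Vulnerable ordering: a pullup error returns before the driver is disconnected. */
static int gadget_disconnect_vuln(struct gadget *g)
{
    int ret = pullup(g, 0);
    if (ret) return ret;            /* early exit: gether_disconnect() never runs */
    g->connected = false;
    driver_disconnect(g);
    return 0;
}

/* Hardened ordering (assumed): the hardware error is still reported, but the driver is always disconnected. */
static int gadget_disconnect_fixed(struct gadget *g)
{
    int ret = pullup(g, 0);
    if (!ret) g->connected = false; /* record hardware state only on success */
    driver_disconnect(g);           /* unload regardless of the hardware's behaviour */
    return ret;
}

/* gether_cleanup -> unregister_netdev -> eth_stop -> port_usb->close(); returns 1 on use-after-free. */
static int eth_stop(struct eth_dev *dev)
{
    if (!dev->port_usb) return 0;        /* detached in step (1): nothing to close */
    if (dev->port_usb->freed) return 1;  /* rndis_close() on memory freed in step (2) */
    dev->port_usb->close_calls++;
    return 0;
}

/* Replays steps (1)..(3) of the analysis; returns 1 if step (3) touches freed memory. */
int config_switch(bool pullup_fails, bool fixed)
{
    struct rndis_func f = { false, 0 };
    struct eth_dev dev = { &f };
    struct gadget g = { pullup_fails, true, &dev };
    if (fixed) gadget_disconnect_fixed(&g); else gadget_disconnect_vuln(&g);  /* (1) UDC "none" */
    f.freed = true;                                                          /* (2) rm f1 -> rndis_free */
    return eth_stop(&dev);                                                   /* (3) rmdir rndis.gs4 */
}
```

The "freed" flag stands in for memory the kernel would really have released, so the model reports the dangling dereference instead of crashing.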