Linux Kernel USB Gadget Function Race Condition Vulnerability Leading to Null Pointer Dereference

Vulnerability

A race condition has been identified in the Linux kernel's USB gadget subsystem, specifically in the 'f_fs' (FunctionFS) function driver. The issue arises when 'ffs_func_eps_enable' runs concurrently with 'ffs_data_reset'. 'ffs_data_clear', which 'ffs_data_reset' calls, sets the 'epfiles' pointer to NULL before it resets 'eps_count', so for a short window 'eps_count' is still non-zero while 'epfiles' is already NULL. If 'ffs_func_eps_enable' reads the state during that window, it iterates over the stale endpoint count and dereferences a NULL 'epfile' when it writes 'epfile->ep' after 'usb_ep_enable' has succeeded. The vulnerability is present in the Linux kernel stable tree and affects several versions and ranges.

Impact

Exploitation of this vulnerability causes a NULL pointer dereference in the kernel, which crashes the system or otherwise denies service by interrupting normal operation of the USB gadget function.

Reproduction

To reproduce this vulnerability, enable a USB gadget function that uses the 'f_fs' function file. While 'ffs_func_eps_enable' is running, initiate a 'ffs_data_reset' operation. The race causes 'ffs_data_clear' to set 'epfiles' to NULL before 'eps_count' is reset, and 'ffs_func_eps_enable' then dereferences the NULL 'epfile' when it attempts to update it after 'usb_ep_enable' has been called.

Remediation

The vulnerability has been addressed by adding NULL pointer handling for 'epfiles' in the 'ffs_func_eps_enable' function, so the endpoint file is no longer written when the pointer has already been cleared. Users should update to a Linux kernel version in which this fix has been applied.
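The interleaving described in the Vulnerability, Reproduction and Remediation sections, as an added user-space model (not kernel code and not the project's own fix): the structs keep only the fields the race touches, 'ffs_data_clear' is split into its two steps so the window between them can be inspected, and 'usb_ep_enable' is replaced by a stand-in that always succeeds. The vulnerable loop shape sits beside a hardened one that tests the 'epfile' pointer before each write, which is the kind of NULL handling the remediation describes.

```c
#include <stddef.h>

/* User-space model of the f_fs race, not kernel code: structs are reduced
 * to the fields the race touches; usb_ep_enable() is a stand-in. */
struct ffs_ep { int enabled; };
struct ffs_epfile { struct ffs_ep *ep; };
struct ffs_data { struct ffs_epfile *epfiles; unsigned eps_count; };

static int model_usb_ep_enable(struct ffs_ep *ep) { ep->enabled = 1; return 0; }

/* ffs_data_clear() split into its two steps so the window between them
 * can be examined: epfiles is dropped first, eps_count is reset second. */
static void model_clear_epfiles(struct ffs_data *ffs) { ffs->epfiles = NULL; }
static void model_reset_eps_count(struct ffs_data *ffs) { ffs->eps_count = 0; }

/* True while a concurrent eps_enable would read eps_count != 0 together
 * with epfiles == NULL, i.e. the state the advisory describes. */
static int in_reset_window(const struct ffs_data *ffs)
{
    return ffs->epfiles == NULL && ffs->eps_count != 0;
}

/* Vulnerable shape: epfile is written unconditionally after a successful
 * enable, so calling this inside the window dereferences NULL. */
static int eps_enable_unchecked(struct ffs_data *ffs, struct ffs_ep *eps)
{
    struct ffs_epfile *epfile = ffs->epfiles;
    for (unsigned count = ffs->eps_count; count; --count, ++eps, ++epfile) {
        if (model_usb_ep_enable(eps) != 0)
            return -1;
        epfile->ep = eps;                   /* crashes when epfiles == NULL */
    }
    return 0;
}

/* Hardened shape: epfile is tested before each write. *bound reports how
 * many endpoint files were bound (0 when reset raced us); eps stay enabled. */
static int eps_enable_checked(struct ffs_data *ffs, struct ffs_ep *eps, unsigned *bound)
{
    struct ffs_epfile *epfile = ffs->epfiles;
    *bound = 0;
    for (unsigned count = ffs->eps_count; count; --count, ++eps) {
        if (model_usb_ep_enable(eps) != 0)
            return -1;
        if (epfile) { epfile->ep = eps; ++epfile; ++*bound; }   /* no deref of NULL */
    }
    return 0;
}
```

Calling eps_enable_unchecked() once model_clear_epfiles() has run but before model_reset_eps_count() reproduces the crash in the model; eps_enable_checked() in the same state returns cleanly with *bound == 0.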

Added: Dec 8, 2025, 1:29 AM
Updated: Dec 8, 2025, 1:29 AM

Vulnerability Rating

Custom Algorithm
  spread          9.0
  impact          2.5
  exploitability  3.9
  remediation     7.7
  relevance       1.4
  threat          4.8
  urgency         2.9
  incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.