Linux Kernel USB Gadget Function f_ncm Lifecycle Management Vulnerability

Vulnerability

A vulnerability exists in the Linux kernel's USB gadget function for Network Control Model (NCM). The issue arises because the network device's lifecycle is not aligned with the USB connection's bind and unbind events. In the affected code, the network interface is created when a configuration instance is allocated and deleted when the instance is freed. When the USB gadget is disconnected, the network device may therefore still be active and still reference a now-freed gadget device. This can result in dangling sysfs links and NULL pointer dereferences as the system tries to access the released gadget device.

The vulnerability has been addressed by tying allocation and deallocation of the network device to the USB connection's state, so that the network interface only exists while the gadget function is actively bound to a configuration. Additionally, user-provided options can now be cached and applied to the network device upon creation.

Impact

The vulnerability can lead to a NULL pointer dereference when the USB gadget is disconnected, causing a kernel crash. It also creates dangling symlinks in sysfs, which can confuse users and scripts that rely on accurate device information.

Reproduction

To reproduce this vulnerability, create a USB gadget function using the NCM protocol and bind it to a configuration. After the function is bound, unbind it and disconnect the USB gadget. The network device may still be active, leading to a NULL pointer dereference when the system tries to access the freed gadget device. This can be observed by checking sysfs for the network device, which will show a dangling symlink that points to a non-existent location.
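The sysfs observation above can be turned into a check. The script below is an added example, not code from the kernel or from this advisory: it reports symlinks under class/net whose target no longer exists. The page does not say which link dangles, so checking both the interface entry and its `device` link is an assumption, and the sample tree and the names in it (`ncm0`, `gadget_demo`) are constructed.

```shell
#!/bin/sh
# Added example: report dangling symlinks under <sysfs-root>/class/net.
# Assumption: both the interface entry and its "device" link are checked,
# because the advisory does not name the link that is left behind.

# Print "<link> -> <target>" for each dangling link; print nothing if clean.
find_dangling_net_links() {
    root=${1:-/sys}
    for entry in "$root"/class/net/*; do
        for link in "$entry" "$entry/device"; do
            # -L: the path is a symlink; ! -e: its target does not resolve
            if [ -L "$link" ] && [ ! -e "$link" ]; then
                printf '%s -> %s\n' "$link" "$(readlink "$link")"
            fi
        done
    done
    return 0
}

# Build a constructed sysfs-like tree for offline testing:
#   eth0 is healthy; ncm0 points into a gadget directory that was removed.
make_sample_sysfs() {
    dir=$(mktemp -d) || return 1
    mkdir -p "$dir/class/net" \
             "$dir/devices/pci0/net/eth0" \
             "$dir/devices/gadget_demo/net/ncm0"
    ln -s ../../devices/pci0/net/eth0 "$dir/class/net/eth0"
    ln -s ../../../pci0 "$dir/devices/pci0/net/eth0/device"
    ln -s ../../devices/gadget_demo/net/ncm0 "$dir/class/net/ncm0"
    # Simulate the gadget device going away while the class link remains.
    rm -rf "$dir/devices/gadget_demo"
    printf '%s\n' "$dir"
}
```

Calling `find_dangling_net_links` with no argument scans the live `/sys`; empty output means no interface entry points at a missing device.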

Remediation

The vulnerability has been fixed in the Linux kernel. Users should upgrade to the latest version where this issue has been addressed.

Added: Mar 25, 2026, 12:46 PM
Updated: Mar 25, 2026, 12:46 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 3.1
exploitability: 4.3
remediation: 7.7
relevance: 4.7
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.