cve/2025/CVE-2025-22023.md
2025-09-29 21:09:30 +02:00

CVE-2025-22023

Description

In the Linux kernel, the following vulnerability has been resolved:

usb: xhci: Don't skip on Stopped - Length Invalid

Up until commit d56b0b2ab142 ("usb: xhci: ensure skipped isoc TDs are returned when isoc ring is stopped") in v6.11, the driver didn't skip missed isochronous TDs when handling Stopped and Stopped - Length Invalid events. Instead, it erroneously cleared the skip flag, which would cause the ring to get stuck, as future events won't match the missed TD, which is never removed from the queue until it's cancelled.

This buggy logic seems to have been in place substantially unchanged since the 3.x series over 10 years ago, which probably speaks first and foremost about the relative rarity of this case in normal usage, but by the spec I see no reason why it shouldn't be possible.

After d56b0b2ab142, TDs are immediately skipped when handling those Stopped events. This poses a potential problem in the case of Stopped - Length Invalid, which occurs either on completed TDs (likely already given back) or on Link and No-Op TRBs. Such an event won't be recognized as matching any TD (unless it's the rare Link TRB inside a TD) and will result in skipping all pending TDs, giving them back possibly before they are done, risking isoc data loss and maybe UAF by HW.

As a compromise, don't skip and don't clear the skip flag on this kind of event. Then the next event will skip missed TDs. A downside of not handling Stopped - Length Invalid on a Link inside a TD is that if the TD is cancelled, its actual length will not be updated to account for TRBs (silently) completed before the TD was stopped.

I had no luck producing this sequence of completion events, so there is no compelling demonstration of any resulting disaster. It may be a very rare, obscure condition. The sole motivation for this patch is that if such an unlikely event does occur, I'd rather risk reporting a cancelled, partially done isoc frame as empty than gamble with UAF.

This will be fixed more properly by looking at the Stopped event's TRB pointer when making skipping decisions, but such a rework is unlikely to be backported to v6.12, which will stay around for a few years.
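The three behaviours the commit message contrasts (the pre-v6.11 "clear the flag, skip nothing" bug, the d56b0b2ab142 "skip everything on any Stopped event" logic, and this fix's "neither skip nor clear on Stopped - Length Invalid") can be seen side by side in a small model of the isoc ring. The block below is an added illustration written for this page; it is not the xhci driver's code and the struct, function and policy names are invented for the model. It assumes a ring of pending TDs in order, a skip flag that is already set (in the real driver an earlier Missed Service event sets it; here it is simply preset), and a Stopped - Length Invalid event whose TRB matches no pending TD, which the commit message says is the usual case.

```c
#include <stdbool.h>
#include <stdio.h>

/* Completion codes the model cares about (names chosen for the model). */
enum comp { COMP_STOPPED, COMP_STOPPED_LENGTH_INVALID, COMP_SUCCESS };

/* The three driver behaviours described in the commit message. */
enum policy {
    POLICY_PRE_D56B0B2,   /* before v6.11: clear the skip flag, skip nothing */
    POLICY_D56B0B2,       /* d56b0b2ab142: skip unmatched TDs on any Stopped */
    POLICY_FIXED          /* this fix: no skip, no clear on Length Invalid */
};

#define NO_TD   (-1)      /* event matches no pending TD */
#define MAX_TDS 8

struct td {
    int  id;
    bool hw_done;         /* hardware is finished with the TD's buffers */
};

struct ring {
    struct td tds[MAX_TDS];   /* pending TDs in queue order */
    int  head, count;
    bool skip;                /* "missed TDs sit ahead of the next event" */
    int  given_back;          /* TDs returned to the submitter */
    int  premature;           /* ...of which hardware had not finished */
};

struct event { enum comp code; int td_id; };

static void giveback_head(struct ring *r)
{
    if (!r->tds[r->head].hw_done)
        r->premature++;       /* URB completes while HW may still use it */
    r->given_back++;
    r->head++;
    r->count--;
}

/* Give back pending TDs up to the one matching td_id (all, if none matches). */
static void skip_to(struct ring *r, int td_id)
{
    while (r->count > 0 && r->tds[r->head].id != td_id)
        giveback_head(r);
}

/* Returns true if the event completed the TD at the head of the queue. */
static bool handle_event(struct ring *r, struct event ev, enum policy pol)
{
    bool stopped = ev.code == COMP_STOPPED ||
                   ev.code == COMP_STOPPED_LENGTH_INVALID;

    if (r->skip && stopped) {
        if (pol == POLICY_PRE_D56B0B2) {
            r->skip = false;  /* the old bug: forget the missed TDs */
            return false;
        }
        if (pol == POLICY_FIXED && ev.code == COMP_STOPPED_LENGTH_INVALID)
            return false;     /* leave skip set; the next event skips */
        skip_to(r, ev.td_id); /* NO_TD: every pending TD is given back */
        r->skip = false;
        return false;
    }
    if (r->skip) {
        skip_to(r, ev.td_id); /* normal path: skip missed TDs, then match */
        r->skip = false;
    }
    if (r->count > 0 && r->tds[r->head].id == ev.td_id &&
        ev.code == COMP_SUCCESS) {
        r->tds[r->head].hw_done = true;   /* a completion event proves it */
        giveback_head(r);
        return true;
    }
    return false;             /* no pending TD matches: event is dropped */
}

struct outcome { int given_back, premature, pending; bool stuck; };

/*
 * Constructed scenario: TDs 1, 2, 3 are pending. Hardware passed TD 1 but the
 * driver missed its event (skip flag set); TDs 2 and 3 are still in flight.
 * A Stopped - Length Invalid event matching nothing arrives, followed by the
 * ordinary completion of TD 2.
 */
static struct outcome run_scenario(enum policy pol)
{
    struct ring r = { .tds = { {1, true}, {2, false}, {3, false} },
                      .head = 0, .count = 3, .skip = true };
    struct event stopped_li = { COMP_STOPPED_LENGTH_INVALID, NO_TD };
    struct event done2      = { COMP_SUCCESS, 2 };

    handle_event(&r, stopped_li, pol);
    bool matched = handle_event(&r, done2, pol);
    /* Stuck: TD 2's own completion could not be delivered because the
       missed TD 1 still sits at the head of the queue. */
    bool stuck = !matched && r.count > 0 && r.tds[r.head].id == 1;
    return (struct outcome){ r.given_back, r.premature, r.count, stuck };
}

int main(void)
{
    const char *names[] = { "pre-d56b0b2ab142", "d56b0b2ab142", "fixed" };
    for (int p = POLICY_PRE_D56B0B2; p <= POLICY_FIXED; p++) {
        struct outcome o = run_scenario((enum policy)p);
        printf("%-17s given_back=%d premature=%d pending=%d stuck=%s\n",
               names[p], o.given_back, o.premature, o.pending,
               o.stuck ? "yes" : "no");
    }
    return 0;
}
```

In the model the old code leaves the ring stuck with all three TDs pending, d56b0b2ab142 returns all three on the unmatched Stopped - Length Invalid event (two of them while hardware may still own their buffers, the data-loss/UAF risk the message describes), and the fixed policy ignores that event, so the following completion skips TD 1 and returns TD 2 normally while TD 3 stays queued.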

POC

Reference

No PoCs from references.

Github