ghsa-cx6c-r38j-fxp8
Vulnerability from github
In the Linux kernel, the following vulnerability has been resolved:
usbnet: Run unregister_netdev() before unbind() again
Commit 2c9d6c2b871d ("usbnet: run unbind() before unregister_netdev()") sought to fix a use-after-free on disconnect of USB Ethernet adapters.
It turns out that a different fix is necessary to address the issue: https://lore.kernel.org/netdev/18b3541e5372bc9b9fc733d422f4e698c089077c.1650177997.git.lukas@wunner.de/
So the commit was not necessary.
The commit made binding and unbinding of USB Ethernet asymmetrical: Before, usbnet_probe() first invoked the ->bind() callback and then register_netdev(). usbnet_disconnect() mirrored that by first invoking unregister_netdev() and then ->unbind().
Since the commit, the order in usbnet_disconnect() is reversed and no longer mirrors usbnet_probe().
One consequence is that a PHY disconnected (and stopped) in ->unbind() is afterwards stopped once more by unregister_netdev() as it closes the netdev before unregistering. That necessitates a contortion in ->stop() because the PHY may only be stopped if it hasn't already been disconnected.
Reverting the commit allows making the call to phy_stop() unconditional in ->stop().
{ "affected": [], "aliases": [ "CVE-2022-49501" ], "database_specific": { "cwe_ids": [ "CWE-416" ], "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2025-02-26T07:01:26Z", "severity": "HIGH" }, "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nusbnet: Run unregister_netdev() before unbind() again\n\nCommit 2c9d6c2b871d (\"usbnet: run unbind() before unregister_netdev()\")\nsought to fix a use-after-free on disconnect of USB Ethernet adapters.\n\nIt turns out that a different fix is necessary to address the issue:\nhttps://lore.kernel.org/netdev/18b3541e5372bc9b9fc733d422f4e698c089077c.1650177997.git.lukas@wunner.de/\n\nSo the commit was not necessary.\n\nThe commit made binding and unbinding of USB Ethernet asymmetrical:\nBefore, usbnet_probe() first invoked the -\u003ebind() callback and then\nregister_netdev(). usbnet_disconnect() mirrored that by first invoking\nunregister_netdev() and then -\u003eunbind().\n\nSince the commit, the order in usbnet_disconnect() is reversed and no\nlonger mirrors usbnet_probe().\n\nOne consequence is that a PHY disconnected (and stopped) in -\u003eunbind()\nis afterwards stopped once more by unregister_netdev() as it closes the\nnetdev before unregistering. That necessitates a contortion in -\u003estop()\nbecause the PHY may only be stopped if it hasn\u0027t already been\ndisconnected.\n\nReverting the commit allows making the call to phy_stop() unconditional\nin -\u003estop().", "id": "GHSA-cx6c-r38j-fxp8", "modified": "2025-02-27T21:32:14Z", "published": "2025-02-27T21:32:14Z", "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49501" }, { "type": "WEB", "url": "https://git.kernel.org/stable/c/6d5deb242874d924beccf7eb3cef04c1c3b0da79" }, { "type": "WEB", "url": "https://git.kernel.org/stable/c/969a1b3ea3cb7d58a16fe12fd1b04bfc0ea40509" }, { "type": "WEB", "url": "https://git.kernel.org/stable/c/d1408f6b4dd78fb1b9e26bcf64477984e5f85409" }, { "type": "WEB", "url": "https://git.kernel.org/stable/c/fbda837107f9bd4ec658d2aa88c6856dba606f06" } ], "schema_version": "1.4.0", "severity": [ { "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "type": "CVSS_V3" } ] }
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.