In the Linux kernel, the following vulnerability has been resolved:
usb: chipidea: udc: fix DMA and SG cleanup in _ep_nuke()
The ChipIdea UDC driver can encounter "not page aligned sg buffer"
errors when a USB device is reconnected after being disconnected
during an active transfer. This occurs because _ep_nuke() returns
requests to the gadget layer without properly unmapping DMA buffers
or cleaning up scatter-gather bounce buffers.
Root cause:
When a disconnect happens during a multi-segment DMA transfer, the
request's num_mapped_sgs field and sgt.sgl pointer remain set with
stale values. The request is returned to the gadget driver with status
-ESHUTDOWN but still has active DMA state. If the gadget driver reuses
this request on reconnect without reinitializing it, the stale DMA
state causes _hardware_enqueue() to skip DMA mapping (seeing non-zero
num_mapped_sgs) and attempt to use freed/invalid DMA addresses,
leading to alignment errors and potential memory corruption.
The normal completion path via _hardware_dequeue() properly calls
usb_gadget_unmap_request_by_dev() and sglist_do_debounce() before
returning the request. The _ep_nuke() path must do the same cleanup
to ensure requests are returned in a clean, reusable state.
Fix:
Add DMA unmapping and bounce buffer cleanup to _ep_nuke() to mirror
the cleanup sequence in _hardware_dequeue():
- Call usb_gadget_unmap_request_by_dev() if num_mapped_sgs is set
- Call sglist_do_debounce() with copy=false if bounce buffer exists
This ensures that when requests are returned due to endpoint shutdown,
they don't retain stale DMA mappings. The 'false' parameter to
sglist_do_debounce() prevents copying data back (appropriate for
shutdown path where transfer was aborted).
A memory corruption vulnerability in the Linux kernel's ChipIdea USB Device Controller driver can occur when USB devices are reconnected after disconnection during active transfers. The vulnerability stems from improper cleanup of DMA buffers and scatter-gather bounce buffers in the _ep_nuke() function, potentially leading to use-after-free conditions and memory corruption. This affects systems using ChipIdea UDC controllers, particularly embedded and IoT devices common in Saudi infrastructure.
Immediate Actions:
1. Identify systems running Linux kernel with ChipIdea UDC driver (check: grep -r 'chipidea' /sys/devices or lsmod | grep ci_hdrc)
2. Determine kernel version: uname -r
3. Check if affected: versions prior to the patched release
Patching Guidance:
1. Apply Linux kernel security update containing the ChipIdea UDC fix to _ep_nuke() function
2. For RHEL/CentOS: yum update kernel
3. For Ubuntu/Debian: apt update && apt upgrade linux-image
4. For embedded systems: contact device manufacturer for firmware update
5. Test USB device reconnection scenarios after patching
Compensating Controls (if immediate patching unavailable):
1. Disable USB device hot-plugging where operationally feasible
2. Implement strict USB device whitelist policies
3. Monitor system logs for USB-related errors: journalctl -u kernel | grep -i usb
4. Restrict USB port access to authorized personnel only
5. Implement network segmentation for devices with ChipIdea controllers
Detection Rules:
1. Monitor for kernel messages: 'not page aligned sg buffer' errors
2. Alert on repeated USB device connection/disconnection cycles
3. Track memory corruption indicators: kernel panics, segmentation faults
4. Monitor dmesg for: 'usb.*disconnect' followed by 'usb.*connect' within short timeframe
5. Implement IDS signatures for abnormal USB traffic patterns
الإجراءات الفورية:
1. تحديد الأنظمة التي تعمل بنواة Linux مع برنامج تشغيل ChipIdea UDC (تحقق: grep -r 'chipidea' /sys/devices أو lsmod | grep ci_hdrc)
2. تحديد إصدار النواة: uname -r
3. التحقق من التأثر: الإصدارات السابقة للإصدار المصحح
إرشادات التصحيح:
1. تطبيق تحديث أمان نواة Linux يحتوي على إصلاح ChipIdea UDC لدالة _ep_nuke()
2. لـ RHEL/CentOS: yum update kernel
3. لـ Ubuntu/Debian: apt update && apt upgrade linux-image
4. للأنظمة المدمجة: اتصل بمصنع الجهاز للحصول على تحديث البرنامج الثابت
5. اختبر سيناريوهات إعادة توصيل جهاز USB بعد التصحيح
الضوابط البديلة (إذا لم يكن التصحيح الفوري متاحاً):
1. تعطيل الإدراج الساخن لجهاز USB حيث يكون ممكناً من الناحية التشغيلية
2. تنفيذ سياسات قائمة بيضاء صارمة لأجهزة USB
3. مراقبة سجلات النظام للأخطاء المتعلقة بـ USB: journalctl -u kernel | grep -i usb
4. تقييد الوصول إلى منافذ USB للموظفين المصرح لهم فقط
5. تنفيذ تقسيم الشبكة للأجهزة التي تحتوي على وحدات تحكم ChipIdea
قواعد الكشف:
1. مراقبة رسائل النواة: أخطاء 'not page aligned sg buffer'
2. تنبيه على دورات اتصال/قطع اتصال جهاز USB المتكررة
3. تتبع مؤشرات تلف الذاكرة: توقف النواة، أخطاء التقسيم
4. مراقبة dmesg لـ: 'usb.*disconnect' متبوعاً بـ 'usb.*connect' في إطار زمني قصير
5. تنفيذ توقيعات IDS لأنماط حركة USB غير الطبيعية