{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2024-56670","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2024-12-27T15:00:39.844Z","datePublished":"2024-12-27T15:06:31.611Z","dateUpdated":"2025-11-03T20:52:17.369Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2025-05-04T10:01:40.207Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: u_serial: Fix the issue that gs_start_io crashed due to accessing null pointer\n\nConsidering that in some extreme cases,\nwhen u_serial driver is accessed by multiple threads,\nThread A is executing the open operation and calling the gs_open,\nThread B is executing the disconnect operation and calling the\ngserial_disconnect function,The port->port_usb pointer will be set to NULL.\n\nE.g.\n    Thread A                                 Thread B\n    gs_open()                                gadget_unbind_driver()\n    gs_start_io()                            composite_disconnect()\n    gs_start_rx()                            gserial_disconnect()\n    ...                                      ...\n    spin_unlock(&port->port_lock)\n    status = usb_ep_queue()                  spin_lock(&port->port_lock)\n    spin_lock(&port->port_lock)              port->port_usb = NULL\n    gs_free_requests(port->port_usb->in)     spin_unlock(&port->port_lock)\n    Crash\n\nThis causes thread A to access a null pointer (port->port_usb is null)\nwhen calling the gs_free_requests function, causing a crash.\n\nIf port_usb is NULL, the release request will be skipped as it\nwill be done by gserial_disconnect.\n\nSo add a null pointer check to gs_start_io before attempting\nto access the value of the pointer port->port_usb.\n\nCall trace:\n gs_start_io+0x164/0x25c\n gs_open+0x108/0x13c\n tty_open+0x314/0x638\n chrdev_open+0x1b8/0x258\n do_dentry_open+0x2c4/0x700\n vfs_open+0x2c/0x3c\n path_openat+0xa64/0xc60\n do_filp_open+0xb8/0x164\n do_sys_openat2+0x84/0xf0\n __arm64_sys_openat+0x70/0x9c\n invoke_syscall+0x58/0x114\n el0_svc_common+0x80/0xe0\n do_el0_svc+0x1c/0x28\n el0_svc+0x38/0x68"}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/usb/gadget/function/u_serial.c"],"versions":[{"version":"c1dca562be8ada614ef193aa246c6f8705bcd6b9","lessThan":"4efdfdc32d8d6307f968cd99f1db64468471bab1","status":"affected","versionType":"git"},{"version":"c1dca562be8ada614ef193aa246c6f8705bcd6b9","lessThan":"28b3c03a6790de1f6f2683919ad657840f0f0f58","status":"affected","versionType":"git"},{"version":"c1dca562be8ada614ef193aa246c6f8705bcd6b9","lessThan":"1247e1df086aa6c17ab53cd1bedce70dd7132765","status":"affected","versionType":"git"},{"version":"c1dca562be8ada614ef193aa246c6f8705bcd6b9","lessThan":"c83213b6649d22656b3a4e92544ceeea8a2c6c07","status":"affected","versionType":"git"},{"version":"c1dca562be8ada614ef193aa246c6f8705bcd6b9","lessThan":"8ca07a3d18f39b1669927ef536e485787e856df6","status":"affected","versionType":"git"},{"version":"c1dca562be8ada614ef193aa246c6f8705bcd6b9","lessThan":"dd6b0ca6025f64ccb465a6a3460c5b0307ed9c44","status":"affected","versionType":"git"},{"version":"c1dca562be8ada614ef193aa246c6f8705bcd6b9","lessThan":"4cfbca86f6a8b801f3254e0e3c8f2b1d2d64be2b","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/usb/gadget/function/u_serial.c"],"versions":[{"version":"2.6.27","status":"affected"},{"version":"0","lessThan":"2.6.27","status":"unaffected","versionType":"semver"},{"version":"5.4.288","lessThanOrEqual":"5.4.*","status":"unaffected","versionType":"semver"},{"version":"5.10.232","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.175","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.121","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.67","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.6","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.13","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.27","versionEndExcluding":"5.4.288"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.27","versionEndExcluding":"5.10.232"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.27","versionEndExcluding":"5.15.175"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.27","versionEndExcluding":"6.1.121"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.27","versionEndExcluding":"6.6.67"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.27","versionEndExcluding":"6.12.6"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.27","versionEndExcluding":"6.13"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/4efdfdc32d8d6307f968cd99f1db64468471bab1"},{"url":"https://git.kernel.org/stable/c/28b3c03a6790de1f6f2683919ad657840f0f0f58"},{"url":"https://git.kernel.org/stable/c/1247e1df086aa6c17ab53cd1bedce70dd7132765"},{"url":"https://git.kernel.org/stable/c/c83213b6649d22656b3a4e92544ceeea8a2c6c07"},{"url":"https://git.kernel.org/stable/c/8ca07a3d18f39b1669927ef536e485787e856df6"},{"url":"https://git.kernel.org/stable/c/dd6b0ca6025f64ccb465a6a3460c5b0307ed9c44"},{"url":"https://git.kernel.org/stable/c/4cfbca86f6a8b801f3254e0e3c8f2b1d2d64be2b"}],"title":"usb: gadget: u_serial: Fix the issue that gs_start_io crashed due to accessing null pointer","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"metrics":[{"cvssV3_1":{"scope":"UNCHANGED","version":"3.1","baseScore":5.5,"attackVector":"LOCAL","baseSeverity":"MEDIUM","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","integrityImpact":"NONE","userInteraction":"NONE","attackComplexity":"LOW","availabilityImpact":"HIGH","privilegesRequired":"LOW","confidentialityImpact":"NONE"}},{"other":{"type":"ssvc","content":{"id":"CVE-2024-56670","role":"CISA Coordinator","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"version":"2.0.3","timestamp":"2025-10-01T19:59:37.791870Z"}}}],"problemTypes":[{"descriptions":[{"lang":"en","type":"CWE","cweId":"CWE-476","description":"CWE-476 NULL Pointer Dereference"}]}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2025-10-01T20:07:09.242Z"}},{"title":"CVE Program Container","references":[{"url":"https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"},{"url":"https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"}],"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2025-11-03T20:52:17.369Z"}}]}}