In this long-read post, we'll look at a recently resolved Linux kernel vulnerability in the USB DWC3 (Synopsys DesignWare USB3) controller driver. The issue, designated CVE-2021-46941, was fixed by performing a core soft reset when a dual-role controller switches between host and device modes. We'll cover the details of the bug, its effects, and the code changes made to address it.

Background

The Linux kernel, which acts as the core of the operating system, occasionally contains security vulnerabilities that attackers can exploit. The DWC3 driver in the kernel's USB stack recently presented such a flaw. The driver handles Synopsys DesignWare USB3 controllers, including dual-role (DRD) controllers that can operate as either a USB host or a USB device, as found on USB On-The-Go (OTG) capable boards.

The problem was first reported by John Stultz, who hit a lockup on the HiKey960 platform [1], and by Ferry, who saw a similar problem on their test platform [2]. Investigation showed that the driver skipped steps in the mode-switch procedure for the DRD controller, resulting in unstable behaviour and a controller that could lock up.

- [1] https://lore.kernel.org/linux-usb/20210108015115.27920-1-john.stultz@linaro.org/
- [2] https://lore.kernel.org/linux-usb/ba7a6ba-e6a7-9cd4-0695-64fc927e01f1@gmail.com/

The Vulnerability and Its Exploit Details

To better understand the vulnerability, let's first go through the correct sequence for switching modes on a DRD (Dual-Role Device) controller, as laid out in the controller's programming guide and quoted in the fix commit:

To switch from device to host:

1. Reset the controller with GCTL.CoreSoftReset
2. Set GCTL.PrtCapDir to host
3. Reset the host with USBCMD.HCRESET
4. Follow up with the host register initialization sequence

To switch from host to device:

1. Reset the controller with GCTL.CoreSoftReset
2. Set GCTL.PrtCapDir to device
3. Reset the device with DCTL.CSftRst
4. Follow up with the initializing registers sequence

The vulnerable driver skipped step 1 of both sequences (the GCTL.CoreSoftReset) and step 3 of the host-to-device sequence (the DCTL.CSftRst). Without those resets the controller can be left in an inconsistent state after a role change and lock up, which is the behaviour seen in both reports. The practical impact is a denial of service: a role switch, which on dual-role hardware is typically triggered by what is plugged into the port, can hang the controller. Neither report describes a remote attack path, so the exposure is on affected boards themselves.

The Code Fix

The fix, summarized from the commit, makes three changes to the mode-switching code:

- Add GCTL.CoreSoftReset in both mode switch cases
- Add a wait for clock synchronization before clearing GCTL.CoreSoftReset
- Apply DCTL.CSftRst only when switching from host to device

To fix the vulnerability, the missing steps were added to the DRD controller's mode-switching path. The developers added the GCTL.CoreSoftReset step to both mode switch cases, so the controller is properly reset before the new role is programmed.

They also wait for the core's clocks to synchronize before clearing GCTL.CoreSoftReset, so the reset is not released too early. Lastly, DCTL.CSftRst is applied only when switching from host to device mode, as the programming guide recommends; a device-side soft reset is not part of the device-to-host sequence.
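To make the sequence concrete, the following is an added example, not code from the Linux kernel or the DWC3 driver: a small userspace model of the DRD mode-switch register writes. It encodes the programming-guide sequence from the previous section and the three fix bullets above as switch_mode_fixed(), keeps the pre-fix behaviour as switch_mode_old() for comparison, and audits the resulting write trace with sequence_ok(), which checks that GCTL.CoreSoftReset is set, waited on and cleared before GCTL.PrtCapDir changes, and that DCTL.CSftRst follows only for a switch into device mode. The bit positions follow the driver's core.h definitions; the register model, the event trace and all function names are this example's own, and the controller is not emulated beyond recording the writes.

```c
/*
 * Added example, not code from the Linux kernel or the DWC3 driver: a
 * userspace model of the DRD mode-switch register sequence. Bit positions
 * follow the driver's core.h (GCTL.CoreSoftReset is bit 11, GCTL.PrtCapDir
 * is bits 13:12, DCTL.CSftRst is bit 30); the register file, the event
 * trace and every helper name here are this example's own.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define GCTL_CORESOFTRESET  (1u << 11)
#define GCTL_PRTCAPDIR(n)   ((uint32_t)(n) << 12)
#define GCTL_PRTCAP_MASK    GCTL_PRTCAPDIR(3)
#define GCTL_PRTCAP_HOST    1
#define GCTL_PRTCAP_DEVICE  2
#define DCTL_CSFTRST        (1u << 30)

enum ev_kind { EV_GCTL, EV_DCTL, EV_WAIT };   /* register writes plus the clock-sync wait */
#define MAX_EVENTS 16

struct ctrl {
    uint32_t gctl, dctl;                       /* modelled registers */
    int nev;
    struct { enum ev_kind kind; uint32_t val; } ev[MAX_EVENTS];
};

static void record(struct ctrl *c, enum ev_kind k, uint32_t v)
{
    if (c->nev < MAX_EVENTS) {
        c->ev[c->nev].kind = k;
        c->ev[c->nev].val = v;
        c->nev++;
    }
}

static void write_gctl(struct ctrl *c, uint32_t v) { c->gctl = v; record(c, EV_GCTL, v); }
static void write_dctl(struct ctrl *c, uint32_t v) { c->dctl = v; record(c, EV_DCTL, v); }

/* Stand-in for the driver's delay while the core's clocks resynchronise. */
static void wait_clocks_sync(struct ctrl *c) { record(c, EV_WAIT, 0); }

/* What the unfixed driver did: change PrtCapDir and carry on. */
static void switch_mode_old(struct ctrl *c, int mode)
{
    write_gctl(c, (c->gctl & ~GCTL_PRTCAP_MASK) | GCTL_PRTCAPDIR(mode));
}

/* The corrected order from the programming guide. */
static void switch_mode_fixed(struct ctrl *c, int mode)
{
    write_gctl(c, c->gctl | GCTL_CORESOFTRESET);                          /* 1. core soft reset */
    wait_clocks_sync(c);                                                   /*    clocks sync before release */
    write_gctl(c, c->gctl & ~GCTL_CORESOFTRESET);
    write_gctl(c, (c->gctl & ~GCTL_PRTCAP_MASK) | GCTL_PRTCAPDIR(mode));  /* 2. PrtCapDir */
    if (mode == GCTL_PRTCAP_DEVICE)                                        /* 3. host->device only */
        write_dctl(c, c->dctl | DCTL_CSFTRST);
}

/*
 * Audit the event trace: CoreSoftReset must be set, waited on and cleared
 * before PrtCapDir changes, and DCTL.CSftRst must follow exactly when the
 * target is device mode.
 */
static bool sequence_ok(const struct ctrl *c, int mode)
{
    int i, set = -1, wait = -1, clr = -1, dir = -1, csft = -1;

    for (i = 0; i < c->nev; i++) {
        uint32_t v = c->ev[i].val;
        switch (c->ev[i].kind) {
        case EV_GCTL:
            if (set < 0 && (v & GCTL_CORESOFTRESET))
                set = i;
            else if (set >= 0 && clr < 0 && !(v & GCTL_CORESOFTRESET))
                clr = i;
            else if (clr >= 0 && dir < 0 && (v & GCTL_PRTCAP_MASK) == GCTL_PRTCAPDIR(mode))
                dir = i;
            break;
        case EV_WAIT:
            if (set >= 0 && clr < 0 && wait < 0)
                wait = i;
            break;
        case EV_DCTL:
            if (csft < 0 && (v & DCTL_CSFTRST))
                csft = i;
            break;
        }
    }
    if (set < 0 || wait < 0 || clr < 0 || dir < 0)
        return false;
    if (mode == GCTL_PRTCAP_DEVICE)
        return csft > dir;
    return csft < 0;
}

/* Run one switch with either driver version and audit the resulting trace. */
static bool run_switch(bool use_fixed, int from, int to)
{
    struct ctrl c;
    memset(&c, 0, sizeof c);
    c.gctl = GCTL_PRTCAPDIR(from);             /* controller currently in the 'from' role */
    if (use_fixed)
        switch_mode_fixed(&c, to);
    else
        switch_mode_old(&c, to);
    return sequence_ok(&c, to);
}

int main(void)
{
    printf("old   host->device: %s\n", run_switch(false, GCTL_PRTCAP_HOST, GCTL_PRTCAP_DEVICE) ? "ok" : "missing steps");
    printf("fixed host->device: %s\n", run_switch(true, GCTL_PRTCAP_HOST, GCTL_PRTCAP_DEVICE) ? "ok" : "missing steps");
    printf("fixed device->host: %s\n", run_switch(true, GCTL_PRTCAP_DEVICE, GCTL_PRTCAP_HOST) ? "ok" : "missing steps");
    return 0;
}
```

The audit function is the part worth keeping: it is the programming-guide rule written down as a check, so the old single-write switch fails it and both directions of the fixed sequence pass, with the device-to-host case correctly passing without any DCTL.CSftRst write.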

Conclusion

CVE-2021-46941 is a notable Linux kernel vulnerability in the USB DWC3 driver. This post covered the background, the missing reset steps behind the lockup, and the code changes implemented to address it. With those updates, the kernel follows the controller's documented mode-switch sequence and no longer hangs on role changes.

Remember to keep your systems updated so that the latest security patches are applied; if you run dual-role USB hardware driven by dwc3 (the HiKey960 is one example), check that your kernel includes this fix. This CVE serves as a reminder of the importance of staying informed and proactive in addressing vulnerabilities as they are discovered and resolved.

Timeline

Published on: 02/27/2024 19:04:05 UTC
Last modified on: 04/10/2024 19:42:17 UTC