CVE-2025-37813

Description

In the Linux kernel, the following vulnerability has been resolved: usb: xhci: Fix invalid pointer dereference in Etron workaround This check is performed before prepare_transfer() and prepare_ring(), so enqueue can already point at the final link TRB of a segment. And indeed it will, some 0.4% of times this code is called. Then enqueue + 1 is an invalid pointer. It will crash the kernel right away or load some junk which may look like a link TRB and cause the real link TRB to be replaced with a NOOP. This wouldn't end well. Use a functionally equivalent test which doesn't dereference the pointer and always gives correct result. Something has crashed my machine twice in recent days while playing with an Etron HC, and a control transfer stress test ran for confirmation has just crashed it again. The same test passes with this patch applied.

Reserved 2025-04-16 | Published 2025-05-08 | Updated 2025-05-26 | Assigner Linux

Product status

Default status
unaffected

fbc0a0c7718a6cb1dc5e0811a4f88a2b1deedfa1 before 142273a49f2c315eabdbdf5a71c15e479b75ca91
affected

9258c9ed32294ce3a4b58c9d92fc49ba030d35c9 before bce3055b08e303e28a8751f6073066f5c33a0744
affected

5e1c67abc9301d05130b7e267c204e7005503b33 before 0624e29c595b05e7a0e6d1c368f0a05799928e30
affected

5e1c67abc9301d05130b7e267c204e7005503b33 before 1ea050da5562af9b930d17cbbe9632d30f5df43a
affected

4725344ca645a98a9d8e45e25b01a2244de5b8aa
affected

Default status
affected

6.13
affected

Any version before 6.13
unaffected

6.6.89
unaffected

6.12.26
unaffected

6.14.5
unaffected

6.15
unaffected

References

git.kernel.org/...c/142273a49f2c315eabdbdf5a71c15e479b75ca91

git.kernel.org/...c/bce3055b08e303e28a8751f6073066f5c33a0744

git.kernel.org/...c/0624e29c595b05e7a0e6d1c368f0a05799928e30

git.kernel.org/...c/1ea050da5562af9b930d17cbbe9632d30f5df43a

cve.org (CVE-2025-37813)

nvd.nist.gov (CVE-2025-37813)

Download JSON