CVE-2022-49299 in Linux

Summary

by MITRE • 02/26/2025

In the Linux kernel, the following vulnerability has been resolved:

usb: dwc2: gadget: don't reset gadget's driver->bus

UDC driver should not touch gadget's driver internals, especially it should not reset driver->bus. This wasn't harmful so far, but since commit fc274c1e9973 ("USB: gadget: Add a new bus for gadgets") gadget subsystem got its own bus and messing with ->bus triggers the following NULL pointer dereference:

dwc2 12480000.hsotg: bound driver g_ether
8<--- cut here ---
Unable to handle kernel NULL pointer dereference at virtual address 00000000
[00000000] *pgd=00000000
Internal error: Oops: 5 [#1] SMP ARM
Modules linked in: ...
CPU: 0 PID: 620 Comm: modprobe Not tainted 5.18.0-rc5-next-20220504 #11862
Hardware name: Samsung Exynos (Flattened Device Tree)
PC is at module_add_driver+0x44/0xe8
LR is at sysfs_do_create_link_sd+0x84/0xe0
...
Process modprobe (pid: 620, stack limit = 0x(ptrval))
...
module_add_driver from bus_add_driver+0xf4/0x1e4
bus_add_driver from driver_register+0x78/0x10c
driver_register from usb_gadget_register_driver_owner+0x40/0xb4
usb_gadget_register_driver_owner from do_one_initcall+0x44/0x1e0
do_one_initcall from do_init_module+0x44/0x1c8
do_init_module from load_module+0x19b8/0x1b9c
load_module from sys_finit_module+0xdc/0xfc
sys_finit_module from ret_fast_syscall+0x0/0x54
Exception stack(0xf1771fa8 to 0xf1771ff0)
...
dwc2 12480000.hsotg: new device is high-speed
---[ end trace 0000000000000000 ]---

Fix this by removing driver->bus entry reset.


Analysis

by VulDB Data Team • 06/19/2025

This vulnerability exists in the Linux kernel's USB Device Controller (UDC) subsystem, specifically within the dwc2 gadget driver implementation. The issue stems from improper manipulation of internal driver structures during the USB gadget registration process, creating a critical null pointer dereference condition that can lead to system crashes and potential denial of service scenarios.

The technical flaw occurs when the dwc2 UDC driver resets the gadget's driver->bus member during driver registration. This violates a basic kernel design rule: a device driver should not reach into and modify driver-core structures that are meant to stay opaque to it. The problem became visible after commit fc274c1e9973, which gave the USB gadget subsystem a dedicated bus; the gadget core now relies on driver->bus, so direct manipulation of ->bus leads to cascading failures.

The operational impact is immediate system instability when a USB gadget driver is loaded. When modprobe loads a gadget driver such as g_ether, the kernel hits a NULL pointer dereference at virtual address 0x00000000 in module_add_driver. The result is a kernel oops with an ARM-specific fault report, since the system cannot recover from the invalid memory access. The crash occurs because the gadget subsystem's new bus infrastructure expects a valid bus pointer, but the dwc2 driver has already corrupted that reference by resetting it to NULL.

This vulnerability directly maps to CWE-476 which describes NULL pointer dereference conditions in software systems. From an adversarial perspective, this represents a potential privilege escalation vector that could be exploited to cause system crashes or potentially facilitate more sophisticated attacks if combined with other kernel vulnerabilities. The ATT&CK framework would categorize this under T1068 for local privilege escalation and T1499 for endpoint denial of service.

The fix addresses the root cause by removing the driver->bus reset from the dwc2 gadget driver code path entirely. This keeps the device driver separate from internal driver-core structures, in line with established kernel practice of treating such interfaces as opaque to avoid accidental corruption. Driver registration behaves correctly again while all intended functionality of the USB gadget subsystem is preserved, and future driver loads proceed without interference from device-specific code that should not touch core subsystem internals.
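To make the ordering in the oops trace concrete, here is a constructed C model added for this page (not kernel code): the gadget core sets driver->bus, the bus probe calls the UDC's start hook, and module_add_driver then dereferences driver->bus. The struct layouts, the udc_start_buggy/udc_start_fixed hooks, try_register and the -EINVAL return in place of the real fault are all assumptions of the model.

```c
#include <stddef.h>
#include <stdio.h>
/* Constructed stand-ins for the kernel structures involved (not kernel code). */
struct bus_type { const char *name; int drivers_registered; };
struct device_driver { const char *name; struct bus_type *bus; };
struct usb_gadget_driver { struct device_driver driver; };
/* Stands in for the gadget bus introduced by commit fc274c1e9973. */
static struct bus_type gadget_bus_type = { "gadget", 0 };

/* Modeled UDC start hooks: the buggy one resets driver->bus (the line the fix
 * removes), the fixed one leaves the gadget driver's internals alone. */
static int udc_start_buggy(struct usb_gadget_driver *drv) { drv->driver.bus = NULL; return 0; }
static int udc_start_fixed(struct usb_gadget_driver *drv) { (void)drv; return 0; }

/* Modeled module_add_driver(): dereferences drv->bus. A NULL here is the oops on
 * the page; the model returns -EINVAL (-22) instead so the caller can observe it. */
static int module_add_driver(struct device_driver *drv)
{
    if (drv->bus == NULL)
        return -22;
    drv->bus->drivers_registered++;
    return 0;
}

/* Modeled registration path from the trace: gadget core sets driver->bus, the bus
 * probe binds the driver (UDC start hook), then module_add_driver uses driver->bus. */
static int usb_gadget_register_driver(struct usb_gadget_driver *drv,
                                      int (*udc_start)(struct usb_gadget_driver *))
{
    int ret;
    drv->driver.bus = &gadget_bus_type;
    ret = udc_start(drv);                 /* "bound driver g_ether" */
    if (ret)
        return ret;
    return module_add_driver(&drv->driver);
}

/* Register a fresh constructed g_ether driver through the given UDC start hook. */
static int try_register(int (*udc_start)(struct usb_gadget_driver *))
{
    struct usb_gadget_driver g_ether = { { "g_ether", NULL } };
    return usb_gadget_register_driver(&g_ether, udc_start);
}

int main(void)
{
    printf("buggy udc_start: %d  fixed udc_start: %d\n",
           try_register(udc_start_buggy), try_register(udc_start_fixed));   /* -22 0 */
    return 0;
}
```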

Responsible

Linux

Reservation

02/26/2025

Disclosure

02/26/2025

Moderation

revoked

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low
