CVE-2025-21776

In the Linux kernel, the following vulnerability has been resolved:

USB: hub: Ignore non-compliant devices with too many configs or interfaces

Robert Morris created a test program which can cause usbhubtostructhub() to dereference a NULL or inappropriate pointer:

Oops: general protection fault, probably for non-canonical address 0xcccccccccccccccc: 0000 [#1] SMP DEBUGPAGEALLOC PTI CPU: 7 UID: 0 PID: 117 Comm: kworker/7:1 Not tainted 6.13.0-rc3-00017-gf44d154d6e3d #14 Hardware name: FreeBSD BHYVE/BHYVE, BIOS 14.0 10/17/2021 Workqueue: usbhubwq hubevent RIP: 0010:usbhubadjustdeviceremovable+0x78/0x110 ... Call Trace: <TASK> ? dieaddr+0x31/0x80 ? excgeneralprotection+0x1b4/0x3c0 ? asmexcgeneralprotection+0x26/0x30 ? usbhubadjustdeviceremovable+0x78/0x110 hubprobe+0x7c7/0xab0 usbprobeinterface+0x14b/0x350 reallyprobe+0xd0/0x2d0 ? pfxdeviceattachdriver+0x10/0x10 _driverprobedevice+0x6e/0x110 driverprobedevice+0x1a/0x90 _deviceattachdriver+0x7e/0xc0 busforeachdrv+0x7f/0xd0 _deviceattach+0xaa/0x1a0 busprobedevice+0x8b/0xa0 deviceadd+0x62e/0x810 usbsetconfiguration+0x65d/0x990 usbgenericdriverprobe+0x4b/0x70 usbprobedevice+0x36/0xd0

The cause of this error is that the device has two interfaces, and the hub driver binds to interface 1 instead of interface 0, which is where usbhubtostructhub() looks.

We can prevent the problem from occurring by refusing to accept hub devices that violate the USB spec by having more than one configuration or interface.