| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2024061956-CVE-2024-38567-5724@gregkh> Date: Wed, 19 Jun 2024 15:36:16 +0200 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org> Subject: CVE-2024-38567: wifi: carl9170: add a proper sanity check for endpoints Description =========== In the Linux kernel, the following vulnerability has been resolved: wifi: carl9170: add a proper sanity check for endpoints Syzkaller reports [1] hitting a warning which is caused by presence of a wrong endpoint type at the URB sumbitting stage. While there was a check for a specific 4th endpoint, since it can switch types between bulk and interrupt, other endpoints are trusted implicitly. Similar warning is triggered in a couple of other syzbot issues [2]. Fix the issue by doing a comprehensive check of all endpoints taking into account difference between high- and full-speed configuration. [1] Syzkaller report: ... WARNING: CPU: 0 PID: 4721 at drivers/usb/core/urb.c:504 usb_submit_urb+0xed6/0x1880 drivers/usb/core/urb.c:504 ... Call Trace: <TASK> carl9170_usb_send_rx_irq_urb+0x273/0x340 drivers/net/wireless/ath/carl9170/usb.c:504 carl9170_usb_init_device drivers/net/wireless/ath/carl9170/usb.c:939 [inline] carl9170_usb_firmware_finish drivers/net/wireless/ath/carl9170/usb.c:999 [inline] carl9170_usb_firmware_step2+0x175/0x240 drivers/net/wireless/ath/carl9170/usb.c:1028 request_firmware_work_func+0x130/0x240 drivers/base/firmware_loader/main.c:1107 process_one_work+0x9bf/0x1710 kernel/workqueue.c:2289 worker_thread+0x669/0x1090 kernel/workqueue.c:2436 kthread+0x2e8/0x3a0 kernel/kthread.c:376 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308 </TASK> [2] Related syzkaller crashes: The Linux kernel CVE team has assigned CVE-2024-38567 to this issue. Affected and fixed versions =========================== Issue introduced in 2.6.37 with commit a84fab3cbfdc and fixed in 4.19.316 with commit eb0f2fc3ff58 Issue introduced in 2.6.37 with commit a84fab3cbfdc and fixed in 5.4.278 with commit ac3ed46a8741 Issue introduced in 2.6.37 with commit a84fab3cbfdc and fixed in 5.10.219 with commit 8650725bb0a4 Issue introduced in 2.6.37 with commit a84fab3cbfdc and fixed in 5.15.161 with commit 6a9892bf24c9 Issue introduced in 2.6.37 with commit a84fab3cbfdc and fixed in 6.1.93 with commit 265c3cda471c Issue introduced in 2.6.37 with commit a84fab3cbfdc and fixed in 6.6.33 with commit 62eb07923f36 Issue introduced in 2.6.37 with commit a84fab3cbfdc and fixed in 6.8.12 with commit 03ddc74bdfd7 Issue introduced in 2.6.37 with commit a84fab3cbfdc and fixed in 6.9.3 with commit 0fa08a55201a Issue introduced in 2.6.37 with commit a84fab3cbfdc and fixed in 6.10-rc1 with commit b6dd09b3dac8 Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2024-38567 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: drivers/net/wireless/ath/carl9170/usb.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/eb0f2fc3ff5806cc572cd9055ce7c52a01e97645 https://git.kernel.org/stable/c/ac3ed46a8741d464bc70ebdf7433c1d786cf329d https://git.kernel.org/stable/c/8650725bb0a48b206d5a8ddad3a7488f9a5985b7 https://git.kernel.org/stable/c/6a9892bf24c906b4d6b587f8759ca38bff672582 https://git.kernel.org/stable/c/265c3cda471c26e0f25d0c755da94e1eb15d7a0c https://git.kernel.org/stable/c/62eb07923f3693d55b0c2d9a5a4f1ad72cb6b8fd https://git.kernel.org/stable/c/03ddc74bdfd71b84a55c9f2185d8787f258422cd https://git.kernel.org/stable/c/0fa08a55201ab9be72bacb8ea93cf752d338184f https://git.kernel.org/stable/c/b6dd09b3dac89b45d1ea3e3bd035a3859c0369a0
Powered by blists - more mailing lists