[<prev] [next>] [day] [month] [year] [list]
Message-ID: <2024072954-CVE-2024-41097-248c@gregkh>
Date: Mon, 29 Jul 2024 17:48:59 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Subject: CVE-2024-41097: usb: atm: cxacru: fix endpoint checking in cxacru_bind()
Description
===========
In the Linux kernel, the following vulnerability has been resolved:
usb: atm: cxacru: fix endpoint checking in cxacru_bind()
Syzbot is still reporting quite an old issue [1] that occurs due to
incomplete checking of present usb endpoints. As such, wrong
endpoints types may be used at urb sumbitting stage which in turn
triggers a warning in usb_submit_urb().
Fix the issue by verifying that required endpoint types are present
for both in and out endpoints, taking into account cmd endpoint type.
Unfortunately, this patch has not been tested on real hardware.
[1] Syzbot report:
usb 1-1: BOGUS urb xfer, pipe 1 != type 3
WARNING: CPU: 0 PID: 8667 at drivers/usb/core/urb.c:502 usb_submit_urb+0xed2/0x18a0 drivers/usb/core/urb.c:502
Modules linked in:
CPU: 0 PID: 8667 Comm: kworker/0:4 Not tainted 5.14.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: usb_hub_wq hub_event
RIP: 0010:usb_submit_urb+0xed2/0x18a0 drivers/usb/core/urb.c:502
...
Call Trace:
cxacru_cm+0x3c0/0x8e0 drivers/usb/atm/cxacru.c:649
cxacru_card_status+0x22/0xd0 drivers/usb/atm/cxacru.c:760
cxacru_bind+0x7ac/0x11a0 drivers/usb/atm/cxacru.c:1209
usbatm_usb_probe+0x321/0x1ae0 drivers/usb/atm/usbatm.c:1055
cxacru_usb_probe+0xdf/0x1e0 drivers/usb/atm/cxacru.c:1363
usb_probe_interface+0x315/0x7f0 drivers/usb/core/driver.c:396
call_driver_probe drivers/base/dd.c:517 [inline]
really_probe+0x23c/0xcd0 drivers/base/dd.c:595
__driver_probe_device+0x338/0x4d0 drivers/base/dd.c:747
driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:777
__device_attach_driver+0x20b/0x2f0 drivers/base/dd.c:894
bus_for_each_drv+0x15f/0x1e0 drivers/base/bus.c:427
__device_attach+0x228/0x4a0 drivers/base/dd.c:965
bus_probe_device+0x1e4/0x290 drivers/base/bus.c:487
device_add+0xc2f/0x2180 drivers/base/core.c:3354
usb_set_configuration+0x113a/0x1910 drivers/usb/core/message.c:2170
usb_generic_driver_probe+0xba/0x100 drivers/usb/core/generic.c:238
usb_probe_device+0xd9/0x2c0 drivers/usb/core/driver.c:293
The Linux kernel CVE team has assigned CVE-2024-41097 to this issue.
Affected and fixed versions
===========================
Issue introduced in 2.6.36 with commit 902ffc3c707c and fixed in 4.19.317 with commit 5159a8192431
Issue introduced in 2.6.36 with commit 902ffc3c707c and fixed in 5.4.279 with commit 23926d316d28
Issue introduced in 2.6.36 with commit 902ffc3c707c and fixed in 5.10.221 with commit 75ddbf776dd0
Issue introduced in 2.6.36 with commit 902ffc3c707c and fixed in 5.15.162 with commit 1aac4be1aaa5
Issue introduced in 2.6.36 with commit 902ffc3c707c and fixed in 6.1.97 with commit 5584c776a1af
Issue introduced in 2.6.36 with commit 902ffc3c707c and fixed in 6.6.37 with commit f536f09eb45e
Issue introduced in 2.6.36 with commit 902ffc3c707c and fixed in 6.9.8 with commit ac9007520e39
Issue introduced in 2.6.36 with commit 902ffc3c707c and fixed in 6.10 with commit 2eabb655a968
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2024-41097
will be updated if fixes are backported, please check that for the most
up to date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
drivers/usb/atm/cxacru.c
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/5159a81924311c1ec786ad9fdef784ead8676a6a
https://git.kernel.org/stable/c/23926d316d2836315cb113569f91393266eb5b47
https://git.kernel.org/stable/c/75ddbf776dd04a09fb9e5267ead5d0c989f84506
https://git.kernel.org/stable/c/1aac4be1aaa5177506219f01dce5e29194e5e95a
https://git.kernel.org/stable/c/5584c776a1af7807ca815ee6265f2c1429fc5727
https://git.kernel.org/stable/c/f536f09eb45e4de8d1b9accee9d992aa1846f1d4
https://git.kernel.org/stable/c/ac9007520e392541a29daebaae8b9109007bc781
https://git.kernel.org/stable/c/2eabb655a968b862bc0c31629a09f0fbf3c80d51
Powered by blists - more mailing lists