| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2024090451-CVE-2024-45006-6642@gregkh> Date: Wed, 4 Sep 2024 21:57:11 +0200 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org> Subject: CVE-2024-45006: xhci: Fix Panther point NULL pointer deref at full-speed re-enumeration Description =========== In the Linux kernel, the following vulnerability has been resolved: xhci: Fix Panther point NULL pointer deref at full-speed re-enumeration re-enumerating full-speed devices after a failed address device command can trigger a NULL pointer dereference. Full-speed devices may need to reconfigure the endpoint 0 Max Packet Size value during enumeration. Usb core calls usb_ep0_reinit() in this case, which ends up calling xhci_configure_endpoint(). On Panther point xHC the xhci_configure_endpoint() function will additionally check and reserve bandwidth in software. Other hosts do this in hardware If xHC address device command fails then a new xhci_virt_device structure is allocated as part of re-enabling the slot, but the bandwidth table pointers are not set up properly here. This triggers the NULL pointer dereference the next time usb_ep0_reinit() is called and xhci_configure_endpoint() tries to check and reserve bandwidth [46710.713538] usb 3-1: new full-speed USB device number 5 using xhci_hcd [46710.713699] usb 3-1: Device not responding to setup address. [46710.917684] usb 3-1: Device not responding to setup address. [46711.125536] usb 3-1: device not accepting address 5, error -71 [46711.125594] BUG: kernel NULL pointer dereference, address: 0000000000000008 [46711.125600] #PF: supervisor read access in kernel mode [46711.125603] #PF: error_code(0x0000) - not-present page [46711.125606] PGD 0 P4D 0 [46711.125610] Oops: Oops: 0000 [#1] PREEMPT SMP PTI [46711.125615] CPU: 1 PID: 25760 Comm: kworker/1:2 Not tainted 6.10.3_2 #1 [46711.125620] Hardware name: Gigabyte Technology Co., Ltd. [46711.125623] Workqueue: usb_hub_wq hub_event [usbcore] [46711.125668] RIP: 0010:xhci_reserve_bandwidth (drivers/usb/host/xhci.c Fix this by making sure bandwidth table pointers are set up correctly after a failed address device command, and additionally by avoiding checking for bandwidth in cases like this where no actual endpoints are added or removed, i.e. only context for default control endpoint 0 is evaluated. The Linux kernel CVE team has assigned CVE-2024-45006 to this issue. Affected and fixed versions =========================== Issue introduced in 4.15 with commit 651aaf36a7d7 and fixed in 4.19.321 with commit ef0a0e616b27 Issue introduced in 4.15 with commit 651aaf36a7d7 and fixed in 5.4.283 with commit a57b0ebabe68 Issue introduced in 4.15 with commit 651aaf36a7d7 and fixed in 5.10.225 with commit 0f0654318e25 Issue introduced in 4.15 with commit 651aaf36a7d7 and fixed in 5.15.166 with commit 365ef7c4277f Issue introduced in 4.15 with commit 651aaf36a7d7 and fixed in 6.1.107 with commit 5ad898ae8241 Issue introduced in 4.15 with commit 651aaf36a7d7 and fixed in 6.6.48 with commit 6b99de301d78 Issue introduced in 4.15 with commit 651aaf36a7d7 and fixed in 6.10.7 with commit 8fb9d412ebe2 Issue introduced in 4.15 with commit 651aaf36a7d7 and fixed in 6.11-rc4 with commit af8e119f52e9 Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2024-45006 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: drivers/usb/host/xhci.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/ef0a0e616b2789bb804a0ce5e161db03170a85b6 https://git.kernel.org/stable/c/a57b0ebabe6862dce0a2e0f13e17941ad72fc56b https://git.kernel.org/stable/c/0f0654318e25b2c185e245ba4a591e42fabb5e59 https://git.kernel.org/stable/c/365ef7c4277fdd781a695c3553fa157d622d805d https://git.kernel.org/stable/c/5ad898ae82412f8a689d59829804bff2999dd0ea https://git.kernel.org/stable/c/6b99de301d78e1f5249e57ef2c32e1dec3df2bb1 https://git.kernel.org/stable/c/8fb9d412ebe2f245f13481e4624b40e651570cbd https://git.kernel.org/stable/c/af8e119f52e9c13e556be9e03f27957554a84656
Powered by blists - more mailing lists