[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <3905c1c88695e0ffcfabf700c06dd7223decef8d.camel@sundtek.de>
Date: Sun, 17 Nov 2024 15:33:28 +0800
From: Markus Rechberger <linuxusb.ml@...dtek.de>
To: linux-usb@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Highly critical bug in XHCI Controller
Hi,
the issue was first reported at vdr-portal.de
https://www-vdr--portal-de.translate.goog/forum/index.php?thread/136541-empfehlung-dvb-s2-tuner-oder-satip/&postID=1376196&_x_tr_sl=de&_x_tr_tl=en&_x_tr_hl=de&_x_tr_pto=wapp#post1376196
we've got around a highly critical bug in the xhci driver.
https://sundtek.de/support/uxvd32.txt
In xhci.c
The bug is still active in Mainline:
https://github.com/torvalds/linux/blob/master/drivers/usb/host/xhci.c#L2382
static int xhci_check_bw_table(struct xhci_hcd *xhci,
struct xhci_virt_device *virt_dev,
int old_active_eps)
bw_table can end up with a NULL pointer.
This problem will lead to a complete kernel crash, rendering the entire
system unusable without any access to the actual linux system.
How to trigger the problem?
Short D+/D- or pull them to ground on a USB device while connecting the
device.
The problem can happen due to following cases:
* a device is getting suddenly disconnected during enumeration
* a faulty cable
* a faulty device
* a malicious device triggers this issue on purpose
* if there are electrical issues during connecting a device.
A quick hotfix would be to check if bw_table is NULL in
xhci_check_bw_table, however the check should be performed earlier - in
the area where bw_table is supposed to be assigned.
Best Regards,
Markus
Powered by blists - more mailing lists