Message-ID: <16f3a291439a94751b1b68f21507bae4de8dc011.camel@sundtek.de>
Date: Mon, 18 Nov 2024 18:23:42 +0800
From: Markus Rechberger <linuxusb.ml@...dtek.de>
To: Mathias Nyman <mathias.nyman@...ux.intel.com>, 
	linux-kernel@...r.kernel.org, linux-usb@...r.kernel.org
Cc: Greg KH <gregkh@...uxfoundation.org>
Subject: Re: [PATCH] XHCI NULL Pointer check in xhci_check_bw_table

On Mon, 2024-11-18 at 17:51 +0800, Markus Rechberger wrote:
> On Mon, 2024-11-18 at 11:36 +0200, Mathias Nyman wrote:
> > Hi
> > 
> > On 17.11.2024 17.32, Sundtek wrote:
> > > > This patch fixes a NULL Pointer exception when a device using the XHCI
> > > > controller driver is not properly initialized. It's relatively easy to
> > > > reproduce with a faulty connection to a USB Harddisk / USB Ethernet
> > > > adapter.
> > > > The way I used for testing this patch was to short USB D+/D- and pull
> > > > them to ground.
> > > > 
> > > > We manufacture our own USB devices and use Linux for testing, lately we
> > > > upgraded the system to Ubuntu noble with Kernel 6.8.0 and our system
> > > > also crashed multiple times just when plugging in some devices (no
> > > > commands need to be executed).
> > > > We connect/disconnect devices > 100 times (eg uploading firmware, do
> > > > electrical tests etc).
> > > > 
> > > > I would rate this issue as highly critical.
> > > > The problem is triggered via some fallback code in hub.c, a second
> > > > patch will follow which removes the endpoint reset in the particular
> > > > fallback.
> > > > 
> > > 
> > 
> > 
> > > > 2024-11-16T22:14:12.122224+08:00 sundtek-UX32VD kernel: RIP: 0010:xhci_check_bw_table+0x100/0x4d0
> > 
> > This looks very similar to a null pointer issue I fixed recently.
> > Patch should be in 6.11 and recent stable releases:
> > 
> > > af8e119f52e9 xhci: Fix Panther point NULL pointer deref at full-speed re-enumeration
> > 
> > What kernel are you running?
> 
> 
> > Thanks for pointing that out, I was testing this on Linux 6.8.12.
> I will recompile the latest kernel and double check.
> 
> your one:
> [46711.125623] Workqueue: usb_hub_wq hub_event [usbcore]
> > [46711.125668] RIP: 0010:xhci_reserve_bandwidth (drivers/usb/host/xhci.c
> 
> vs my one:
> kernel: Workqueue: usb_hub_wq hub_event
> kernel: RIP: 0010:xhci_check_bw_table+0x100/0x4d0
> 
> https://sundtek.de/support/uxvd32.txt


I just added your patch to 6.8.10 / 6.8.12; it also fixes the problem.

CVE:
https://www.cve.org/CVERecord/?id=CVE-2024-45006

Nothing to do for me here, great.

The issue is resolved but needs to be addressed by the distributions
now. Ubuntu is currently shipping their stable kernel with this
critical bug.

Best Regards,
Markus
