Google Git
Sign in
kernel / pub / scm / linux / security / vulns / refs/heads/sasha-cve / . / cve / published / 2024 / CVE-2024-40904.mbox
blob: 3076796d13be7c3b0aec8923d5d6d8ce03f060fc [file] [log] [blame]
From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: <linux-cve-announce@vger.kernel.org>
Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
Subject: CVE-2024-40904: USB: class: cdc-wdm: Fix CPU lockup caused by excessive log messages
Description
===========
In the Linux kernel, the following vulnerability has been resolved:
USB: class: cdc-wdm: Fix CPU lockup caused by excessive log messages
The syzbot fuzzer found that the interrupt-URB completion callback in
the cdc-wdm driver was taking too long, and the driver's immediate
resubmission of interrupt URBs with -EPROTO status combined with the
dummy-hcd emulation to cause a CPU lockup:
cdc_wdm 1-1:1.0: nonzero urb status received: -71
cdc_wdm 1-1:1.0: wdm_int_callback - 0 bytes
watchdog: BUG: soft lockup - CPU#0 stuck for 26s! [syz-executor782:6625]
CPU#0 Utilization every 4s during lockup:
#1: 98% system, 0% softirq, 3% hardirq, 0% idle
#2: 98% system, 0% softirq, 3% hardirq, 0% idle
#3: 98% system, 0% softirq, 3% hardirq, 0% idle
#4: 98% system, 0% softirq, 3% hardirq, 0% idle
#5: 98% system, 1% softirq, 3% hardirq, 0% idle
Modules linked in:
irq event stamp: 73096
hardirqs last enabled at (73095): [<ffff80008037bc00>] console_emit_next_record kernel/printk/printk.c:2935 [inline]
hardirqs last enabled at (73095): [<ffff80008037bc00>] console_flush_all+0x650/0xb74 kernel/printk/printk.c:2994
hardirqs last disabled at (73096): [<ffff80008af10b00>] __el1_irq arch/arm64/kernel/entry-common.c:533 [inline]
hardirqs last disabled at (73096): [<ffff80008af10b00>] el1_interrupt+0x24/0x68 arch/arm64/kernel/entry-common.c:551
softirqs last enabled at (73048): [<ffff8000801ea530>] softirq_handle_end kernel/softirq.c:400 [inline]
softirqs last enabled at (73048): [<ffff8000801ea530>] handle_softirqs+0xa60/0xc34 kernel/softirq.c:582
softirqs last disabled at (73043): [<ffff800080020de8>] __do_softirq+0x14/0x20 kernel/softirq.c:588
CPU: 0 PID: 6625 Comm: syz-executor782 Tainted: G W 6.10.0-rc2-syzkaller-g8867bbd4a056 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024
Testing showed that the problem did not occur if the two error
messages -- the first two lines above -- were removed; apparently adding
material to the kernel log takes a surprisingly large amount of time.
In any case, the best approach for preventing these lockups and to
avoid spamming the log with thousands of error messages per second is
to ratelimit the two dev_err() calls. Therefore we replace them with
dev_err_ratelimited().
The Linux kernel CVE team has assigned CVE-2024-40904 to this issue.
Affected and fixed versions
===========================
Issue introduced in 2.6.28 with commit 9908a32e94de2141463e104c9924279ed3509447 and fixed in 4.19.317 with commit 217d1f44fff560b3995a685a60aa66e55a7f0f56
Issue introduced in 2.6.28 with commit 9908a32e94de2141463e104c9924279ed3509447 and fixed in 5.4.279 with commit 05b2cd6d33f700597e6f081b53c668a226a96d28
Issue introduced in 2.6.28 with commit 9908a32e94de2141463e104c9924279ed3509447 and fixed in 5.10.221 with commit c0747d76eb05542b5d49f67069b64ef5ff732c6c
Issue introduced in 2.6.28 with commit 9908a32e94de2141463e104c9924279ed3509447 and fixed in 5.15.162 with commit 53250b54c92fe087fd4b0c48f85529efe1ebd879
Issue introduced in 2.6.28 with commit 9908a32e94de2141463e104c9924279ed3509447 and fixed in 6.1.95 with commit 02a4c0499fc3a02e992b4c69a9809912af372d94
Issue introduced in 2.6.28 with commit 9908a32e94de2141463e104c9924279ed3509447 and fixed in 6.6.35 with commit 72a3fe36cf9f0d030865e571f45a40f9c1e07e8a
Issue introduced in 2.6.28 with commit 9908a32e94de2141463e104c9924279ed3509447 and fixed in 6.9.6 with commit 82075aff7ffccb1e72b0ac8aa349e473624d857c
Issue introduced in 2.6.28 with commit 9908a32e94de2141463e104c9924279ed3509447 and fixed in 6.10 with commit 22f00812862564b314784167a89f27b444f82a46
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2024-40904
will be updated if fixes are backported, please check that for the most
up to date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
drivers/usb/class/cdc-wdm.c
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/217d1f44fff560b3995a685a60aa66e55a7f0f56
https://git.kernel.org/stable/c/05b2cd6d33f700597e6f081b53c668a226a96d28
https://git.kernel.org/stable/c/c0747d76eb05542b5d49f67069b64ef5ff732c6c
https://git.kernel.org/stable/c/53250b54c92fe087fd4b0c48f85529efe1ebd879
https://git.kernel.org/stable/c/02a4c0499fc3a02e992b4c69a9809912af372d94
https://git.kernel.org/stable/c/72a3fe36cf9f0d030865e571f45a40f9c1e07e8a
https://git.kernel.org/stable/c/82075aff7ffccb1e72b0ac8aa349e473624d857c
https://git.kernel.org/stable/c/22f00812862564b314784167a89f27b444f82a46