| From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001 |
| From: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| To: <linux-cve-announce@vger.kernel.org> |
| Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org> |
| Subject: CVE-2024-41097: usb: atm: cxacru: fix endpoint checking in cxacru_bind() |
| |
| Description |
| =========== |
| |
| In the Linux kernel, the following vulnerability has been resolved: |
| |
| usb: atm: cxacru: fix endpoint checking in cxacru_bind() |
| |
| Syzbot is still reporting quite an old issue [1] that occurs due to |
| incomplete checking of present usb endpoints. As such, wrong |
| endpoint types may be used at urb submitting stage which in turn |
| triggers a warning in usb_submit_urb(). |
| |
| Fix the issue by verifying that required endpoint types are present |
| for both in and out endpoints, taking into account cmd endpoint type. |
| |
| Unfortunately, this patch has not been tested on real hardware. |
| |
| [1] Syzbot report: |
| usb 1-1: BOGUS urb xfer, pipe 1 != type 3 |
| WARNING: CPU: 0 PID: 8667 at drivers/usb/core/urb.c:502 usb_submit_urb+0xed2/0x18a0 drivers/usb/core/urb.c:502 |
| Modules linked in: |
| CPU: 0 PID: 8667 Comm: kworker/0:4 Not tainted 5.14.0-rc4-syzkaller #0 |
| Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 |
| Workqueue: usb_hub_wq hub_event |
| RIP: 0010:usb_submit_urb+0xed2/0x18a0 drivers/usb/core/urb.c:502 |
| ... |
| Call Trace: |
| cxacru_cm+0x3c0/0x8e0 drivers/usb/atm/cxacru.c:649 |
| cxacru_card_status+0x22/0xd0 drivers/usb/atm/cxacru.c:760 |
| cxacru_bind+0x7ac/0x11a0 drivers/usb/atm/cxacru.c:1209 |
| usbatm_usb_probe+0x321/0x1ae0 drivers/usb/atm/usbatm.c:1055 |
| cxacru_usb_probe+0xdf/0x1e0 drivers/usb/atm/cxacru.c:1363 |
| usb_probe_interface+0x315/0x7f0 drivers/usb/core/driver.c:396 |
| call_driver_probe drivers/base/dd.c:517 [inline] |
| really_probe+0x23c/0xcd0 drivers/base/dd.c:595 |
| __driver_probe_device+0x338/0x4d0 drivers/base/dd.c:747 |
| driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:777 |
| __device_attach_driver+0x20b/0x2f0 drivers/base/dd.c:894 |
| bus_for_each_drv+0x15f/0x1e0 drivers/base/bus.c:427 |
| __device_attach+0x228/0x4a0 drivers/base/dd.c:965 |
| bus_probe_device+0x1e4/0x290 drivers/base/bus.c:487 |
| device_add+0xc2f/0x2180 drivers/base/core.c:3354 |
| usb_set_configuration+0x113a/0x1910 drivers/usb/core/message.c:2170 |
| usb_generic_driver_probe+0xba/0x100 drivers/usb/core/generic.c:238 |
| usb_probe_device+0xd9/0x2c0 drivers/usb/core/driver.c:293 |
| |
| The Linux kernel CVE team has assigned CVE-2024-41097 to this issue. |
| |
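The check the description calls for, as an added example: a user-space model, not the kernel patch or code from the original advisory. It accepts a descriptor set only when the command IN endpoint is interrupt or bulk and the matching OUT endpoint is present with the same type. `CMD_EP_NUM`, `struct ep_desc`, the function names and the descriptor sets are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Field encodings from the USB specification (same values as linux/usb/ch9.h). */
#define DIR_IN     0x80   /* bEndpointAddress bit 7 set: IN endpoint */
#define TYPE_MASK  0x03   /* bmAttributes bits 1..0: transfer type */
#define TYPE_BULK  0x02
#define TYPE_INT   0x03
#define CMD_EP_NUM 0x01   /* assumption: endpoint number used for commands */

struct ep_desc {          /* only the two descriptor fields the check reads */
    uint8_t bEndpointAddress;
    uint8_t bmAttributes;
};
/* Find the descriptor with exactly this address (number | direction). */
static const struct ep_desc *find_ep(const struct ep_desc *eps, size_t n, uint8_t addr)
{
    for (size_t i = 0; i < n; i++)
        if (eps[i].bEndpointAddress == addr)
            return &eps[i];
    return NULL;
}

/* Bind-time check: command IN must be interrupt or bulk, and command OUT
 * must be present with the same transfer type. Returns 1 when usable. */
int cmd_endpoints_ok(const struct ep_desc *eps, size_t n)
{
    const struct ep_desc *in  = find_ep(eps, n, CMD_EP_NUM | DIR_IN);
    const struct ep_desc *out = find_ep(eps, n, CMD_EP_NUM);
    if (!in || !out)
        return 0;
    int type = in->bmAttributes & TYPE_MASK;
    if (type != TYPE_INT && type != TYPE_BULK)
        return 0;
    return (out->bmAttributes & TYPE_MASK) == type;
}

/* Constructed descriptor sets, not taken from any real device. */
const struct ep_desc good_int[]  = { {0x81, TYPE_INT},  {0x01, TYPE_INT}  };
const struct ep_desc good_bulk[] = { {0x81, TYPE_BULK}, {0x01, TYPE_BULK} };
const struct ep_desc mixed[]     = { {0x81, TYPE_INT},  {0x01, TYPE_BULK} };
const struct ep_desc no_out[]    = { {0x81, TYPE_INT} };

int main(void)
{
    printf("int/int=%d bulk/bulk=%d int/bulk=%d missing-out=%d\n",
           cmd_endpoints_ok(good_int, 2), cmd_endpoints_ok(good_bulk, 2),
           cmd_endpoints_ok(mixed, 2), cmd_endpoints_ok(no_out, 1));
}
```

Rejecting the `mixed` and `no_out` sets at bind time means no URB is ever built for an endpoint of a different type, which is the condition the `BOGUS urb xfer` warning reports.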
| |
| Affected and fixed versions |
| =========================== |
| |
| Issue introduced in 2.6.36 with commit 902ffc3c707c1d459ea57428a619a807cbe412f9 and fixed in 4.19.317 with commit 5159a81924311c1ec786ad9fdef784ead8676a6a |
| Issue introduced in 2.6.36 with commit 902ffc3c707c1d459ea57428a619a807cbe412f9 and fixed in 5.4.279 with commit 23926d316d2836315cb113569f91393266eb5b47 |
| Issue introduced in 2.6.36 with commit 902ffc3c707c1d459ea57428a619a807cbe412f9 and fixed in 5.10.221 with commit 75ddbf776dd04a09fb9e5267ead5d0c989f84506 |
| Issue introduced in 2.6.36 with commit 902ffc3c707c1d459ea57428a619a807cbe412f9 and fixed in 5.15.162 with commit 1aac4be1aaa5177506219f01dce5e29194e5e95a |
| Issue introduced in 2.6.36 with commit 902ffc3c707c1d459ea57428a619a807cbe412f9 and fixed in 6.1.97 with commit 5584c776a1af7807ca815ee6265f2c1429fc5727 |
| Issue introduced in 2.6.36 with commit 902ffc3c707c1d459ea57428a619a807cbe412f9 and fixed in 6.6.37 with commit f536f09eb45e4de8d1b9accee9d992aa1846f1d4 |
| Issue introduced in 2.6.36 with commit 902ffc3c707c1d459ea57428a619a807cbe412f9 and fixed in 6.9.8 with commit ac9007520e392541a29daebaae8b9109007bc781 |
| Issue introduced in 2.6.36 with commit 902ffc3c707c1d459ea57428a619a807cbe412f9 and fixed in 6.10 with commit 2eabb655a968b862bc0c31629a09f0fbf3c80d51 |
| Issue introduced in 2.6.35.5 with commit aef30a0bfdf6c10565285fff1ae8400b34ee0d81 |
| |
| Please see https://www.kernel.org for a full list of kernel versions |
| currently supported by the kernel community. |
| |
| Unaffected versions might change over time as fixes are backported to |
| older supported kernel versions. The official CVE entry at |
| https://cve.org/CVERecord/?id=CVE-2024-41097 |
| will be updated if fixes are backported; please check that for the most |
| up-to-date information about this issue. |
| |
| |
| Affected files |
| ============== |
| |
| The file(s) affected by this issue are: |
| drivers/usb/atm/cxacru.c |
| |
| |
| Mitigation |
| ========== |
| |
| The Linux kernel CVE team recommends that you update to the latest |
| stable kernel version for this, and many other bugfixes. Individual |
| changes are never tested alone, but rather are part of a larger kernel |
| release. Cherry-picking individual commits is not recommended or |
| supported by the Linux kernel community at all. If, however, updating to |
| the latest release is impossible, the individual changes to resolve this |
| issue can be found at these commits: |
| https://git.kernel.org/stable/c/5159a81924311c1ec786ad9fdef784ead8676a6a |
| https://git.kernel.org/stable/c/23926d316d2836315cb113569f91393266eb5b47 |
| https://git.kernel.org/stable/c/75ddbf776dd04a09fb9e5267ead5d0c989f84506 |
| https://git.kernel.org/stable/c/1aac4be1aaa5177506219f01dce5e29194e5e95a |
| https://git.kernel.org/stable/c/5584c776a1af7807ca815ee6265f2c1429fc5727 |
| https://git.kernel.org/stable/c/f536f09eb45e4de8d1b9accee9d992aa1846f1d4 |
| https://git.kernel.org/stable/c/ac9007520e392541a29daebaae8b9109007bc781 |
| https://git.kernel.org/stable/c/2eabb655a968b862bc0c31629a09f0fbf3c80d51 |