cve/published/2024/CVE-2024-57981.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-57981: usb: xhci: Fix NULL pointer dereference on certain command aborts

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 usb: xhci: Fix NULL pointer dereference on certain command aborts

 If a command is queued to the final usable TRB of a ring segment, the
 enqueue pointer is advanced to the subsequent link TRB and no further.
 If the command is later aborted, when the abort completion is handled
 the dequeue pointer is advanced to the first TRB of the next segment.

 If no further commands are queued, xhci_handle_stopped_cmd_ring() sees
 the ring pointers unequal and assumes that there is a pending command,
 so it calls xhci_mod_cmd_timer() which crashes if cur_cmd was NULL.

 Don't attempt timer setup if cur_cmd is NULL. The subsequent doorbell
 ring likely is unnecessary too, but it's harmless. Leave it alone.

 This is probably Bug 219532, but no confirmation has been received.

 The issue has been independently reproduced and confirmed fixed using
 a USB MCU programmed to NAK the Status stage of SET_ADDRESS forever.
 Everything continued working normally after several prevented crashes.

 The Linux kernel CVE team has assigned CVE-2024-57981 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 3.16 with commit c311e391a7efd101250c0e123286709b7e736249 and fixed in 5.4.291 with commit fd8bfaeba4a85b14427899adec0efb3954300653
 	Issue introduced in 3.16 with commit c311e391a7efd101250c0e123286709b7e736249 and fixed in 5.10.235 with commit b44253956407046e5907d4d72c8fa5b93ae94485
 	Issue introduced in 3.16 with commit c311e391a7efd101250c0e123286709b7e736249 and fixed in 5.15.179 with commit cf30300a216a4f8dce94e11781a866a09d4b50d4
 	Issue introduced in 3.16 with commit c311e391a7efd101250c0e123286709b7e736249 and fixed in 6.1.129 with commit 4ff18870af793ce2034a6ad746e91d0a3d985b88
 	Issue introduced in 3.16 with commit c311e391a7efd101250c0e123286709b7e736249 and fixed in 6.6.76 with commit b649f0d5bc256f691c7d234c3986685d54053de1
 	Issue introduced in 3.16 with commit c311e391a7efd101250c0e123286709b7e736249 and fixed in 6.12.13 with commit ae069cd2ba09a2bd6a87a68c59ef0b7ea39cd641
 	Issue introduced in 3.16 with commit c311e391a7efd101250c0e123286709b7e736249 and fixed in 6.13.2 with commit 0ce5c0dac768be14afe2426101b568a0f66bfc4d
 	Issue introduced in 3.16 with commit c311e391a7efd101250c0e123286709b7e736249 and fixed in 6.14 with commit 1e0a19912adb68a4b2b74fd77001c96cd83eb073

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-57981
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/usb/host/xhci-ring.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/fd8bfaeba4a85b14427899adec0efb3954300653
 	https://git.kernel.org/stable/c/b44253956407046e5907d4d72c8fa5b93ae94485
 	https://git.kernel.org/stable/c/cf30300a216a4f8dce94e11781a866a09d4b50d4
 	https://git.kernel.org/stable/c/4ff18870af793ce2034a6ad746e91d0a3d985b88
 	https://git.kernel.org/stable/c/b649f0d5bc256f691c7d234c3986685d54053de1
 	https://git.kernel.org/stable/c/ae069cd2ba09a2bd6a87a68c59ef0b7ea39cd641
 	https://git.kernel.org/stable/c/0ce5c0dac768be14afe2426101b568a0f66bfc4d
 	https://git.kernel.org/stable/c/1e0a19912adb68a4b2b74fd77001c96cd83eb073
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-57981: usb: xhci: Fix NULL pointer dereference on certain command aborts

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	usb: xhci: Fix NULL pointer dereference on certain command aborts

	If a command is queued to the final usable TRB of a ring segment, the
	enqueue pointer is advanced to the subsequent link TRB and no further.
	If the command is later aborted, when the abort completion is handled
	the dequeue pointer is advanced to the first TRB of the next segment.

	If no further commands are queued, xhci_handle_stopped_cmd_ring() sees
	the ring pointers unequal and assumes that there is a pending command,
	so it calls xhci_mod_cmd_timer() which crashes if cur_cmd was NULL.

	Don't attempt timer setup if cur_cmd is NULL. The subsequent doorbell
	ring likely is unnecessary too, but it's harmless. Leave it alone.

	This is probably Bug 219532, but no confirmation has been received.

	The issue has been independently reproduced and confirmed fixed using
	a USB MCU programmed to NAK the Status stage of SET_ADDRESS forever.
	Everything continued working normally after several prevented crashes.

	The Linux kernel CVE team has assigned CVE-2024-57981 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 3.16 with commit c311e391a7efd101250c0e123286709b7e736249 and fixed in 5.4.291 with commit fd8bfaeba4a85b14427899adec0efb3954300653
	Issue introduced in 3.16 with commit c311e391a7efd101250c0e123286709b7e736249 and fixed in 5.10.235 with commit b44253956407046e5907d4d72c8fa5b93ae94485
	Issue introduced in 3.16 with commit c311e391a7efd101250c0e123286709b7e736249 and fixed in 5.15.179 with commit cf30300a216a4f8dce94e11781a866a09d4b50d4
	Issue introduced in 3.16 with commit c311e391a7efd101250c0e123286709b7e736249 and fixed in 6.1.129 with commit 4ff18870af793ce2034a6ad746e91d0a3d985b88
	Issue introduced in 3.16 with commit c311e391a7efd101250c0e123286709b7e736249 and fixed in 6.6.76 with commit b649f0d5bc256f691c7d234c3986685d54053de1
	Issue introduced in 3.16 with commit c311e391a7efd101250c0e123286709b7e736249 and fixed in 6.12.13 with commit ae069cd2ba09a2bd6a87a68c59ef0b7ea39cd641
	Issue introduced in 3.16 with commit c311e391a7efd101250c0e123286709b7e736249 and fixed in 6.13.2 with commit 0ce5c0dac768be14afe2426101b568a0f66bfc4d
	Issue introduced in 3.16 with commit c311e391a7efd101250c0e123286709b7e736249 and fixed in 6.14 with commit 1e0a19912adb68a4b2b74fd77001c96cd83eb073

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-57981
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/usb/host/xhci-ring.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/fd8bfaeba4a85b14427899adec0efb3954300653
	https://git.kernel.org/stable/c/b44253956407046e5907d4d72c8fa5b93ae94485
	https://git.kernel.org/stable/c/cf30300a216a4f8dce94e11781a866a09d4b50d4
	https://git.kernel.org/stable/c/4ff18870af793ce2034a6ad746e91d0a3d985b88
	https://git.kernel.org/stable/c/b649f0d5bc256f691c7d234c3986685d54053de1
	https://git.kernel.org/stable/c/ae069cd2ba09a2bd6a87a68c59ef0b7ea39cd641
	https://git.kernel.org/stable/c/0ce5c0dac768be14afe2426101b568a0f66bfc4d
	https://git.kernel.org/stable/c/1e0a19912adb68a4b2b74fd77001c96cd83eb073