| From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001 |
| From: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| To: <linux-cve-announce@vger.kernel.org> |
| Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org> |
| Subject: CVE-2024-26659: xhci: handle isoc Babble and Buffer Overrun events properly |
| |
| Description |
| =========== |
| |
| In the Linux kernel, the following vulnerability has been resolved: |
| |
| xhci: handle isoc Babble and Buffer Overrun events properly |
| |
| xHCI 4.9 explicitly forbids assuming that the xHC has released its |
| ownership of a multi-TRB TD when it reports an error on one of the |
| early TRBs. Yet the driver makes such an assumption and releases the TD, |
| allowing the remaining TRBs to be freed or overwritten by new TDs. |
| |
| The xHC should also report completion of the final TRB due to its IOC |
| flag being set by us, regardless of prior errors. This event cannot |
| be recognized if the TD has already been freed earlier, resulting in |
| "Transfer event TRB DMA ptr not part of current TD" error message. |
| |
| Fix this by reusing the logic for processing isoc Transaction Errors. |
| This also handles hosts which fail to report the final completion. |
| |
| Fix transfer length reporting on Babble errors. They may be caused by |
| device malfunction, no guarantee that the buffer has been filled. |
| |
| The Linux kernel CVE team has assigned CVE-2024-26659 to this issue. |
| |
| |
| Affected and fixed versions |
| =========================== |
| |
| Fixed in 5.10.213 with commit 696e4112e5c1ee61996198f0ebb6ca3fab55166e |
| Fixed in 5.15.152 with commit 2aa7bcfdbb46241c701811bbc0d64d7884e3346c |
| Fixed in 6.1.82 with commit 2e3ec80ea7ba58bbb210e83b5a0afefee7c171d3 |
| Fixed in 6.6.17 with commit f5e7ffa9269a448a720e21f1ed1384d118298c97 |
| Fixed in 6.7.5 with commit 418456c0ce56209610523f21734c5612ee634134 |
| Fixed in 6.8 with commit 7c4650ded49e5b88929ecbbb631efb8b0838e811 |
| |
| Please see https://www.kernel.org for a full list of kernel versions |
| currently supported by the kernel community. |
| |
| Unaffected versions might change over time as fixes are backported to |
| older supported kernel versions. The official CVE entry at |
| https://cve.org/CVERecord/?id=CVE-2024-26659 |
| will be updated if fixes are backported; please check that for the most |
| up-to-date information about this issue. |
| |
| |
| Affected files |
| ============== |
| |
| The file(s) affected by this issue are: |
| drivers/usb/host/xhci-ring.c |
| |
| |
| Mitigation |
| ========== |
| |
| The Linux kernel CVE team recommends that you update to the latest |
| stable kernel version for this, and many other bugfixes. Individual |
| changes are never tested alone, but rather are part of a larger kernel |
| release. Cherry-picking individual commits is not recommended or |
| supported by the Linux kernel community at all. If, however, updating to |
| the latest release is impossible, the individual changes to resolve this |
| issue can be found at these commits: |
| https://git.kernel.org/stable/c/696e4112e5c1ee61996198f0ebb6ca3fab55166e |
| https://git.kernel.org/stable/c/2aa7bcfdbb46241c701811bbc0d64d7884e3346c |
| https://git.kernel.org/stable/c/2e3ec80ea7ba58bbb210e83b5a0afefee7c171d3 |
| https://git.kernel.org/stable/c/f5e7ffa9269a448a720e21f1ed1384d118298c97 |
| https://git.kernel.org/stable/c/418456c0ce56209610523f21734c5612ee634134 |
| https://git.kernel.org/stable/c/7c4650ded49e5b88929ecbbb631efb8b0838e811 |
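
The TD ownership rule from the Description, as an added example that is not code from xhci-ring.c or from the kernel project: a simplified C model of one multi-TRB isoc TD that replays a Babble event on an early TRB followed by the completion event for the final TRB. All struct, enum and function names are hypothetical, and the `deferred` mode (keep the TD until its final TRB completes) is an assumption about the approach, not the driver's implementation.

```c
/* Added model, not kernel code: one isoc TD spanning several TRBs.
 * All names are hypothetical; completion codes are constructed. */
#include <stdbool.h>
#include <stdio.h>

enum comp { COMP_SUCCESS, COMP_BABBLE };
enum result { EV_PENDING, EV_GIVEBACK, EV_NOT_IN_TD };

struct td {
    int first_trb, last_trb;  /* ring slots owned by this TD */
    bool active;              /* driver still tracks the TD */
    int status;               /* 0, or -1 after an error */
};

/* Process one transfer event pointing at ring slot `trb`.
 * deferred == false: release the TD on the first error (pre-fix).
 * deferred == true:  keep the TD until its final TRB completes. */
static enum result handle_event(struct td *td, int trb, enum comp code,
                                bool deferred)
{
    if (!td->active || trb < td->first_trb || trb > td->last_trb)
        return EV_NOT_IN_TD;  /* "TRB DMA ptr not part of current TD" */
    if (code == COMP_BABBLE)
        td->status = -1;
    if (trb != td->last_trb && (code == COMP_SUCCESS || deferred))
        return EV_PENDING;    /* xHC may still own the later TRBs */
    td->active = false;       /* TD given back; its TRBs can be reused */
    return EV_GIVEBACK;
}

/* Replay: Babble on the first TRB, then the IOC event on the last TRB.
 * Returns the result of the second event and the status recorded. */
static enum result replay_final(bool deferred, int *status)
{
    struct td td = { .first_trb = 0, .last_trb = 2, .active = true };
    handle_event(&td, 0, COMP_BABBLE, deferred);
    enum result r = handle_event(&td, 2, COMP_SUCCESS, deferred);
    *status = td.status;
    return r;
}

int main(void)
{
    int st;
    printf("pre-fix : final event -> %d\n", replay_final(false, &st));
    enum result r = replay_final(true, &st);
    printf("deferred: final event -> %d (status %d)\n", r, st);
    return 0;
}
```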