Google Git
Sign in
kernel / pub / scm / linux / security / vulns / refs/heads/sasha-vulnerable / . / cve / published / 2024 / CVE-2024-45006.json
blob: 0cf0615c27c0a708dc0656b030a56372e56949d1 [file] [log] [blame]
{
"containers": {
"cna": {
"providerMetadata": {
"orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
},
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxhci: Fix Panther point NULL pointer deref at full-speed re-enumeration\n\nre-enumerating full-speed devices after a failed address device command\ncan trigger a NULL pointer dereference.\n\nFull-speed devices may need to reconfigure the endpoint 0 Max Packet Size\nvalue during enumeration. Usb core calls usb_ep0_reinit() in this case,\nwhich ends up calling xhci_configure_endpoint().\n\nOn Panther point xHC the xhci_configure_endpoint() function will\nadditionally check and reserve bandwidth in software. Other hosts do\nthis in hardware\n\nIf xHC address device command fails then a new xhci_virt_device structure\nis allocated as part of re-enabling the slot, but the bandwidth table\npointers are not set up properly here.\nThis triggers the NULL pointer dereference the next time usb_ep0_reinit()\nis called and xhci_configure_endpoint() tries to check and reserve\nbandwidth\n\n[46710.713538] usb 3-1: new full-speed USB device number 5 using xhci_hcd\n[46710.713699] usb 3-1: Device not responding to setup address.\n[46710.917684] usb 3-1: Device not responding to setup address.\n[46711.125536] usb 3-1: device not accepting address 5, error -71\n[46711.125594] BUG: kernel NULL pointer dereference, address: 0000000000000008\n[46711.125600] #PF: supervisor read access in kernel mode\n[46711.125603] #PF: error_code(0x0000) - not-present page\n[46711.125606] PGD 0 P4D 0\n[46711.125610] Oops: Oops: 0000 [#1] PREEMPT SMP PTI\n[46711.125615] CPU: 1 PID: 25760 Comm: kworker/1:2 Not tainted 6.10.3_2 #1\n[46711.125620] Hardware name: Gigabyte Technology Co., Ltd.\n[46711.125623] Workqueue: usb_hub_wq hub_event [usbcore]\n[46711.125668] RIP: 0010:xhci_reserve_bandwidth (drivers/usb/host/xhci.c\n\nFix this by making sure bandwidth table pointers are set up correctly\nafter a failed address device command, and additionally by avoiding\nchecking for bandwidth in cases like this where no actual endpoints are\nadded or removed, i.e. only context for default control endpoint 0 is\nevaluated."
}
],
"affected": [
{
"product": "Linux",
"vendor": "Linux",
"defaultStatus": "unaffected",
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"programFiles": [
"drivers/usb/host/xhci.c"
],
"versions": [
{
"version": "651aaf36a7d7b36a58980e70133f9437d4f6d312",
"lessThan": "ef0a0e616b2789bb804a0ce5e161db03170a85b6",
"status": "affected",
"versionType": "git"
},
{
"version": "651aaf36a7d7b36a58980e70133f9437d4f6d312",
"lessThan": "a57b0ebabe6862dce0a2e0f13e17941ad72fc56b",
"status": "affected",
"versionType": "git"
},
{
"version": "651aaf36a7d7b36a58980e70133f9437d4f6d312",
"lessThan": "0f0654318e25b2c185e245ba4a591e42fabb5e59",
"status": "affected",
"versionType": "git"
},
{
"version": "651aaf36a7d7b36a58980e70133f9437d4f6d312",
"lessThan": "365ef7c4277fdd781a695c3553fa157d622d805d",
"status": "affected",
"versionType": "git"
},
{
"version": "651aaf36a7d7b36a58980e70133f9437d4f6d312",
"lessThan": "5ad898ae82412f8a689d59829804bff2999dd0ea",
"status": "affected",
"versionType": "git"
},
{
"version": "651aaf36a7d7b36a58980e70133f9437d4f6d312",
"lessThan": "6b99de301d78e1f5249e57ef2c32e1dec3df2bb1",
"status": "affected",
"versionType": "git"
},
{
"version": "651aaf36a7d7b36a58980e70133f9437d4f6d312",
"lessThan": "8fb9d412ebe2f245f13481e4624b40e651570cbd",
"status": "affected",
"versionType": "git"
},
{
"version": "651aaf36a7d7b36a58980e70133f9437d4f6d312",
"lessThan": "af8e119f52e9c13e556be9e03f27957554a84656",
"status": "affected",
"versionType": "git"
}
]
},
{
"product": "Linux",
"vendor": "Linux",
"defaultStatus": "affected",
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"programFiles": [
"drivers/usb/host/xhci.c"
],
"versions": [
{
"version": "4.15",
"status": "affected"
},
{
"version": "0",
"lessThan": "4.15",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "4.19.321",
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "5.4.283",
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "5.10.225",
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "5.15.166",
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "6.1.107",
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "6.6.48",
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "6.10.7",
"lessThanOrEqual": "6.10.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "6.11",
"lessThanOrEqual": "*",
"status": "unaffected",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"operator": "OR",
"negate": false,
"cpeMatch": [
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.15",
"versionEndExcluding": "4.19.321"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.15",
"versionEndExcluding": "5.4.283"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.15",
"versionEndExcluding": "5.10.225"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.15",
"versionEndExcluding": "5.15.166"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.15",
"versionEndExcluding": "6.1.107"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.15",
"versionEndExcluding": "6.6.48"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.15",
"versionEndExcluding": "6.10.7"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.15",
"versionEndExcluding": "6.11"
}
]
}
]
}
],
"references": [
{
"url": "https://git.kernel.org/stable/c/ef0a0e616b2789bb804a0ce5e161db03170a85b6"
},
{
"url": "https://git.kernel.org/stable/c/a57b0ebabe6862dce0a2e0f13e17941ad72fc56b"
},
{
"url": "https://git.kernel.org/stable/c/0f0654318e25b2c185e245ba4a591e42fabb5e59"
},
{
"url": "https://git.kernel.org/stable/c/365ef7c4277fdd781a695c3553fa157d622d805d"
},
{
"url": "https://git.kernel.org/stable/c/5ad898ae82412f8a689d59829804bff2999dd0ea"
},
{
"url": "https://git.kernel.org/stable/c/6b99de301d78e1f5249e57ef2c32e1dec3df2bb1"
},
{
"url": "https://git.kernel.org/stable/c/8fb9d412ebe2f245f13481e4624b40e651570cbd"
},
{
"url": "https://git.kernel.org/stable/c/af8e119f52e9c13e556be9e03f27957554a84656"
}
],
"title": "xhci: Fix Panther point NULL pointer deref at full-speed re-enumeration",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
"cveID": "CVE-2024-45006",
"requesterUserId": "gregkh@kernel.org",
"serial": "1",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.0"
}