CVE-2023-52901

Summary

In the Linux kernel, the following vulnerability has been resolved:

usb: xhci: Check endpoint is valid before dereferencing it

When the host controller is not responding, all URBs queued to all endpoints need to be killed. This can cause a kernel panic if we dereference an invalid endpoint.

Fix this by using xhci_get_virt_ep() helper to find the endpoint and checking if the endpoint is valid before dereferencing it.

[233311.853271] xhci-hcd xhci-hcd.1.auto: xHCI host controller not responding, assume dead [233311.853393] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000e8

[233311.853964] pc : xhci_hc_died+0x10c/0x270 [233311.853971] lr : xhci_hc_died+0x1ac/0x270

[233311.854077] Call trace: [233311.854085] xhci_hc_died+0x10c/0x270 [233311.854093] xhci_stop_endpoint_command_watchdog+0x100/0x1a4 [233311.854105] call_timer_fn+0x50/0x2d4 [233311.854112] expire_timers+0xac/0x2e4 [233311.854118] run_timer_softirq+0x300/0xabc [233311.854127] __do_softirq+0x148/0x528 [233311.854135] irq_exit+0x194/0x1a8 [233311.854143] __handle_domain_irq+0x164/0x1d0 [233311.854149] gic_handle_irq.22273+0x10c/0x188 [233311.854156] el1_irq+0xfc/0x1a8 [233311.854175] lpm_cpuidle_enter+0x25c/0x418 [msm_pm] [233311.854185] cpuidle_enter_state+0x1f0/0x764 [233311.854194] do_idle+0x594/0x6ac [233311.854201] cpu_startup_entry+0x7c/0x80 [233311.854209] secondary_start_kernel+0x170/0x198

Affected Software

VendorProductVersion RangeStatus
LinuxLinux50e8725e7c429701e530439013f9681e1fa36b5d < 375be2dd61a072f7b1cac9b17eea59e07b58db3aaffected
LinuxLinux50e8725e7c429701e530439013f9681e1fa36b5d < 2d2820d5f375563690c96e60676855205abfb7f5affected
LinuxLinux50e8725e7c429701e530439013f9681e1fa36b5d < 9891e5c73cab3fd9ed532dc50e9799e55e974766affected
LinuxLinux50e8725e7c429701e530439013f9681e1fa36b5d < 66fc1600855c05c4ba4e997184c91cf298e0405caffected
LinuxLinux50e8725e7c429701e530439013f9681e1fa36b5d < f39c813af0b64f44af94e435c07bfa1ddc2575f5affected
LinuxLinux50e8725e7c429701e530439013f9681e1fa36b5d < 08864dc14a6803f0377ca77b9740b26db30c020faffected
LinuxLinux50e8725e7c429701e530439013f9681e1fa36b5d < e8fb5bc76eb86437ab87002d4a36d6da02165654affected
LinuxLinux3.15affected
LinuxLinux0 < 3.15unaffected
LinuxLinux4.14.304 <= 4.14.*unaffected
LinuxLinux4.19.271 <= 4.19.*unaffected
LinuxLinux5.4.230 <= 5.4.*unaffected
LinuxLinux5.10.165 <= 5.10.*unaffected
LinuxLinux5.15.90 <= 5.15.*unaffected
LinuxLinux6.1.8 <= 6.1.*unaffected
LinuxLinux6.2 <= *unaffected

Weaknesses

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References