CVE-2024-45006

Summary

In the Linux kernel, the following vulnerability has been resolved:

xhci: Fix Panther point NULL pointer deref at full-speed re-enumeration

re-enumerating full-speed devices after a failed address device command can trigger a NULL pointer dereference.

Full-speed devices may need to reconfigure the endpoint 0 Max Packet Size value during enumeration. Usb core calls usb_ep0_reinit() in this case, which ends up calling xhci_configure_endpoint().

On Panther point xHC the xhci_configure_endpoint() function will additionally check and reserve bandwidth in software. Other hosts do this in hardware

If xHC address device command fails then a new xhci_virt_device structure is allocated as part of re-enabling the slot, but the bandwidth table pointers are not set up properly here. This triggers the NULL pointer dereference the next time usb_ep0_reinit() is called and xhci_configure_endpoint() tries to check and reserve bandwidth

[46710.713538] usb 3-1: new full-speed USB device number 5 using xhci_hcd [46710.713699] usb 3-1: Device not responding to setup address. [46710.917684] usb 3-1: Device not responding to setup address. [46711.125536] usb 3-1: device not accepting address 5, error -71 [46711.125594] BUG: kernel NULL pointer dereference, address: 0000000000000008 [46711.125600] #PF: supervisor read access in kernel mode [46711.125603] #PF: error_code(0x0000) - not-present page [46711.125606] PGD 0 P4D 0 [46711.125610] Oops: Oops: 0000 [#1] PREEMPT SMP PTI [46711.125615] CPU: 1 PID: 25760 Comm: kworker/1:2 Not tainted 6.10.3_2 #1 [46711.125620] Hardware name: Gigabyte Technology Co., Ltd. [46711.125623] Workqueue: usb_hub_wq hub_event [usbcore] [46711.125668] RIP: 0010:xhci_reserve_bandwidth (drivers/usb/host/xhci.c

Fix this by making sure bandwidth table pointers are set up correctly after a failed address device command, and additionally by avoiding checking for bandwidth in cases like this where no actual endpoints are added or removed, i.e. only context for default control endpoint 0 is evaluated.

Affected Software

VendorProductVersion RangeStatus
LinuxLinux651aaf36a7d7b36a58980e70133f9437d4f6d312 < ef0a0e616b2789bb804a0ce5e161db03170a85b6affected
LinuxLinux651aaf36a7d7b36a58980e70133f9437d4f6d312 < a57b0ebabe6862dce0a2e0f13e17941ad72fc56baffected
LinuxLinux651aaf36a7d7b36a58980e70133f9437d4f6d312 < 0f0654318e25b2c185e245ba4a591e42fabb5e59affected
LinuxLinux651aaf36a7d7b36a58980e70133f9437d4f6d312 < 365ef7c4277fdd781a695c3553fa157d622d805daffected
LinuxLinux651aaf36a7d7b36a58980e70133f9437d4f6d312 < 5ad898ae82412f8a689d59829804bff2999dd0eaaffected
LinuxLinux651aaf36a7d7b36a58980e70133f9437d4f6d312 < 6b99de301d78e1f5249e57ef2c32e1dec3df2bb1affected
LinuxLinux651aaf36a7d7b36a58980e70133f9437d4f6d312 < 8fb9d412ebe2f245f13481e4624b40e651570cbdaffected
LinuxLinux651aaf36a7d7b36a58980e70133f9437d4f6d312 < af8e119f52e9c13e556be9e03f27957554a84656affected
LinuxLinux4.15affected
LinuxLinux0 < 4.15unaffected
LinuxLinux4.19.321 <= 4.19.*unaffected
LinuxLinux5.4.283 <= 5.4.*unaffected
LinuxLinux5.10.225 <= 5.10.*unaffected
LinuxLinux5.15.166 <= 5.15.*unaffected
LinuxLinux6.1.107 <= 6.1.*unaffected
LinuxLinux6.6.48 <= 6.6.*unaffected
LinuxLinux6.10.7 <= 6.10.*unaffected
LinuxLinux6.11 <= *unaffected

Weaknesses

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

CVE Program Container

Additional References

References