CVE-2024-26934 - Linux Kernel USB Core Deadlock Vulnerability Resolved through Fix in usb_deauthorize_interface()
In the world of cybersecurity, vulnerabilities are discovered and resolved as a regular part of the process. Among the recent vulnerabilities discovered, one of them was found in the Linux kernel that could lead to a deadlock. This post will present the details of this vulnerability, CVE-2024-26934, and provide code snippets, links to original references, and exploit details, all while using simple American language for your understanding.
What Is CVE-2024-26934?
CVE-2024-26934 is a vulnerability found in the Linux kernel that, if not fixed promptly, could lead to a deadlock situation. A deadlock occurs when two or more processes are waiting for one another to complete, with neither able to progress until the other does. In this case, the deadlock arises in the USB core system due to an issue with the usb_deauthorize_interface() function.
The vulnerability was reported by Yue Sunand xingwei lee. They found that, among the attribute file callback routines in drivers/usb/core/sysfs.c, the interface_authorized_store() function is the only one that acquires a device lock on an ancestor device. It then calls usb_deauthorize_interface(), which locks the interface's parent USB device.
This can lead to a deadlock situation if another process has already obtained that lock and tries to remove the interface, whether through a configuration change or due to the device being disconnected. As part of the removal process, device_del() waits for all ongoing sysfs attribute callbacks to complete. However, usb_deauthorize_interface() cannot finish until the device lock has been released, and the lock will not be released until the removal is done.
To solve this problem, the Linux kernel developers introduced a fix to the usb_deauthorize_interface().
The Fix: usb_deauthorize_interface()
The solution provided for this vulnerability is to use the sysfs_break_active_protection() function, which indicates sysfs not to wait for the attribute callback. Here's a code snippet of the fix that was applied:
static ssize_t interface_authorized_store(struct device *dev,
struct device_attribute *attr,
const char *buf, size_t size)
{
static const char __yes[] = "yes";
static const char __no[] = "no";
struct usb_interface *intf = to_usb_interface(dev);
int ret;
ret = usb_lock_device_for_reset(intf->dev.parent, intf);
if (ret)
return ret;
sysfs_break_active_protection(&attr->attr);
if (size == sizeof(__yes) && !strcmp(buf, __yes))
ret = usb_authorize_interface(intf);
else if (size == sizeof(__no) && !strcmp(buf, __no))
ret = usb_deauthorize_interface(intf);
else
ret = -EINVAL;
sysfs_unbreak_active_protection(&attr->attr);
usb_unlock_device(intf->dev.parent);
return ret ? ret : size;
}
With this fix applied, the USB core system should no longer experience deadlocks caused by the usb_deauthorize_interface() function.
For more information about this vulnerability and the fix, you can refer to the following sources
- Linux kernel commit fixing the issue: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c49700af2095656e2186c4d025adfd
- Linux kernel mailing list discussion: https://lkml.org/lkml/2024/01/22/519
Exploit Details
As of now, there have been no known exploits targeting this vulnerability. The swift response from the Linux kernel developers ensures users that their systems remain secure. However, it's always a good idea to keep your kernel up to date and apply relevant security patches as they become available.
In conclusion, CVE-2024-26934 was a vulnerability found in the Linux kernel that resulted in a deadlock situation. The issue was addressed by introducing a fix in usb_deauthorize_interface() using the sysfs_break_active_protection() function. Users should ensure they have the latest Linux kernel version and apply necessary security patches to maintain a secure system.
Timeline
Published on: 05/01/2024 06:15:08 UTC
Last modified on: 08/02/2024 00:21:05 UTC