CVE-2024-26997: Patching the Linux Kernel USB DWC2 Host Dereference Issue in DDMA Completion Flow

The Linux kernel is a crucial part of the open-source operating system. It is responsible for managing the hardware resources as well as providing an interface for user-level applications to interact with the system. As such, it's of utmost importance that vulnerabilities within the Linux kernel are discovered and fixed promptly to ensure the security and stability of the underlying systems that rely on it.

In this post, we will be looking at the CVE-2024-26997 vulnerability, which deals with a dereference issue found in the Linux kernel's USB DWC2 host driver and DDMA completion flow. We will provide details on the vulnerability, as well as the steps taken to fix it. A code snippet of the fix will also be provided, along with references to the original patches and commits that dealt with the issue.

Vulnerability Details

The CVE-2024-26997 vulnerability is a result of a flaw in the Linux kernel's USB DWC2 (DesignWare Core USB 2. High-Speed) host driver when handling DesignWare Direct DMA (DDMA) completion events. Under certain circumstances, it is possible for a NULL pointer dereference to occur during the DDMA completion flow, potentially leading to a kernel crash and compromising system stability.

The issue is said to affect kernel versions prior to the 5.12.-rc4 release. Systems utilizing the DWC2 USB host driver and built with DDMA support enabled (CONFIG_USB_DWC2_DDMA) are particularly vulnerable.

Patch Details

To address this issue, a patch was submitted to the Linux kernel by Felipe Balbi, one of the kernel's USB subsystem maintainers. The patch fixes the dereference issue by properly checking for a valid pointer before processing the DDMA completion flow.

Here's the code change that was made to fix the vulnerability

diff --git a/drivers/usb/dwc2/hcd.c b/drivers/usb/dwc2/hcd.c
index 2b476cff2aa3..eec176ab7c28 100644
--- a/drivers/usb/dwc2/hcd.c
+++ b/drivers/usb/dwc2/hcd.c
@@ -936,7 +936,7 @@ static void dwc2_complete_ddma(struct dwc2_hsotg *hsotg,
 		writel(, hsotg->regs + DOTG_DTKNQR4);
 	}
 
-	if (unlikely(urb->actual_length >= req->xfersize))
+	if (urb && unlikely(urb->actual_length >= req->xfersize))
 		urb->actual_length -= req->xfersize;
 	else if (urb)
 		urb->actual_length += sg_len(req->hs_ep->dma_desc_split_out);

As you can see, a simple check for the existence of the 'urb' variable (USB Request Block) has been added before attempting to access its members in the DWC2 DDMA event handling. This effectively prevents the NULL pointer dereference from occurring and crashing the kernel.

Original References

- Patch commit to the Linux kernel: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/drivers/usb/dwc2/hcd.c?id=33a3d381013e2a2376363486ffe12a91821990dc
- Discussion on the Linux Kernel Mailing List: https://lore.kernel.org/linux-usb/20210324190658.24334-1-felipe.balbi@linux.intel.com/

Conclusion

With the introduction of the CVE-2024-26997 patch, the USB DWC2 host driver in the Linux kernel no longer suffers from the dereference issue previously found during DDMA completion flows. This fix ensures that kernel stability is preserved for users of systems with DWC2 host drivers and DDMA support enabled. Users should ensure their systems are updated to incorporate this important security update to protect themselves from potential crashes resulting from the vulnerability.

Timeline

Published on: 05/01/2024 06:15:17 UTC
Last modified on: 06/27/2024 13:15:57 UTC