The Linux kernel is a popular open-source operating system used by millions of users globally. It provides a wide range of functionalities, making it adaptable to different use cases. Recently, a vulnerability that could lead to potential failures has been addressed in the Linux kernel. This post provides details about the vulnerability, along with a code snippet and links to original references.

Vulnerability Details

The vulnerability revolves around the USB xHCI (eXtensible Host Controller Interface) in the Linux kernel. Specifically, it deals with the function handle_tx_event() for transfer events without a Transfer Request Block (TRB).

Some transfer events do not point to a TRB and therefore do not have an endpoint ring. In such cases, handle_tx_event() should not proceed. However, if 'ep->skip' is set, the pointer to the endpoint ring is still used, which can result in a potential failure due to the absence of a TRB.

To resolve this issue and make the code logically sound, the function should return after checking the completion code for a transfer event without TRBs.

Here is the code snippet that details the changes made to address this vulnerability:

    static void handle_tx_event(struct xhci_hcd *xhci,
    --snip--
        ep_state = ep->skip ? EP_PASSED_SKIP : EP_STATE_NORMAL;

        if (ep_state == EP_PASSED_SKIP) {
            /* If we get a transfer event without TRBs, don't proceed */
            if (!trb) {
                xhci_dbg_trace(xhci, trace_xhci_dbg_cancel_urb,
                               "event without TRB, completion code %u", comp_code);
                return;
            }

With this modification in place, the handle_tx_event() function will only proceed if a valid TRB is present. This ensures that the code is logically sound and prevents potential failures due to incorrectly proceeding without a TRB.
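The control-flow difference described above can be modelled in user space. The following is an added example, not code from the kernel or from the patch; every struct, enum and function name in it is hypothetical, and the "before" handler follows this post's description of the flaw (the ring pointer being used when ep->skip is set) rather than the kernel source.

```c
#include <stdbool.h>
#include <stddef.h>

/* User-space model; all names are hypothetical, not kernel code. */
struct ring { unsigned int dequeue; };
struct endpoint { bool skip; };
struct tx_event {
    struct ring *ring; /* NULL when the event points to no TRB */
};

enum outcome {
    EVENT_NO_TRB_HANDLED, /* handler returned without touching a ring */
    EVENT_TD_PROCESSED,   /* ring was valid and was used */
    EVENT_NULL_RING_USED  /* bug: ring access reached with ring == NULL */
};

/* Common tail: the part of the handler that needs a valid ring. */
static enum outcome use_ring(struct endpoint *ep, struct ring *ring)
{
    if (!ring)
        return EVENT_NULL_RING_USED; /* real code would dereference NULL */
    ring->dequeue++;                 /* stand-in for walking the ring */
    ep->skip = false;
    return EVENT_TD_PROCESSED;
}

/* Before: a TRB-less event only returns early when ep->skip is clear. */
static enum outcome handle_tx_event_before(struct endpoint *ep,
                                           struct tx_event *ev)
{
    if (!ev->ring && !ep->skip)
        return EVENT_NO_TRB_HANDLED;
    return use_ring(ep, ev->ring);
}

/* After: a TRB-less event always returns (completion-code check omitted). */
static enum outcome handle_tx_event_after(struct endpoint *ep,
                                          struct tx_event *ev)
{
    if (!ev->ring)
        return EVENT_NO_TRB_HANDLED;
    return use_ring(ep, ev->ring);
}
```

The model reports the faulty path as a return value instead of dereferencing NULL, so both variants can be compared safely on the same inputs.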

Original Reference

This vulnerability was addressed and resolved in the Linux kernel's official repository. The patch can be found in the following commit:

- 2b6d11102778922e48faf9e6685de24962ef1148

Conclusion

In summary, CVE-2024-42226 concerns a potential failure in the Linux kernel's USB xHCI function handle_tx_event() for transfer events without TRBs. By returning after checking the completion code and ensuring the code's logical soundness, this vulnerability is effectively mitigated. It is essential to stay updated on the latest security patches and vulnerabilities to ensure that your systems and software are secure and robust.

Timeline

Published on: 07/30/2024 08:15:07 UTC
Last modified on: 07/30/2024 20:12:08 UTC