CVE-2024-45006: Linux Kernel xHCI Panther Point NULL Pointer Dereference Fixed

A vulnerability in the Linux kernel has been reported and resolved. The issue pertains to the xHCI (eXtensible Host Controller Interface) and affects the Panther Point USB host controller when re-enumerating full-speed devices after a failed address device command. This may lead to a NULL pointer dereference, causing the system to crash. This post will provide a detailed explanation of the vulnerability, a code snippet demonstrating the problem, and the fix that has been implemented.

Exploit Details

The vulnerability stems from the process of re-enumerating full-speed devices after a failed address device command. In that case, the usb_ep_reinit() function is called to reconfigure the endpoint's Max Packet Size value during enumeration. This function eventually calls xhci_configure_endpoint(), which is responsible for checking and reserving bandwidth in software for the Panther Point xHC.

The problem occurs when the xHC address device command fails and a new xhci_virt_device structure is allocated to re-enable the slot. When this happens, the bandwidth table pointers of the new structure are not set up, which leads to a NULL pointer dereference the next time usb_ep_reinit() is called and xhci_configure_endpoint() runs to reserve bandwidth.

The following excerpt from the system log shows the failed address device command followed by the resulting kernel oops:

[46710.713538] usb 3-1: new full-speed USB device number 5 using xhci_hcd
[46710.713699] usb 3-1: Device not responding to setup address.
[46710.917684] usb 3-1: Device not responding to setup address.
[46711.125536] usb 3-1: device not accepting address 5, error -71
[46711.125594] BUG: kernel NULL pointer dereference, address: 0000000000000008
[46711.125600] #PF: supervisor read access in kernel mode
[46711.125603] #PF: error_code(0x0000) - not-present page
[46711.125606] PGD 0 P4D 0
[46711.125610] Oops: Oops: 0000 [#1] PREEMPT SMP PTI
[46711.125615] CPU: 1 PID: 25760 Comm: kworker/1:2 Not tainted 6.10.3_2 #1
[46711.125620] Hardware name: Gigabyte Technology Co., Ltd.
[46711.125623] Workqueue: usb_hub_wq hub_event [usbcore]
[46711.125668] RIP: 0010:xhci_reserve_bandwidth (drivers/usb/host/xhci.c

Fix:

To resolve the NULL pointer dereference, the Linux kernel developers made sure that the bandwidth table pointers are correctly set up after a failed address device command. In addition, bandwidth is no longer checked when no endpoints are actually added or removed, i.e. when only the default control endpoint's context is being evaluated.
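The failure and the two-part fix described above, reduced to a small model in C (an added example written for this post, not the kernel's own code; every model_* name is hypothetical, the flag bits follow xHCI's input control context layout, and returning -EINVAL where the kernel dereferenced NULL is a choice of the model so the defect stays observable):

```c
/* Simplified model of the bandwidth-table bookkeeping described above. Added
 * example, not kernel code; every model_* name is hypothetical. */
#include <errno.h>
#include <stdlib.h>

#define MODEL_EPS   31          /* endpoint contexts per slot: EP0 plus 30 more */
#define MODEL_PORTS 4           /* root ports, each with its own bandwidth table */
#define SLOT_FLAG   (1u << 0)   /* input control context flag bits, as laid out in xHCI */
#define EP0_FLAG    (1u << 1)
#define EP_FLAG(ep_index) (1u << ((ep_index) + 1))   /* EP_FLAG(0) == EP0_FLAG */

struct model_bw_table { unsigned bw_used; };                /* per-root-port bookkeeping */
struct model_virt_ep  { struct model_bw_table *bw_table; }; /* NULL until wired up */
struct model_virt_dev { struct model_virt_ep eps[MODEL_EPS]; int port; };

/* Allocate the virt device for a slot. wire_bw == 0 reproduces the buggy re-enable
 * path, which left the new device's bw_table pointers NULL. */
struct model_virt_dev *model_alloc_dev(int port, struct model_bw_table *tables, int wire_bw)
{
    struct model_virt_dev *dev = calloc(1, sizeof *dev);
    if (!dev) return NULL;
    dev->port = port;
    if (wire_bw)
        for (int i = 0; i < MODEL_EPS; i++)   /* first part of the fix: always do this */
            dev->eps[i].bw_table = &tables[dev->port];
    return dev;
}

/* Re-enable the slot after a failed address device command: the old virt device is
 * freed and a fresh one allocated; fixed selects patched (1) or buggy (0) behaviour. */
struct model_virt_dev *model_reenable_slot(struct model_virt_dev *old, struct model_bw_table *tables, int fixed)
{
    int port = old->port;
    free(old);
    return model_alloc_dev(port, tables, fixed);
}

/* Bandwidth reservation as reached from xhci_configure_endpoint(). Returns -EINVAL
 * where the kernel dereferenced NULL, so the defect is observable without an oops. */
int model_reserve_bandwidth(struct model_virt_dev *dev, unsigned add_flags, unsigned drop_flags, unsigned ep_index, unsigned bw)
{
    /* Second part of the fix: if only the slot and default control endpoint contexts
     * are evaluated (the usb_ep_reinit() case), nothing is added or dropped. */
    if (((add_flags | drop_flags) & ~(SLOT_FLAG | EP0_FLAG)) == 0) return 0;
    if (ep_index >= MODEL_EPS) return -EINVAL;
    struct model_bw_table *t = dev->eps[ep_index].bw_table;
    if (!t) return -EINVAL;   /* the NULL bw_table the oops above was reading */
    t->bw_used += bw;
    return 0;
}
```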

Timeline

Published on: 09/04/2024 20:15:08 UTC
Last modified on: 09/06/2024 16:26:52 UTC