We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.

Please see our statement on Data Privacy.

Crisp.chat (Helpdesk and Chat)

Ok

THREATINT
PUBLISHED

CVE-2024-45006

xhci: Fix Panther point NULL pointer deref at full-speed re-enumeration



AssignerLinux
Reserved2024-08-21
Published2024-09-04
Updated2024-09-04

Description

In the Linux kernel, the following vulnerability has been resolved: xhci: Fix Panther point NULL pointer deref at full-speed re-enumeration re-enumerating full-speed devices after a failed address device command can trigger a NULL pointer dereference. Full-speed devices may need to reconfigure the endpoint 0 Max Packet Size value during enumeration. Usb core calls usb_ep0_reinit() in this case, which ends up calling xhci_configure_endpoint(). On Panther point xHC the xhci_configure_endpoint() function will additionally check and reserve bandwidth in software. Other hosts do this in hardware If xHC address device command fails then a new xhci_virt_device structure is allocated as part of re-enabling the slot, but the bandwidth table pointers are not set up properly here. This triggers the NULL pointer dereference the next time usb_ep0_reinit() is called and xhci_configure_endpoint() tries to check and reserve bandwidth [46710.713538] usb 3-1: new full-speed USB device number 5 using xhci_hcd [46710.713699] usb 3-1: Device not responding to setup address. [46710.917684] usb 3-1: Device not responding to setup address. [46711.125536] usb 3-1: device not accepting address 5, error -71 [46711.125594] BUG: kernel NULL pointer dereference, address: 0000000000000008 [46711.125600] #PF: supervisor read access in kernel mode [46711.125603] #PF: error_code(0x0000) - not-present page [46711.125606] PGD 0 P4D 0 [46711.125610] Oops: Oops: 0000 [#1] PREEMPT SMP PTI [46711.125615] CPU: 1 PID: 25760 Comm: kworker/1:2 Not tainted 6.10.3_2 #1 [46711.125620] Hardware name: Gigabyte Technology Co., Ltd. [46711.125623] Workqueue: usb_hub_wq hub_event [usbcore] [46711.125668] RIP: 0010:xhci_reserve_bandwidth (drivers/usb/host/xhci.c Fix this by making sure bandwidth table pointers are set up correctly after a failed address device command, and additionally by avoiding checking for bandwidth in cases like this where no actual endpoints are added or removed, i.e. only context for default control endpoint 0 is evaluated.

Product status

Default status
0x4003668260

651aaf36a7d7 before ef0a0e616b27
affected

651aaf36a7d7 before a57b0ebabe68
affected

651aaf36a7d7 before 0f0654318e25
affected

651aaf36a7d7 before 365ef7c4277f
affected

651aaf36a7d7 before 5ad898ae8241
affected

651aaf36a7d7 before 6b99de301d78
affected

651aaf36a7d7 before 8fb9d412ebe2
affected

651aaf36a7d7 before af8e119f52e9
affected

Default status
0x40036683b0

4.15
affected

Any version before 4.15
unaffected

4.19.321
unaffected

5.4.283
unaffected

5.10.225
unaffected

5.15.166
unaffected

6.1.107
unaffected

6.6.48
unaffected

6.10.7
unaffected

6.11-rc4
unaffected

References

https://git.kernel.org/stable/c/ef0a0e616b2789bb804a0ce5e161db03170a85b6

https://git.kernel.org/stable/c/a57b0ebabe6862dce0a2e0f13e17941ad72fc56b

https://git.kernel.org/stable/c/0f0654318e25b2c185e245ba4a591e42fabb5e59

https://git.kernel.org/stable/c/365ef7c4277fdd781a695c3553fa157d622d805d

https://git.kernel.org/stable/c/5ad898ae82412f8a689d59829804bff2999dd0ea

https://git.kernel.org/stable/c/6b99de301d78e1f5249e57ef2c32e1dec3df2bb1

https://git.kernel.org/stable/c/8fb9d412ebe2f245f13481e4624b40e651570cbd

https://git.kernel.org/stable/c/af8e119f52e9c13e556be9e03f27957554a84656

cve.org CVE-2024-45006

nvd.nist.gov CVE-2024-45006

Download JSON

Share this page
https://cve.threatint.com/CVE/CVE-2024-45006
Subscribe to our newsletter to learn more about our work.