CVE-2024-40927
- ULN >
- Oracle Linux CVE repository >
- CVE-2024-40927
CVE Details
| Release Date: | 2024-07-12 |
Description
In the Linux kernel, the following vulnerability has been resolved:\nxhci: Handle TD clearing for multiple streams case\nWhen multiple streams are in use, multiple TDs might be in flight when\nan endpoint is stopped. We need to issue a Set TR Dequeue Pointer for\neach, to ensure everything is reset properly and the caches cleared.\nChange the logic so that any N>1 TDs found active for different streams\nare deferred until after the first one is processed, calling\nxhci_invalidate_cancelled_tds() again from xhci_handle_cmd_set_deq() to\nqueue another command until we are done with all of them. Also change\nthe error/'should never happen' paths to ensure we at least clear any\naffected TDs, even if we can't issue a command to clear the hardware\ncache, and complain loudly with an xhci_warn() if this ever happens.\nThis problem case dates back to commit e9df17eb1408 ('USB: xhci: Correct\nassumptions about number of rings per endpoint.') early on in the XHCI\ndriver's life, when stream support was first added.\nIt was then identified but not fixed nor made into a warning in commit\n674f8438c121 ('xhci: split handling halted endpoints into two steps'),\nwhich added a FIXME comment for the problem case (without materially\nchanging the behavior as far as I can tell, though the new logic made\nthe problem more obvious).\nThen later, in commit 94f339147fc3 ('xhci: Fix failure to give back some\ncached cancelled URBs.'), it was acknowledged again.\n[Mathias: commit 94f339147fc3 ('xhci: Fix failure to give back some cached\ncancelled URBs.') was a targeted regression fix to the previously mentioned\npatch. Users reported issues with usb stuck after unmounting/disconnecting\nUAS devices. This rolled back the TD clearing of multiple streams to its\noriginal state.]\nApparently the commit author was aware of the problem (yet still chose\nto submit it): It was still mentioned as a FIXME, an xhci_dbg() was\nadded to log the problem condition, and the remaining issue was mentioned\nin the commit description. The choice of making the log type xhci_dbg()\nfor what is, at this point, a completely unhandled and known broken\ncondition is puzzling and unfortunate, as it guarantees that no actual\nusers would see the log in production, thereby making it nigh\nundebuggable (indeed, even if you turn on DEBUG, the message doesn't\nreally hint at there being a problem at all).\nIt took me *months* of random xHC crashes to finally find a reliable\nrepro and be able to do a deep dive debug session, which could all have\nbeen avoided had this unhandled, broken condition been actually reported\nwith a warning, as it should have been as a bug intentionally left in\nunfixed (never mind that it shouldn't have been left in at all).\n> Another fix to solve clearing the caches of all stream rings with\n> cancelled TDs is needed, but not as urgent.\n3 years after that statement and 14 years after the original bug was\nintroduced, I think it's finally time to fix it. And maybe next time\nlet's not leave bugs unfixed (that are actually worse than the original\nbug), and let's actually get people to review kernel commits please.\nFixes xHC crashes and IOMMU faults with UAS devices when handling\nerrors/faults. Easiest repro is to use `hdparm` to mark an early sector\n(e.g. 1024) on a disk as bad, then `cat /dev/sdX > /dev/null` in a loop.\nAt least in the case of JMicron controllers, the read errors end up\nhaving to cancel two TDs (for two queued requests to different streams)\nand the one that didn't get cleared properly ends up faulting the xHC\nentirely when it tries to access DMA pages that have since been unmapped,\nreferred to by the stale TDs. This normally happens quickly (after two\nor three loops). After this fix, I left the `cat` in a loop running\novernight and experienced no xHC failures, with all read errors\nrecovered properly. Repro'd and tested on an Apple M1 Mac Mini\n(dwc3 host).\nOn systems without an IOMMU, this bug would instead silently corrupt\nfreed memory, making this a\n---truncated---
See more information about CVE-2024-40927 from MITRE CVE dictionary and NIST NVD
CVSS Scoring
NOTE: The following CVSS v3.1 metrics and score provided are preliminary and subject to review.
| Base Score: | 6.1 | CVSS Vector: | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H |
| Attack Vector: | Local network | Attack Complexity: | Low |
| Privileges Required: | Low | User Interaction: | None |
| Scope: | Unchanged | Confidentiality Impact: | None |
| Integrity Impact: | Low | Availability Impact: | High |
Errata information
| Platform | Errata | Release Date |
| Oracle Linux version 8 (kernel) | ELSA-2024-5101 | 2024-08-08 |
| Oracle Linux version 8 (kernel-uek) | ELSA-2024-12618 | 2024-09-12 |
| Oracle Linux version 9 (kernel) | ELSA-2024-6567 | 2024-09-11 |
| Oracle Linux version 9 (kernel-uek) | ELSA-2024-12618 | 2024-09-12 |
This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections:
- Oracle customers - enter a support request
- Vulnerability scanning tools vendors and project maintainers - follow the standard ISV process
