CVE-2024-26659

xhci: handle isoc Babble and Buffer Overrun events properly

Severity Score

4.1

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved:

xhci: handle isoc Babble and Buffer Overrun events properly

xHCI 4.9 explicitly forbids assuming that the xHC has released its
ownership of a multi-TRB TD when it reports an error on one of the
early TRBs. Yet the driver makes such assumption and releases the TD,
allowing the remaining TRBs to be freed or overwritten by new TDs.

The xHC should also report completion of the final TRB due to its IOC
flag being set by us, regardless of prior errors. This event cannot
be recognized if the TD has already been freed earlier, resulting in
"Transfer event TRB DMA ptr not part of current TD" error message.

Fix this by reusing the logic for processing isoc Transaction Errors.
This also handles hosts which fail to report the final completion.

Fix transfer length reporting on Babble errors. They may be caused by
device malfunction, no guarantee that the buffer has been filled.

En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: xhci: maneja correctamente los eventos isoc Babble y Buffer Overrun xHCI 4.9 prohíbe explícitamente suponer que xHC ha liberado su propiedad de un TD multi-TRB cuando informa un error en uno de los primeros TRB. Sin embargo, el conductor hace tal suposición y libera el TD, permitiendo que los TRB restantes sean liberados o sobrescritos por nuevos TD. El xHC también debe informar la finalización del TRB final debido a que nosotros establecimos la bandera del COI, independientemente de los errores anteriores. Este evento no se puede reconocer si el TD ya se liberó anteriormente, lo que genera el mensaje de error "Evento de transferencia TRB DMA ptr no forma parte del TD actual". Solucione este problema reutilizando la lógica para procesar errores de transacción isoc. Esto también maneja los hosts que no informan la finalización final. Se corrigió el informe de duración de la transferencia sobre errores de Babble. Pueden deberse a un mal funcionamiento del dispositivo, no hay garantía de que se haya llenado el búfer.

A flaw was found in the Linux kernel related to the Extensible Host Controller Interface (xHCI) subsystem, specifically how it handles certain events. The issue arises when the xHCI driver improperly handles isochronous (isoc) Babble and Buffer Overrun events. The vulnerability occurs because the xHCI driver incorrectly assumes that the xHC (host controller) has released its ownership of a multi-TRB (Transfer Request Block) TD (Transfer Descriptor) after reporting an error on an early TRB. This assumption leads to the premature release of the TD, allowing remaining TRBs to be freed or overwritten, which can cause system instability or crashes.

*Credits: N/A

CVSS Scores

Red Hatv3.1 4.1

Attack Vector

Local

Attack Complexity

High

Privileges Required

High

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-02-19 CVE Reserved
2024-04-02 CVE Published
2024-04-02 EPSS Updated
2024-08-02 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer

CAPEC

References (9)

URL	Tag	Source
https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/696e4112e5c1ee61996198f0ebb6ca3fab55166e	2024-03-15
https://git.kernel.org/stable/c/2aa7bcfdbb46241c701811bbc0d64d7884e3346c	2024-03-15
https://git.kernel.org/stable/c/2e3ec80ea7ba58bbb210e83b5a0afefee7c171d3	2024-03-15
https://git.kernel.org/stable/c/f5e7ffa9269a448a720e21f1ed1384d118298c97	2024-02-16
https://git.kernel.org/stable/c/418456c0ce56209610523f21734c5612ee634134	2024-02-16
https://git.kernel.org/stable/c/7c4650ded49e5b88929ecbbb631efb8b0838e811	2024-01-28

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2024-26659	2024-06-05
https://bugzilla.redhat.com/show_bug.cgi?id=2272780	2024-06-05

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				< 5.10.213 Search vendor "Linux" for product "Linux Kernel" and version " < 5.10.213"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				< 5.15.152 Search vendor "Linux" for product "Linux Kernel" and version " < 5.15.152"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				< 6.1.82 Search vendor "Linux" for product "Linux Kernel" and version " < 6.1.82"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				< 6.6.17 Search vendor "Linux" for product "Linux Kernel" and version " < 6.6.17"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				< 6.7.5 Search vendor "Linux" for product "Linux Kernel" and version " < 6.7.5"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				< 6.8 Search vendor "Linux" for product "Linux Kernel" and version " < 6.8"		en		Affected