CVE-2024-26934

USB: core: Fix deadlock in usb_deauthorize_interface()

Severity Score

7.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved:

USB: core: Fix deadlock in usb_deauthorize_interface()

Among the attribute file callback routines in
drivers/usb/core/sysfs.c, the interface_authorized_store() function is
the only one which acquires a device lock on an ancestor device: It
calls usb_deauthorize_interface(), which locks the interface's parent
USB device.

The will lead to deadlock if another process already owns that lock
and tries to remove the interface, whether through a configuration
change or because the device has been disconnected. As part of the
removal procedure, device_del() waits for all ongoing sysfs attribute
callbacks to complete. But usb_deauthorize_interface() can't complete
until the device lock has been released, and the lock won't be
released until the removal has finished.

The mechanism provided by sysfs to prevent this kind of deadlock is
to use the sysfs_break_active_protection() function, which tells sysfs
not to wait for the attribute callback.

Reported-and-tested by: Yue Sun <samsun1006219@gmail.com>
Reported by: xingwei lee <xrivendell7@gmail.com>

En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: USB: core: corrige el punto muerto en usb_deauthorize_interface() Entre las rutinas de devolución de llamada de archivos de atributos en drivers/usb/core/sysfs.c, la función interface_authorized_store() es la única que adquiere un bloqueo de dispositivo en un dispositivo antecesor: llama a usb_deauthorize_interface(), que bloquea el dispositivo USB principal de la interfaz. Esto conducirá a un punto muerto si otro proceso ya posee ese bloqueo e intenta eliminar la interfaz, ya sea mediante un cambio de configuración o porque el dispositivo se ha desconectado. Como parte del procedimiento de eliminación, device_del() espera a que se completen todas las devoluciones de llamadas de atributos sysfs en curso. Pero usb_deauthorize_interface() no se puede completar hasta que se haya liberado el bloqueo del dispositivo, y el bloqueo no se liberará hasta que haya finalizado la eliminación. El mecanismo proporcionado por sysfs para evitar este tipo de punto muerto es utilizar la función sysfs_break_active_protection(), que le dice a sysfs que no espere la devolución de llamada del atributo. Reportado y probado por: Yue Sun Reportado por: xingwei lee

*Credits: N/A

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-02-19 CVE Reserved
2024-05-01 CVE Published
2024-05-24 EPSS Updated
2024-11-05 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-667: Improper Locking

CAPEC

References (14)

URL	Tag	Source
https://git.kernel.org/stable/c/310d2b4124c073a2057ef9d952d4d938e9b1dfd9	Vuln. Introduced
https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html
https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/8cbdd324b41528994027128207fae8100dff094f	2024-04-13
https://git.kernel.org/stable/c/12d6a5681a0a5cecc2af7860f0a1613fa7c6e947	2024-04-13
https://git.kernel.org/stable/c/e451709573f8be904a8a72d0775bf114d7c291d9	2024-04-13
https://git.kernel.org/stable/c/1b175bc579f46520b11ecda443bcd2ee4904f66a	2024-04-10
https://git.kernel.org/stable/c/ab062fa3dc69aea88fe62162c5881ba14b50ecc5	2024-04-03
https://git.kernel.org/stable/c/122a06f1068bf5e39089863f4f60b1f5d4273384	2024-04-03
https://git.kernel.org/stable/c/dbdf66250d2d33e8b27352fcb901de79f3521057	2024-04-03
https://git.kernel.org/stable/c/07acf979da33c721357ff27129edf74c23c036c6	2024-04-03
https://git.kernel.org/stable/c/80ba43e9f799cbdd83842fc27db667289b3150f5	2024-03-26

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2024-26934	2024-11-12
https://bugzilla.redhat.com/show_bug.cgi?id=2278237	2024-11-12

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.4 < 4.19.312 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.4 < 4.19.312"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.4 < 5.4.274 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.4 < 5.4.274"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.4 < 5.10.215 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.4 < 5.10.215"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.4 < 5.15.154 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.4 < 5.15.154"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.4 < 6.1.84 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.4 < 6.1.84"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.4 < 6.6.24 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.4 < 6.6.24"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.4 < 6.7.12 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.4 < 6.7.12"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.4 < 6.8.3 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.4 < 6.8.3"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.4 < 6.9 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.4 < 6.9"		en		Affected