CVE-2024-27001
comedi: vmk80xx: fix incomplete endpoint checking
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
In the Linux kernel, the following vulnerability has been resolved:
comedi: vmk80xx: fix incomplete endpoint checking
While vmk80xx does have endpoint checking implemented, some things
can fall through the cracks. Depending on the hardware model,
URBs can have either bulk or interrupt type, and current version
of vmk80xx_find_usb_endpoints() function does not take that fully
into account. While this warning does not seem to be too harmful,
at the very least it will crash systems with 'panic_on_warn' set on
them.
Fix the issue found by Syzkaller [1] by somewhat simplifying the
endpoint checking process with usb_find_common_endpoints() and
ensuring that only expected endpoint types are present.
This patch has not been tested on real hardware.
[1] Syzkaller report:
usb 1-1: BOGUS urb xfer, pipe 1 != type 3
WARNING: CPU: 0 PID: 781 at drivers/usb/core/urb.c:504 usb_submit_urb+0xc4e/0x18c0 drivers/usb/core/urb.c:503
...
Call Trace:
<TASK>
usb_start_wait_urb+0x113/0x520 drivers/usb/core/message.c:59
vmk80xx_reset_device drivers/comedi/drivers/vmk80xx.c:227 [inline]
vmk80xx_auto_attach+0xa1c/0x1a40 drivers/comedi/drivers/vmk80xx.c:818
comedi_auto_config+0x238/0x380 drivers/comedi/drivers.c:1067
usb_probe_interface+0x5cd/0xb00 drivers/usb/core/driver.c:399
...
Similar issue also found by Syzkaller:
En el kernel de Linux, se resolvió la siguiente vulnerabilidad: comedi: vmk80xx: corrige la verificación de endpoints incompleta Si bien vmk80xx tiene implementada la verificación de endpoints, algunas cosas pueden pasar desapercibidas. Dependiendo del modelo de hardware, las URB pueden tener un tipo masivo o de interrupción, y la versión actual de la función vmk80xx_find_usb_endpoints() no lo tiene completamente en cuenta. Si bien esta advertencia no parece ser demasiado dañina, al menos bloqueará los sistemas que tengan configurado 'panic_on_warn'. Solucione el problema encontrado por Syzkaller [1] simplificando un poco el proceso de verificación de endpoints con usb_find_common_endpoints() y asegurándose de que solo estén presentes los tipos de endpoints esperados. Este parche no ha sido probado en hardware real. [1] Informe Syzkaller: usb 1-1: BOGUS urb xfer, tubería 1! = tipo 3 ADVERTENCIA: CPU: 0 PID: 781 en drivers/usb/core/urb.c:504 usb_submit_urb+0xc4e/0x18c0 drivers/usb/ core/urb.c:503... Seguimiento de llamadas: usb_start_wait_urb+0x113/0x520 drivers/usb/core/message.c:59 vmk80xx_reset_device drivers/comedi/drivers/vmk80xx.c:227 [en línea] vmk80xx_auto_attach+0xa1c /0x1a40 drivers/comedi/drivers/vmk80xx.c:818 comedi_auto_config+0x238/0x380 drivers/comedi/drivers.c:1067 usb_probe_interface+0x5cd/0xb00 drivers/usb/core/driver.c:399 ... También se encontró un problema similar por Syzkaller:
CVSS Scores
SSVC
- Decision:Track
Timeline
- 2024-02-19 CVE Reserved
- 2024-05-01 CVE Published
- 2024-05-03 EPSS Updated
- 2024-08-02 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
CAPEC
References (11)
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 3.9 < 4.19.313 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.9 < 4.19.313" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 3.9 < 5.4.275 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.9 < 5.4.275" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 3.9 < 5.10.216 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.9 < 5.10.216" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 3.9 < 5.15.157 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.9 < 5.15.157" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 3.9 < 6.1.88 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.9 < 6.1.88" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 3.9 < 6.6.29 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.9 < 6.6.29" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 3.9 < 6.8.8 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.9 < 6.8.8" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 3.9 < 6.9 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.9 < 6.9" | en |
Affected
| ||||||