// For flags

CVE-2024-27001

comedi: vmk80xx: fix incomplete endpoint checking

Severity Score

"-"
*CVSS v-

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

Track
*SSVC
Descriptions

In the Linux kernel, the following vulnerability has been resolved:

comedi: vmk80xx: fix incomplete endpoint checking

While vmk80xx does have endpoint checking implemented, some things
can fall through the cracks. Depending on the hardware model,
URBs can have either bulk or interrupt type, and current version
of vmk80xx_find_usb_endpoints() function does not take that fully
into account. While this warning does not seem to be too harmful,
at the very least it will crash systems with 'panic_on_warn' set on
them.

Fix the issue found by Syzkaller [1] by somewhat simplifying the
endpoint checking process with usb_find_common_endpoints() and
ensuring that only expected endpoint types are present.

This patch has not been tested on real hardware.

[1] Syzkaller report:
usb 1-1: BOGUS urb xfer, pipe 1 != type 3
WARNING: CPU: 0 PID: 781 at drivers/usb/core/urb.c:504 usb_submit_urb+0xc4e/0x18c0 drivers/usb/core/urb.c:503
...
Call Trace:
<TASK>
usb_start_wait_urb+0x113/0x520 drivers/usb/core/message.c:59
vmk80xx_reset_device drivers/comedi/drivers/vmk80xx.c:227 [inline]
vmk80xx_auto_attach+0xa1c/0x1a40 drivers/comedi/drivers/vmk80xx.c:818
comedi_auto_config+0x238/0x380 drivers/comedi/drivers.c:1067
usb_probe_interface+0x5cd/0xb00 drivers/usb/core/driver.c:399
...

Similar issue also found by Syzkaller:

En el kernel de Linux, se resolvió la siguiente vulnerabilidad: comedi: vmk80xx: corrige la verificación de endpoints incompleta Si bien vmk80xx tiene implementada la verificación de endpoints, algunas cosas pueden pasar desapercibidas. Dependiendo del modelo de hardware, las URB pueden tener un tipo masivo o de interrupción, y la versión actual de la función vmk80xx_find_usb_endpoints() no lo tiene completamente en cuenta. Si bien esta advertencia no parece ser demasiado dañina, al menos bloqueará los sistemas que tengan configurado 'panic_on_warn'. Solucione el problema encontrado por Syzkaller [1] simplificando un poco el proceso de verificación de endpoints con usb_find_common_endpoints() y asegurándose de que solo estén presentes los tipos de endpoints esperados. Este parche no ha sido probado en hardware real. [1] Informe Syzkaller: usb 1-1: BOGUS urb xfer, tubería 1! = tipo 3 ADVERTENCIA: CPU: 0 PID: 781 en drivers/usb/core/urb.c:504 usb_submit_urb+0xc4e/0x18c0 drivers/usb/ core/urb.c:503... Seguimiento de llamadas: usb_start_wait_urb+0x113/0x520 drivers/usb/core/message.c:59 vmk80xx_reset_device drivers/comedi/drivers/vmk80xx.c:227 [en línea] vmk80xx_auto_attach+0xa1c /0x1a40 drivers/comedi/drivers/vmk80xx.c:818 comedi_auto_config+0x238/0x380 drivers/comedi/drivers.c:1067 usb_probe_interface+0x5cd/0xb00 drivers/usb/core/driver.c:399 ... También se encontró un problema similar por Syzkaller:

*Credits: N/A
CVSS Scores
Attack Vector
-
Attack Complexity
-
Privileges Required
-
User Interaction
-
Scope
-
Confidentiality
-
Integrity
-
Availability
-
* Common Vulnerability Scoring System
SSVC
  • Decision:Track
Exploitation
None
Automatable
No
Tech. Impact
Partial
* Organization's Worst-case Scenario
Timeline
  • 2024-02-19 CVE Reserved
  • 2024-05-01 CVE Published
  • 2024-05-03 EPSS Updated
  • 2024-12-19 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
>= 3.9 < 4.19.313
Search vendor "Linux" for product "Linux Kernel" and version " >= 3.9 < 4.19.313"
en
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
>= 3.9 < 5.4.275
Search vendor "Linux" for product "Linux Kernel" and version " >= 3.9 < 5.4.275"
en
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
>= 3.9 < 5.10.216
Search vendor "Linux" for product "Linux Kernel" and version " >= 3.9 < 5.10.216"
en
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
>= 3.9 < 5.15.157
Search vendor "Linux" for product "Linux Kernel" and version " >= 3.9 < 5.15.157"
en
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
>= 3.9 < 6.1.88
Search vendor "Linux" for product "Linux Kernel" and version " >= 3.9 < 6.1.88"
en
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
>= 3.9 < 6.6.29
Search vendor "Linux" for product "Linux Kernel" and version " >= 3.9 < 6.6.29"
en
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
>= 3.9 < 6.8.8
Search vendor "Linux" for product "Linux Kernel" and version " >= 3.9 < 6.8.8"
en
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
>= 3.9 < 6.9
Search vendor "Linux" for product "Linux Kernel" and version " >= 3.9 < 6.9"
en
Affected