CVE-2024-27001

comedi: vmk80xx: fix incomplete endpoint checking

Severity Score

5.5

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved: comedi: vmk80xx: fix incomplete endpoint checking While vmk80xx does have endpoint checking implemented, some things
can fall through the cracks. Depending on the hardware model,
URBs can have either bulk or interrupt type, and current version
of vmk80xx_find_usb_endpoints() function does not take that fully
into account. While this warning does not seem to be too harmful,
at the very least it will crash systems with 'panic_on_warn' set on
them. Fix the issue found by Syzkaller [1] by somewhat simplifying the
endpoint checking process with usb_find_common_endpoints() and
ensuring that only expected endpoint types are present. This patch has not been tested on real hardware. [1] Syzkaller report:
usb 1-1: BOGUS urb xfer, pipe 1 != type 3
WARNING: CPU: 0 PID: 781 at drivers/usb/core/urb.c:504 usb_submit_urb+0xc4e/0x18c0 drivers/usb/core/urb.c:503
...
Call Trace: <TASK> usb_start_wait_urb+0x113/0x520 drivers/usb/core/message.c:59 vmk80xx_reset_device drivers/comedi/drivers/vmk80xx.c:227 [inline] vmk80xx_auto_attach+0xa1c/0x1a40 drivers/comedi/drivers/vmk80xx.c:818 comedi_auto_config+0x238/0x380 drivers/comedi/drivers.c:1067 usb_probe_interface+0x5cd/0xb00 drivers/usb/core/driver.c:399
... Similar issue also found by Syzkaller:

En el kernel de Linux, se resolvió la siguiente vulnerabilidad: comedi: vmk80xx: corrige la verificación de endpoints incompleta Si bien vmk80xx tiene implementada la verificación de endpoints, algunas cosas pueden pasar desapercibidas. Dependiendo del modelo de hardware, las URB pueden tener un tipo masivo o de interrupción, y la versión actual de la función vmk80xx_find_usb_endpoints() no lo tiene completamente en cuenta. Si bien esta advertencia no parece ser demasiado dañina, al menos bloqueará los sistemas que tengan configurado 'panic_on_warn'. Solucione el problema encontrado por Syzkaller [1] simplificando un poco el proceso de verificación de endpoints con usb_find_common_endpoints() y asegurándose de que solo estén presentes los tipos de endpoints esperados. Este parche no ha sido probado en hardware real. [1] Informe Syzkaller: usb 1-1: BOGUS urb xfer, tubería 1! = tipo 3 ADVERTENCIA: CPU: 0 PID: 781 en drivers/usb/core/urb.c:504 usb_submit_urb+0xc4e/0x18c0 drivers/usb/ core/urb.c:503... Seguimiento de llamadas: usb_start_wait_urb+0x113/0x520 drivers/usb/core/message.c:59 vmk80xx_reset_device drivers/comedi/drivers/vmk80xx.c:227 [en línea] vmk80xx_auto_attach+0xa1c /0x1a40 drivers/comedi/drivers/vmk80xx.c:818 comedi_auto_config+0x238/0x380 drivers/comedi/drivers.c:1067 usb_probe_interface+0x5cd/0xb00 drivers/usb/core/driver.c:399 ... También se encontró un problema similar por Syzkaller:

In the Linux kernel, the following vulnerability has been resolved: comedi: vmk80xx: fix incomplete endpoint checking While vmk80xx does have endpoint checking implemented, some things can fall through the cracks. Depending on the hardware model, URBs can have either bulk or interrupt type, and current version of vmk80xx_find_usb_endpoints() function does not take that fully into account. While this warning does not seem to be too harmful, at the very least it will crash systems with 'panic_on_warn' set on them. Fix the issue found by Syzkaller [1] by somewhat simplifying the endpoint checking process with usb_find_common_endpoints() and ensuring that only expected endpoint types are present. This patch has not been tested on real hardware. [1] Syzkaller report: usb 1-1: BOGUS urb xfer, pipe 1 != type 3 WARNING: CPU: 0 PID: 781 at drivers/usb/core/urb.c:504 usb_submit_urb+0xc4e/0x18c0 drivers/usb/core/urb.c:503 ... Call Trace: <TASK> usb_start_wait_urb+0x113/0x520 drivers/usb/core/message.c:59 vmk80xx_reset_device drivers/comedi/drivers/vmk80xx.c:227 [inline] vmk80xx_auto_attach+0xa1c/0x1a40 drivers/comedi/drivers/vmk80xx.c:818 comedi_auto_config+0x238/0x380 drivers/comedi/drivers.c:1067 usb_probe_interface+0x5cd/0xb00 drivers/usb/core/driver.c:399 ... Similar issue also found by Syzkaller:

Ziming Zhang discovered that the DRM driver for VMware Virtual GPU did not properly handle certain error conditions, leading to a NULL pointer dereference. A local attacker could possibly trigger this vulnerability to cause a denial of service. It was discovered that the ATA over Ethernet driver in the Linux kernel contained a race condition, leading to a use-after-free vulnerability. An attacker could use this to cause a denial of service or possibly execute arbitrary code.

*Credits: N/A

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Local

Attack Complexity

Low

Authentication

Single

Confidentiality

None

Integrity

None

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-02-19 CVE Reserved
2024-05-01 CVE Published
2024-12-19 CVE Updated
2025-03-18 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (11)

URL	Tag	Source
https://git.kernel.org/stable/c/49253d542cc0f5f771dc254d248162a2a666649d	Vuln. Introduced
https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html
https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/3a63ae0348d990e137cca04eced5b08379969ea9	2024-05-02
https://git.kernel.org/stable/c/a3b8ae7e9297dd453f2977b011c5bc75eb20e71b	2024-05-02
https://git.kernel.org/stable/c/f15370e315976198f338b41611f37ce82af6cf54	2024-05-02
https://git.kernel.org/stable/c/b0b268eeb087e324ef3ea71f8e6cabd07630517f	2024-04-27
https://git.kernel.org/stable/c/ac882d6b21bffecb57bcc4486701239eef5aa67b	2024-04-27
https://git.kernel.org/stable/c/59f33af9796160f851641d960bd93937f282c696	2024-04-27
https://git.kernel.org/stable/c/6ec3514a7d35ad9cfab600187612c29f669069d2	2024-04-27
https://git.kernel.org/stable/c/d1718530e3f640b7d5f0050e725216eab57a85d8	2024-04-11

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 3.9 < 4.19.313 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.9 < 4.19.313"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 3.9 < 5.4.275 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.9 < 5.4.275"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 3.9 < 5.10.216 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.9 < 5.10.216"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 3.9 < 5.15.157 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.9 < 5.15.157"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 3.9 < 6.1.88 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.9 < 6.1.88"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 3.9 < 6.6.29 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.9 < 6.6.29"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 3.9 < 6.8.8 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.9 < 6.8.8"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 3.9 < 6.9 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.9 < 6.9"		en		Affected