CVE-2024-27059

USB: usb-storage: Prevent divide-by-0 error in isd200_ata_command

Severity Score

5.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved: USB: usb-storage: Prevent divide-by-0 error in isd200_ata_command The isd200 sub-driver in usb-storage uses the HEADS and SECTORS values
in the ATA ID information to calculate cylinder and head values when
creating a CDB for READ or WRITE commands. The calculation involves
division and modulus operations, which will cause a crash if either of
these values is 0. While this never happens with a genuine device, it
could happen with a flawed or subversive emulation, as reported by the
syzbot fuzzer. Protect against this possibility by refusing to bind to the device if
either the ATA_ID_HEADS or ATA_ID_SECTORS value in the device's ID
information is 0. This requires isd200_Initialization() to return a
negative error code when initialization fails; currently it always
returns 0 (even when there is an error).

En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: USB: almacenamiento-usb: evita el error de división por 0 en isd200_ata_command El subcontrolador isd200 en almacenamiento-usb utiliza los valores HEADS y SECTORES en la información de ID de ATA para calcular el cilindro y valores principales al crear un CDB para comandos LEER o ESCRIBIR. El cálculo implica operaciones de división y módulo, lo que provocará un bloqueo si cualquiera de estos valores es 0. Si bien esto nunca sucede con un dispositivo genuino, podría suceder con una emulación defectuosa o subversiva, según lo informado por syzbot fuzzer. Protéjase contra esta posibilidad negándose a vincularse al dispositivo si el valor ATA_ID_HEADS o ATA_ID_SECTORS en la información de ID del dispositivo es 0. Esto requiere que isd200_Initialization() devuelva un código de error negativo cuando falla la inicialización; actualmente siempre devuelve 0 (incluso cuando hay un error).

In the Linux kernel, the following vulnerability has been resolved: USB: usb-storage: Prevent divide-by-0 error in isd200_ata_command The isd200 sub-driver in usb-storage uses the HEADS and SECTORS values in the ATA ID information to calculate cylinder and head values when creating a CDB for READ or WRITE commands. The calculation involves division and modulus operations, which will cause a crash if either of these values is 0. While this never happens with a genuine device, it could happen with a flawed or subversive emulation, as reported by the syzbot fuzzer. Protect against this possibility by refusing to bind to the device if either the ATA_ID_HEADS or ATA_ID_SECTORS value in the device's ID information is 0. This requires isd200_Initialization() to return a negative error code when initialization fails; currently it always returns 0 (even when there is an error).

Ziming Zhang discovered that the DRM driver for VMware Virtual GPU did not properly handle certain error conditions, leading to a NULL pointer dereference. A local attacker could possibly trigger this vulnerability to cause a denial of service. Gui-Dong Han discovered that the software RAID driver in the Linux kernel contained a race condition, leading to an integer overflow vulnerability. A privileged attacker could possibly use this to cause a denial of service.

*Credits: N/A

CVSS Scores

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Local

Attack Complexity

Low

Authentication

Single

Confidentiality

None

Integrity

None

Availability

Complete

Attack Vector

Local

Attack Complexity

Low

Authentication

Single

Confidentiality

Complete

Integrity

Complete

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-02-19 CVE Reserved
2024-05-01 CVE Published
2024-12-19 CVE Updated
2025-03-18 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (13)

URL	Tag	Source
https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2	Vuln. Introduced
https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html
https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/9968c701cba7eda42e5f0052b040349d6222ae34	2024-04-13
https://git.kernel.org/stable/c/eb7b01ca778170654e1c76950024270ba74b121f	2024-04-13
https://git.kernel.org/stable/c/284fb1003d5da111019b9e0bf99b084fd71ac133	2024-04-13
https://git.kernel.org/stable/c/6c1f36d92c0a8799569055012665d2bb066fb964	2024-04-10
https://git.kernel.org/stable/c/f42ba916689f5c7b1642092266d2f53cf527aaaa	2024-04-03
https://git.kernel.org/stable/c/871fd7b10b56d280990b7e754f43d888382ca325	2024-04-03
https://git.kernel.org/stable/c/3a67d4ab9e730361d183086dfb0ddd8c61f01636	2024-04-03
https://git.kernel.org/stable/c/014bcf41d946b36a8f0b8e9b5d9529efbb822f49	2024-03-02

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2024-27059	2024-06-05
https://bugzilla.redhat.com/show_bug.cgi?id=2278398	2024-06-05

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.12 < 4.19.312 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.12 < 4.19.312"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.12 < 5.4.274 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.12 < 5.4.274"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.12 < 5.10.215 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.12 < 5.10.215"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.12 < 5.15.154 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.12 < 5.15.154"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.12 < 6.1.84 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.12 < 6.1.84"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.12 < 6.6.24 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.12 < 6.6.24"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.12 < 6.7.12 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.12 < 6.7.12"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.12 < 6.8 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.12 < 6.8"		en		Affected