CVE-2024-45006
Here is a possible title for the vulnerability: "Gigabyte xHCI NULL Pointer Dereference Vulnerability"
Description
In the Linux kernel, the following vulnerability has been resolved: xhci: Fix Panther point NULL pointer deref at full-speed re-enumeration re-enumerating full-speed devices after a failed address device command can trigger a NULL pointer dereference. Full-speed devices may need to reconfigure the endpoint 0 Max Packet Size value during enumeration. Usb core calls usb_ep0_reinit() in this case, which ends up calling xhci_configure_endpoint(). On Panther point xHC the xhci_configure_endpoint() function will additionally check and reserve bandwidth in software. Other hosts do this in hardware If xHC address device command fails then a new xhci_virt_device structure is allocated as part of re-enabling the slot, but the bandwidth table pointers are not set up properly here. This triggers the NULL pointer dereference the next time usb_ep0_reinit() is called and xhci_configure_endpoint() tries to check and reserve bandwidth [46710.713538] usb 3-1: new full-speed USB device number 5 using xhci_hcd [46710.713699] usb 3-1: Device not responding to setup address. [46710.917684] usb 3-1: Device not responding to setup address. [46711.125536] usb 3-1: device not accepting address 5, error -71 [46711.125594] BUG: kernel NULL pointer dereference, address: 0000000000000008 [46711.125600] #PF: supervisor read access in kernel mode [46711.125603] #PF: error_code(0x0000) - not-present page [46711.125606] PGD 0 P4D 0 [46711.125610] Oops: Oops: 0000 [#1] PREEMPT SMP PTI [46711.125615] CPU: 1 PID: 25760 Comm: kworker/1:2 Not tainted 6.10.3_2 #1 [46711.125620] Hardware name: Gigabyte Technology Co., Ltd. [46711.125623] Workqueue: usb_hub_wq hub_event [usbcore] [46711.125668] RIP: 0010:xhci_reserve_bandwidth (drivers/usb/host/xhci.c Fix this by making sure bandwidth table pointers are set up correctly after a failed address device command, and additionally by avoiding checking for bandwidth in cases like this where no actual endpoints are added or removed, i.e. only context for default control endpoint 0 is evaluated.
INFO
Published Date :
Sept. 4, 2024, 8:15 p.m.
Last Modified :
Sept. 6, 2024, 4:26 p.m.
Source :
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Remotely Exploitable :
No
Impact Score :
3.6
Exploitability Score :
1.8
References to Advisories, Solutions, and Tools
Here, you will find a curated list of external links that provide in-depth
information, practical solutions, and valuable tools related to
CVE-2024-45006.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2024-45006 vulnerability anywhere in the article.
The following table lists the changes that have been made to the
CVE-2024-45006 vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
-
Initial Analysis by [email protected]
Sep. 06, 2024
Action Type Old Value New Value Added CVSS V3.1 NIST AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H Changed Reference Type https://git.kernel.org/stable/c/0f0654318e25b2c185e245ba4a591e42fabb5e59 No Types Assigned https://git.kernel.org/stable/c/0f0654318e25b2c185e245ba4a591e42fabb5e59 Patch Changed Reference Type https://git.kernel.org/stable/c/365ef7c4277fdd781a695c3553fa157d622d805d No Types Assigned https://git.kernel.org/stable/c/365ef7c4277fdd781a695c3553fa157d622d805d Patch Changed Reference Type https://git.kernel.org/stable/c/5ad898ae82412f8a689d59829804bff2999dd0ea No Types Assigned https://git.kernel.org/stable/c/5ad898ae82412f8a689d59829804bff2999dd0ea Patch Changed Reference Type https://git.kernel.org/stable/c/6b99de301d78e1f5249e57ef2c32e1dec3df2bb1 No Types Assigned https://git.kernel.org/stable/c/6b99de301d78e1f5249e57ef2c32e1dec3df2bb1 Patch Changed Reference Type https://git.kernel.org/stable/c/8fb9d412ebe2f245f13481e4624b40e651570cbd No Types Assigned https://git.kernel.org/stable/c/8fb9d412ebe2f245f13481e4624b40e651570cbd Patch Changed Reference Type https://git.kernel.org/stable/c/a57b0ebabe6862dce0a2e0f13e17941ad72fc56b No Types Assigned https://git.kernel.org/stable/c/a57b0ebabe6862dce0a2e0f13e17941ad72fc56b Patch Changed Reference Type https://git.kernel.org/stable/c/af8e119f52e9c13e556be9e03f27957554a84656 No Types Assigned https://git.kernel.org/stable/c/af8e119f52e9c13e556be9e03f27957554a84656 Patch Changed Reference Type https://git.kernel.org/stable/c/ef0a0e616b2789bb804a0ce5e161db03170a85b6 No Types Assigned https://git.kernel.org/stable/c/ef0a0e616b2789bb804a0ce5e161db03170a85b6 Patch Added CWE NIST CWE-476 Added CPE Configuration OR *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 4.15 up to (excluding) 4.19.321 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 4.20 up to (excluding) 5.4.283 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.5 up to (excluding) 5.10.225 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.11 up to (excluding) 5.15.166 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.16 up to (excluding) 6.1.107 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.2 up to (excluding) 6.6.48 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.7 up to (excluding) 6.10.7 *cpe:2.3:o:linux:linux_kernel:6.11:rc1:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:6.11:rc2:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:6.11:rc3:*:*:*:*:*:* -
CVE Received by 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Sep. 04, 2024
Action Type Old Value New Value Added Description In the Linux kernel, the following vulnerability has been resolved: xhci: Fix Panther point NULL pointer deref at full-speed re-enumeration re-enumerating full-speed devices after a failed address device command can trigger a NULL pointer dereference. Full-speed devices may need to reconfigure the endpoint 0 Max Packet Size value during enumeration. Usb core calls usb_ep0_reinit() in this case, which ends up calling xhci_configure_endpoint(). On Panther point xHC the xhci_configure_endpoint() function will additionally check and reserve bandwidth in software. Other hosts do this in hardware If xHC address device command fails then a new xhci_virt_device structure is allocated as part of re-enabling the slot, but the bandwidth table pointers are not set up properly here. This triggers the NULL pointer dereference the next time usb_ep0_reinit() is called and xhci_configure_endpoint() tries to check and reserve bandwidth [46710.713538] usb 3-1: new full-speed USB device number 5 using xhci_hcd [46710.713699] usb 3-1: Device not responding to setup address. [46710.917684] usb 3-1: Device not responding to setup address. [46711.125536] usb 3-1: device not accepting address 5, error -71 [46711.125594] BUG: kernel NULL pointer dereference, address: 0000000000000008 [46711.125600] #PF: supervisor read access in kernel mode [46711.125603] #PF: error_code(0x0000) - not-present page [46711.125606] PGD 0 P4D 0 [46711.125610] Oops: Oops: 0000 [#1] PREEMPT SMP PTI [46711.125615] CPU: 1 PID: 25760 Comm: kworker/1:2 Not tainted 6.10.3_2 #1 [46711.125620] Hardware name: Gigabyte Technology Co., Ltd. [46711.125623] Workqueue: usb_hub_wq hub_event [usbcore] [46711.125668] RIP: 0010:xhci_reserve_bandwidth (drivers/usb/host/xhci.c Fix this by making sure bandwidth table pointers are set up correctly after a failed address device command, and additionally by avoiding checking for bandwidth in cases like this where no actual endpoints are added or removed, i.e. only context for default control endpoint 0 is evaluated. Added Reference kernel.org https://git.kernel.org/stable/c/ef0a0e616b2789bb804a0ce5e161db03170a85b6 [No types assigned] Added Reference kernel.org https://git.kernel.org/stable/c/a57b0ebabe6862dce0a2e0f13e17941ad72fc56b [No types assigned] Added Reference kernel.org https://git.kernel.org/stable/c/0f0654318e25b2c185e245ba4a591e42fabb5e59 [No types assigned] Added Reference kernel.org https://git.kernel.org/stable/c/365ef7c4277fdd781a695c3553fa157d622d805d [No types assigned] Added Reference kernel.org https://git.kernel.org/stable/c/5ad898ae82412f8a689d59829804bff2999dd0ea [No types assigned] Added Reference kernel.org https://git.kernel.org/stable/c/6b99de301d78e1f5249e57ef2c32e1dec3df2bb1 [No types assigned] Added Reference kernel.org https://git.kernel.org/stable/c/8fb9d412ebe2f245f13481e4624b40e651570cbd [No types assigned] Added Reference kernel.org https://git.kernel.org/stable/c/af8e119f52e9c13e556be9e03f27957554a84656 [No types assigned]
CWE - Common Weakness Enumeration
While CVE identifies
specific instances of vulnerabilities, CWE categorizes the common flaws or
weaknesses that can lead to vulnerabilities. CVE-2024-45006 is
associated with the following CWEs:
Common Attack Pattern Enumeration and Classification (CAPEC)
Common Attack Pattern Enumeration and Classification
(CAPEC)
stores attack patterns, which are descriptions of the common attributes and
approaches employed by adversaries to exploit the CVE-2024-45006
weaknesses.