CVE-2024-40904

In the Linux kernel, the following vulnerability has been resolved: USB: class: cdc-wdm: Fix CPU lockup caused by excessive log messages The syzbot fuzzer found that the interrupt-URB completion callback in the cdc-wdm driver was taking too long, and the driver's immediate resubmission of interrupt URBs with -EPROTO status combined with the dummy-hcd emulation to cause a CPU lockup: cdc_wdm 1-1:1.0: nonzero urb status received: -71 cdc_wdm 1-1:1.0: wdm_int_callback - 0 bytes watchdog: BUG: soft lockup - CPU#0 stuck for 26s! [syz-executor782:6625] CPU#0 Utilization every 4s during lockup: #1: 98% system, 0% softirq, 3% hardirq, 0% idle #2: 98% system, 0% softirq, 3% hardirq, 0% idle #3: 98% system, 0% softirq, 3% hardirq, 0% idle #4: 98% system, 0% softirq, 3% hardirq, 0% idle #5: 98% system, 1% softirq, 3% hardirq, 0% idle Modules linked in: irq event stamp: 73096 hardirqs last enabled at (73095): [<ffff80008037bc00>] console_emit_next_record kernel/printk/printk.c:2935 [inline] hardirqs last enabled at (73095): [<ffff80008037bc00>] console_flush_all+0x650/0xb74 kernel/printk/printk.c:2994 hardirqs last disabled at (73096): [<ffff80008af10b00>] __el1_irq arch/arm64/kernel/entry-common.c:533 [inline] hardirqs last disabled at (73096): [<ffff80008af10b00>] el1_interrupt+0x24/0x68 arch/arm64/kernel/entry-common.c:551 softirqs last enabled at (73048): [<ffff8000801ea530>] softirq_handle_end kernel/softirq.c:400 [inline] softirqs last enabled at (73048): [<ffff8000801ea530>] handle_softirqs+0xa60/0xc34 kernel/softirq.c:582 softirqs last disabled at (73043): [<ffff800080020de8>] __do_softirq+0x14/0x20 kernel/softirq.c:588 CPU: 0 PID: 6625 Comm: syz-executor782 Tainted: G W 6.10.0-rc2-syzkaller-g8867bbd4a056 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024 Testing showed that the problem did not occur if the two error messages -- the first two lines above -- were removed; apparently adding material to the kernel log takes a surprisingly large amount of time. In any case, the best approach for preventing these lockups and to avoid spamming the log with thousands of error messages per second is to ratelimit the two dev_err() calls. Therefore we replace them with dev_err_ratelimited().
Configurations

Configuration 1 (hide)

OR cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.10:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.10:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.10:rc3:*:*:*:*:*:*

History

21 Nov 2024, 09:31

Type Values Removed Values Added
References () https://git.kernel.org/stable/c/02a4c0499fc3a02e992b4c69a9809912af372d94 - Patch () https://git.kernel.org/stable/c/02a4c0499fc3a02e992b4c69a9809912af372d94 - Patch
References () https://git.kernel.org/stable/c/05b2cd6d33f700597e6f081b53c668a226a96d28 - Patch () https://git.kernel.org/stable/c/05b2cd6d33f700597e6f081b53c668a226a96d28 - Patch
References () https://git.kernel.org/stable/c/217d1f44fff560b3995a685a60aa66e55a7f0f56 - Patch () https://git.kernel.org/stable/c/217d1f44fff560b3995a685a60aa66e55a7f0f56 - Patch
References () https://git.kernel.org/stable/c/22f00812862564b314784167a89f27b444f82a46 - Patch () https://git.kernel.org/stable/c/22f00812862564b314784167a89f27b444f82a46 - Patch
References () https://git.kernel.org/stable/c/53250b54c92fe087fd4b0c48f85529efe1ebd879 - Patch () https://git.kernel.org/stable/c/53250b54c92fe087fd4b0c48f85529efe1ebd879 - Patch
References () https://git.kernel.org/stable/c/72a3fe36cf9f0d030865e571f45a40f9c1e07e8a - Patch () https://git.kernel.org/stable/c/72a3fe36cf9f0d030865e571f45a40f9c1e07e8a - Patch
References () https://git.kernel.org/stable/c/82075aff7ffccb1e72b0ac8aa349e473624d857c - Patch () https://git.kernel.org/stable/c/82075aff7ffccb1e72b0ac8aa349e473624d857c - Patch
References () https://git.kernel.org/stable/c/c0747d76eb05542b5d49f67069b64ef5ff732c6c - Patch () https://git.kernel.org/stable/c/c0747d76eb05542b5d49f67069b64ef5ff732c6c - Patch

19 Sep 2024, 13:17

Type Values Removed Values Added
CWE NVD-CWE-Other
First Time Linux
Linux linux Kernel
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 5.5
CPE cpe:2.3:o:linux:linux_kernel:6.10:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.10:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.10:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Summary
  • (es) En el kernel de Linux, se resolvió la siguiente vulnerabilidad: USB: clase: cdc-wdm: soluciona el bloqueo de la CPU causado por mensajes de registro excesivos. El syzbot fuzzer descubrió que la devolución de llamada de finalización de interrupción-URB en el controlador cdc-wdm estaba tardando demasiado y el reenvío inmediato por parte del controlador de las URB de interrupción con estado -EPROTO combinado con la emulación ficticia-hcd para provocar un bloqueo de la CPU: cdc_wdm 1-1:1.0: estado de urb distinto de cero recibido: -71 cdc_wdm 1-1:1.0: wdm_int_callback - 0 bytes perro guardián: ERROR: bloqueo suave - ¡CPU#0 bloqueada durante 26 segundos! [syz-executor782:6625] CPU#0 Utilización cada 4 segundos durante el bloqueo: #1: 98% sistema, 0% softirq, 3% hardirq, 0% inactivo #2: 98% sistema, 0% softirq, 3% hardirq, 0 % inactivo #3: 98% sistema, 0% softirq, 3% hardirq, 0% inactivo #4: 98% sistema, 0% softirq, 3% hardirq, 0% inactivo #5: 98% sistema, 1% softirq, 3 % hardirq, 0% inactivo Módulos vinculados en: irq event stamp: 73096 hardirqs habilitado por última vez en (73095): [] console_emit_next_record kernel/printk/printk.c:2935 [inline] hardirqs habilitado por última vez en (73095): [ ] console_flush_all+0x650/0xb74 kernel/printk/printk.c:2994 hardirqs deshabilitado por última vez en (73096): [] __el1_irq arch/arm64/kernel/entry-common.c:533 [en línea] hardirqs último deshabilitado en (73096): [] el1_interrupt+0x24/0x68 arch/arm64/kernel/entry-common.c:551 softirqs habilitado por última vez en (73048): [] softirq_handle_end kernel/softirq.c:400 [en línea] softirqs habilitados por última vez en (73048): [] handle_softirqs+0xa60/0xc34 kernel/softirq.c:582 softirqs deshabilitados por última vez en (73043): [] __do_softirq+0x14/0x20 kernel/softirq. c:588 CPU: 0 PID: 6625 Comm: syz-executor782 Contaminado: GW 6.10.0-rc2-syzkaller-g8867bbd4a056 #0 Nombre del hardware: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/04/2024 Las pruebas mostraron que el problema no se produjo si se eliminaron los dos mensajes de error (las dos primeras líneas anteriores); aparentemente agregar material al registro del kernel lleva una cantidad de tiempo sorprendentemente grande. En cualquier caso, el mejor enfoque para prevenir estos bloqueos y evitar enviar spam al registro con miles de mensajes de error por segundo es limitar la velocidad de las dos llamadas dev_err(). Por eso los reemplazamos con dev_err_ratelimited().
References () https://git.kernel.org/stable/c/02a4c0499fc3a02e992b4c69a9809912af372d94 - () https://git.kernel.org/stable/c/02a4c0499fc3a02e992b4c69a9809912af372d94 - Patch
References () https://git.kernel.org/stable/c/05b2cd6d33f700597e6f081b53c668a226a96d28 - () https://git.kernel.org/stable/c/05b2cd6d33f700597e6f081b53c668a226a96d28 - Patch
References () https://git.kernel.org/stable/c/217d1f44fff560b3995a685a60aa66e55a7f0f56 - () https://git.kernel.org/stable/c/217d1f44fff560b3995a685a60aa66e55a7f0f56 - Patch
References () https://git.kernel.org/stable/c/22f00812862564b314784167a89f27b444f82a46 - () https://git.kernel.org/stable/c/22f00812862564b314784167a89f27b444f82a46 - Patch
References () https://git.kernel.org/stable/c/53250b54c92fe087fd4b0c48f85529efe1ebd879 - () https://git.kernel.org/stable/c/53250b54c92fe087fd4b0c48f85529efe1ebd879 - Patch
References () https://git.kernel.org/stable/c/72a3fe36cf9f0d030865e571f45a40f9c1e07e8a - () https://git.kernel.org/stable/c/72a3fe36cf9f0d030865e571f45a40f9c1e07e8a - Patch
References () https://git.kernel.org/stable/c/82075aff7ffccb1e72b0ac8aa349e473624d857c - () https://git.kernel.org/stable/c/82075aff7ffccb1e72b0ac8aa349e473624d857c - Patch
References () https://git.kernel.org/stable/c/c0747d76eb05542b5d49f67069b64ef5ff732c6c - () https://git.kernel.org/stable/c/c0747d76eb05542b5d49f67069b64ef5ff732c6c - Patch

12 Jul 2024, 13:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-07-12 13:15

Updated : 2024-11-21 09:31


NVD link : CVE-2024-40904

Mitre link : CVE-2024-40904

CVE.ORG link : CVE-2024-40904


JSON object : View

Products Affected

linux

  • linux_kernel