ghsa-jx88-73qr-g4w7
Vulnerability from github
Published
2024-08-21 09:31
Modified
2024-09-13 15:31
Severity ?
5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Details

In the Linux kernel, the following vulnerability has been resolved:

usb: xhci: Check endpoint is valid before dereferencing it

When the host controller is not responding, all URBs queued to all endpoints need to be killed. This can cause a kernel panic if we dereference an invalid endpoint.

Fix this by using xhci_get_virt_ep() helper to find the endpoint and checking if the endpoint is valid before dereferencing it.

[233311.853271] xhci-hcd xhci-hcd.1.auto: xHCI host controller not responding, assume dead [233311.853393] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000e8

[233311.853964] pc : xhci_hc_died+0x10c/0x270 [233311.853971] lr : xhci_hc_died+0x1ac/0x270

[233311.854077] Call trace: [233311.854085] xhci_hc_died+0x10c/0x270 [233311.854093] xhci_stop_endpoint_command_watchdog+0x100/0x1a4 [233311.854105] call_timer_fn+0x50/0x2d4 [233311.854112] expire_timers+0xac/0x2e4 [233311.854118] run_timer_softirq+0x300/0xabc [233311.854127] __do_softirq+0x148/0x528 [233311.854135] irq_exit+0x194/0x1a8 [233311.854143] __handle_domain_irq+0x164/0x1d0 [233311.854149] gic_handle_irq.22273+0x10c/0x188 [233311.854156] el1_irq+0xfc/0x1a8 [233311.854175] lpm_cpuidle_enter+0x25c/0x418 [msm_pm] [233311.854185] cpuidle_enter_state+0x1f0/0x764 [233311.854194] do_idle+0x594/0x6ac [233311.854201] cpu_startup_entry+0x7c/0x80 [233311.854209] secondary_start_kernel+0x170/0x198

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2023-52901"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-08-21T07:15:06Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: xhci: Check endpoint is valid before dereferencing it\n\nWhen the host controller is not responding, all URBs queued to all\nendpoints need to be killed. This can cause a kernel panic if we\ndereference an invalid endpoint.\n\nFix this by using xhci_get_virt_ep() helper to find the endpoint and\nchecking if the endpoint is valid before dereferencing it.\n\n[233311.853271] xhci-hcd xhci-hcd.1.auto: xHCI host controller not responding, assume dead\n[233311.853393] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000e8\n\n[233311.853964] pc : xhci_hc_died+0x10c/0x270\n[233311.853971] lr : xhci_hc_died+0x1ac/0x270\n\n[233311.854077] Call trace:\n[233311.854085]  xhci_hc_died+0x10c/0x270\n[233311.854093]  xhci_stop_endpoint_command_watchdog+0x100/0x1a4\n[233311.854105]  call_timer_fn+0x50/0x2d4\n[233311.854112]  expire_timers+0xac/0x2e4\n[233311.854118]  run_timer_softirq+0x300/0xabc\n[233311.854127]  __do_softirq+0x148/0x528\n[233311.854135]  irq_exit+0x194/0x1a8\n[233311.854143]  __handle_domain_irq+0x164/0x1d0\n[233311.854149]  gic_handle_irq.22273+0x10c/0x188\n[233311.854156]  el1_irq+0xfc/0x1a8\n[233311.854175]  lpm_cpuidle_enter+0x25c/0x418 [msm_pm]\n[233311.854185]  cpuidle_enter_state+0x1f0/0x764\n[233311.854194]  do_idle+0x594/0x6ac\n[233311.854201]  cpu_startup_entry+0x7c/0x80\n[233311.854209]  secondary_start_kernel+0x170/0x198",
  "id": "GHSA-jx88-73qr-g4w7",
  "modified": "2024-09-13T15:31:31Z",
  "published": "2024-08-21T09:31:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52901"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/08864dc14a6803f0377ca77b9740b26db30c020f"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2d2820d5f375563690c96e60676855205abfb7f5"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/375be2dd61a072f7b1cac9b17eea59e07b58db3a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/66fc1600855c05c4ba4e997184c91cf298e0405c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9891e5c73cab3fd9ed532dc50e9799e55e974766"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e8fb5bc76eb86437ab87002d4a36d6da02165654"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f39c813af0b64f44af94e435c07bfa1ddc2575f5"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.