CVE-2024-56687

Published: Dic 28, 2024 Last Modified: Nov 03, 2025 EU-VD ID: EUVD-2024-53335

ExploitDB:

Other exploit source:

Google Dorks:

MEDIUM 5,5

Source: [email protected]

Attack Vector: local

Attack Complexity: low

Privileges Required: low

User Interaction: none

Scope: unchanged

Confidentiality: none

Integrity: none

Availability: high

Description

AI Translation Available

In the Linux kernel, the following vulnerability has been resolved:

usb: musb: Fix hardware lockup on first Rx endpoint request

There is a possibility that a request's callback could be invoked from
usb_ep_queue() (call trace below, supplemented with missing calls):

req->complete from usb_gadget_giveback_request
(drivers/usb/gadget/udc/core.c:999)
usb_gadget_giveback_request from musb_g_giveback
(drivers/usb/musb/musb_gadget.c:147)
musb_g_giveback from rxstate
(drivers/usb/musb/musb_gadget.c:784)
rxstate from musb_ep_restart
(drivers/usb/musb/musb_gadget.c:1169)
musb_ep_restart from musb_ep_restart_resume_work
(drivers/usb/musb/musb_gadget.c:1176)
musb_ep_restart_resume_work from musb_queue_resume_work
(drivers/usb/musb/musb_core.c:2279)
musb_queue_resume_work from musb_gadget_queue
(drivers/usb/musb/musb_gadget.c:1241)
musb_gadget_queue from usb_ep_queue
(drivers/usb/gadget/udc/core.c:300)

According to the docstring of usb_ep_queue(), this should not happen:

'Note that @req's ->complete() callback must never be called from within
usb_ep_queue() as that can create deadlock situations.'

In fact, a hardware lockup might occur in the following sequence:

1. The gadget is initialized using musb_gadget_enable().
2. Meanwhile, a packet arrives, and the RXPKTRDY flag is set, raising an
interrupt.
3. If IRQs are enabled, the interrupt is handled, but musb_g_rx() finds an
empty queue (next_request() returns NULL). The interrupt flag has
already been cleared by the glue layer handler, but the RXPKTRDY flag
remains set.
4. The first request is enqueued using usb_ep_queue(), leading to the call
of req->complete(), as shown in the call trace above.
5. If the callback enables IRQs and another packet is waiting, step (3)
repeats. The request queue is empty because usb_g_giveback() removes the
request before invoking the callback.
6. The endpoint remains locked up, as the interrupt triggered by hardware
setting the RXPKTRDY flag has been handled, but the flag itself remains
set.

For this scenario to occur, it is only necessary for IRQs to be enabled at
some point during the complete callback. This happens with the USB Ethernet
gadget, whose rx_complete() callback calls netif_rx(). If called in the
task context, netif_rx() disables the bottom halves (BHs). When the BHs are
re-enabled, IRQs are also enabled to allow soft IRQs to be processed. The
gadget itself is initialized at module load (or at boot if built-in), but
the first request is enqueued when the network interface is brought up,
triggering rx_complete() in the task context via ioctl(). If a packet
arrives while the interface is down, it can prevent the interface from
receiving any further packets from the USB host.

The situation is quite complicated with many parties involved. This
particular issue can be resolved in several possible ways:

1. Ensure that callbacks never enable IRQs. This would be difficult to
enforce, as discovering how netif_rx() interacts with interrupts was
already quite challenging and u_ether is not the only function driver.
Similar 'bugs' could be hidden in other drivers as well.
2. Disable MUSB interrupts in musb_g_giveback() before calling the callback
and re-enable them afterwars (by calling musb_{dis,en}able_interrupts(),
for example). This would ensure that MUSB interrupts are not handled
during the callback, even if IRQs are enabled. In fact, it would allow
IRQs to be enabled when releasing the lock. However, this feels like an
inelegant hack.
3. Modify the interrupt handler to clear the RXPKTRDY flag if the request
queue is empty. While this approach also feels like a hack, it wastes
CPU time by attempting to handle incoming packets when the software is
not ready to process them.
4. Flush the Rx FIFO instead of calling rxstate() in musb_ep_restart().
This ensures that the hardware can receive packets when there is at
least one request in the queue. Once I
---truncated---

AI Generated Translation

Nel kernel Linux, è stata risolta la seguente vulnerabilità:

usb: musb: Fix hardware lockup on first Rx endpoint request

Esiste la possibilità che la callback di una richiesta venga invocata da usb_ep_queue() (di seguito il call trace, integrato con le chiamate mancanti):

req->complete da usb_gadget_giveback_request
(drivers/usb/gadget/udc/core.c:999)
usb_gadget_giveback_request da musb_g_giveback
(drivers/usb/musb/musb_gadget.c:147)
musb_g_giveback da rxstate
(drivers/usb/musb/musb_gadget.c:784)
rxstate da musb_ep_restart
(drivers/usb/musb/musb_gadget.c:1169)
musb_ep_restart da musb_ep_restart_resume_work
(drivers/usb/musb/musb_gadget.c:1176)
musb_ep_restart_resume_work da musb_queue_resume_work
(drivers/usb/musb/musb_core.c:2279)
musb_queue_resume_work da musb_gadget_queue
(drivers/usb/musb/musb_gadget.c:1241)
musb_gadget_queue da usb_ep_queue
(drivers/usb/gadget/udc/core.c:300)

Secondo la docstring di usb_ep_queue(), ciò non dovrebbe accadere:

"Note that @req's ->complete() callback must never be called from within
usb_ep_queue() as that can create deadlock situations."

Infatti, un lockup hardware potrebbe verificarsi nel seguente scenario:

1. La gadget viene inizializzata tramite musb_gadget_enable().
2. Nel frattempo, arriva un pacchetto e viene impostato il flag RXPKTRDY, generando un interrupt.
3. Se le IRQ sono abilitate, l'interrupt viene gestito, ma musb_g_rx() trova una coda vuota (next_request() ritorna NULL). Il flag dell'interrupt è già stato cancellato dal gestore del layer di glue, ma il flag RXPKTRDY rimane impostato.
4. La prima richiesta viene inserita in coda tramite usb_ep_queue(), portando alla chiamata di req->complete(), come mostrato nel call trace sopra.
5. Se la callback abilita le IRQ e un altro pacchetto è in attesa, il passo (3) si ripete. La coda di richieste è vuota perché musb_g_giveback() rimuove la richiesta prima di invocare la callback.
6. L'endpoint rimane bloccato, poiché l'interrupt generato dall'impostazione del flag RXPKTRDY è stato gestito, ma il flag stesso rimane impostato.

Perché si verifichi questa situazione, è sufficiente che le IRQ siano abilitate in qualche momento durante la callback di completamento. Questo avviene con il gadget USB Ethernet, la cui callback rx_complete() chiama netif_rx(). Se chiamata nel contesto del task, netif_rx() disabilita le bottom halves (BH). Quando le BH vengono riabilitate, le IRQ vengono anch'esse abilitate per permettere l'elaborazione delle soft IRQ. Il gadget stesso viene inizializzato al caricamento del modulo (o all'avvio se built-in), ma la prima richiesta viene inserita in coda quando l'interfaccia di rete viene attivata, scatenando rx_complete() nel contesto del task tramite ioctl(). Se un pacchetto arriva mentre l'interfaccia è inattiva, può impedire all'interfaccia di ricevere ulteriori pacchetti dall'host USB.

La situazione è piuttosto complessa, coinvolgendo molte parti. Questo problema specifico può essere risolto in diversi modi:

1. Assicurarsi che le callback non abilino mai le IRQ. Questo sarebbe difficile da imporre, poiché scoprire come netif_rx() interagisce con le interruzioni era già piuttosto complicato e u_ether non è l'unico driver di funzione. Problemi simili potrebbero essere nascosti anche in altri driver.
2. Disabilitare le IRQ MUSB in musb_g_giveback() prima di chiamare la callback e riabilitarle successivamente (ad esempio chiamando musb_{dis,en}able_interrupts()). Questo garantirebbe che le IRQ MUSB non vengano gestite durante la callback, anche se le IRQ sono abilitate. In effetti, permetterebbe di abilitare le IRQ quando si rilascia il lock. Tuttavia, questa soluzione appare come un hack poco elegante.
3. Modificare l'interrupt handler per cancellare il flag RXPKTRDY se la coda delle richieste è vuota. Sebbene anche questa soluzione sembri un hack, spreca CPU tentando di gestire pacchetti in arrivo quando il software non è pronto a processarli.
4. Svuotare il FIFO Rx invece di chiamare rxstate() in musb_ep_restart(). Questo assicura che l'hardware possa ricevere pacchetti quando c'è almeno una richiesta in coda.

EPSS (Exploit Prediction Scoring System)

Trend Analysis

EPSS (Exploit Prediction Scoring System)

Prevede la probabilità di sfruttamento basata su intelligence sulle minacce e sulle caratteristiche della vulnerabilità.

EPSS Score

0,0003

Percentile

0,1th

Updated

EPSS Score Trend (Last 90 Days)

667

Improper Locking

Draft

Abstraction: Class Structure: Simple

Common Consequences

Security Scopes Affected:

Availability

Potential Impacts:

Dos: Resource Consumption (Cpu)

Applicable Platforms

All platforms may be affected

View CWE Details

Operating System

Linux Kernel by Linux

Product Information

Vendor Linux

Product Linux Kernel

Version Range Affected

From 6.7 (inclusive)

To 6.11.11 (exclusive)

CPE Identifier

View Detailed Analysis


                  cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*

Common Platform Enumeration - Standardized vulnerability identification

Operating System

Linux Kernel by Linux

Product Information

Vendor Linux

Product Linux Kernel

Version Range Affected

From 5.18 (inclusive)

To 6.1.120 (exclusive)

CPE Identifier

View Detailed Analysis


                  cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*

Common Platform Enumeration - Standardized vulnerability identification

Operating System

Linux Kernel by Linux

Product Information

Vendor Linux

Product Linux Kernel

Version Range Affected

From 6.2 (inclusive)

To 6.6.64 (exclusive)

CPE Identifier

View Detailed Analysis


                  cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*

Common Platform Enumeration - Standardized vulnerability identification

Operating System

Linux Kernel by Linux

Product Information

Vendor Linux

Product Linux Kernel

Version Range Affected

From 6.12 (inclusive)

To 6.12.2 (exclusive)

CPE Identifier

View Detailed Analysis


                  cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*

Common Platform Enumeration - Standardized vulnerability identification

https://git.kernel.org/stable/c/0c89445e6d475b78d37b64ae520…

https://git.kernel.org/stable/c/0c89445e6d475b78d37b64ae520831cd43af7db4

https://git.kernel.org/stable/c/3fc137386c4620305bbc2a21686…

https://git.kernel.org/stable/c/3fc137386c4620305bbc2a216868c53f9245670a

https://git.kernel.org/stable/c/5906ee3693674d734177df13a51…

https://git.kernel.org/stable/c/5906ee3693674d734177df13a519a21bb03f730d

https://git.kernel.org/stable/c/c749500b28cae67410792096133…

https://git.kernel.org/stable/c/c749500b28cae67410792096133ee7f282439c51

https://git.kernel.org/stable/c/f05ad9755bb294328c3d0f42916…

https://git.kernel.org/stable/c/f05ad9755bb294328c3d0f429164ac6d4d08c548

https://lists.debian.org/debian-lts-announce/2025/03/msg000…

https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html

CVE-2024-56687

Description

EPSS (Exploit Prediction Scoring System)

EPSS (Exploit Prediction Scoring System)

EPSS Score Trend (Last 90 Days)

Improper Locking

Common Consequences

Applicable Platforms

Linux Kernel by Linux

Product Information

Linux Kernel by Linux

Product Information

Linux Kernel by Linux

Product Information

Linux Kernel by Linux

Product Information

Iscriviti alla newsletter