CVE-2024-27001

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> comedi: vmk80xx: fix incomplete endpoint checking<br /> <br /> While vmk80xx does have endpoint checking implemented, some things<br /> can fall through the cracks. Depending on the hardware model,<br /> URBs can have either bulk or interrupt type, and current version<br /> of vmk80xx_find_usb_endpoints() function does not take that fully<br /> into account. While this warning does not seem to be too harmful,<br /> at the very least it will crash systems with &amp;#39;panic_on_warn&amp;#39; set on<br /> them.<br /> <br /> Fix the issue found by Syzkaller [1] by somewhat simplifying the<br /> endpoint checking process with usb_find_common_endpoints() and<br /> ensuring that only expected endpoint types are present.<br /> <br /> This patch has not been tested on real hardware.<br /> <br /> [1] Syzkaller report:<br /> usb 1-1: BOGUS urb xfer, pipe 1 != type 3<br /> WARNING: CPU: 0 PID: 781 at drivers/usb/core/urb.c:504 usb_submit_urb+0xc4e/0x18c0 drivers/usb/core/urb.c:503<br /> ...<br /> Call Trace:<br /> <br /> usb_start_wait_urb+0x113/0x520 drivers/usb/core/message.c:59<br /> vmk80xx_reset_device drivers/comedi/drivers/vmk80xx.c:227 [inline]<br /> vmk80xx_auto_attach+0xa1c/0x1a40 drivers/comedi/drivers/vmk80xx.c:818<br /> comedi_auto_config+0x238/0x380 drivers/comedi/drivers.c:1067<br /> usb_probe_interface+0x5cd/0xb00 drivers/usb/core/driver.c:399<br /> ...<br /> <br /> Similar issue also found by Syzkaller: