CVE-2024-38567

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> wifi: carl9170: add a proper sanity check for endpoints<br /> <br /> Syzkaller reports [1] hitting a warning which is caused by presence<br /> of a wrong endpoint type at the URB sumbitting stage. While there<br /> was a check for a specific 4th endpoint, since it can switch types<br /> between bulk and interrupt, other endpoints are trusted implicitly.<br /> Similar warning is triggered in a couple of other syzbot issues [2].<br /> <br /> Fix the issue by doing a comprehensive check of all endpoints<br /> taking into account difference between high- and full-speed<br /> configuration.<br /> <br /> [1] Syzkaller report:<br /> ...<br /> WARNING: CPU: 0 PID: 4721 at drivers/usb/core/urb.c:504 usb_submit_urb+0xed6/0x1880 drivers/usb/core/urb.c:504<br /> ...<br /> Call Trace:<br /> <br /> carl9170_usb_send_rx_irq_urb+0x273/0x340 drivers/net/wireless/ath/carl9170/usb.c:504<br /> carl9170_usb_init_device drivers/net/wireless/ath/carl9170/usb.c:939 [inline]<br /> carl9170_usb_firmware_finish drivers/net/wireless/ath/carl9170/usb.c:999 [inline]<br /> carl9170_usb_firmware_step2+0x175/0x240 drivers/net/wireless/ath/carl9170/usb.c:1028<br /> request_firmware_work_func+0x130/0x240 drivers/base/firmware_loader/main.c:1107<br /> process_one_work+0x9bf/0x1710 kernel/workqueue.c:2289<br /> worker_thread+0x669/0x1090 kernel/workqueue.c:2436<br /> kthread+0x2e8/0x3a0 kernel/kthread.c:376<br /> ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308<br /> <br /> <br /> [2] Related syzkaller crashes: