CVE-2024-45006

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> xhci: Fix Panther point NULL pointer deref at full-speed re-enumeration<br /> <br /> re-enumerating full-speed devices after a failed address device command<br /> can trigger a NULL pointer dereference.<br /> <br /> Full-speed devices may need to reconfigure the endpoint 0 Max Packet Size<br /> value during enumeration. Usb core calls usb_ep0_reinit() in this case,<br /> which ends up calling xhci_configure_endpoint().<br /> <br /> On Panther point xHC the xhci_configure_endpoint() function will<br /> additionally check and reserve bandwidth in software. Other hosts do<br /> this in hardware<br /> <br /> If xHC address device command fails then a new xhci_virt_device structure<br /> is allocated as part of re-enabling the slot, but the bandwidth table<br /> pointers are not set up properly here.<br /> This triggers the NULL pointer dereference the next time usb_ep0_reinit()<br /> is called and xhci_configure_endpoint() tries to check and reserve<br /> bandwidth<br /> <br /> [46710.713538] usb 3-1: new full-speed USB device number 5 using xhci_hcd<br /> [46710.713699] usb 3-1: Device not responding to setup address.<br /> [46710.917684] usb 3-1: Device not responding to setup address.<br /> [46711.125536] usb 3-1: device not accepting address 5, error -71<br /> [46711.125594] BUG: kernel NULL pointer dereference, address: 0000000000000008<br /> [46711.125600] #PF: supervisor read access in kernel mode<br /> [46711.125603] #PF: error_code(0x0000) - not-present page<br /> [46711.125606] PGD 0 P4D 0<br /> [46711.125610] Oops: Oops: 0000 [#1] PREEMPT SMP PTI<br /> [46711.125615] CPU: 1 PID: 25760 Comm: kworker/1:2 Not tainted 6.10.3_2 #1<br /> [46711.125620] Hardware name: Gigabyte Technology Co., Ltd.<br /> [46711.125623] Workqueue: usb_hub_wq hub_event [usbcore]<br /> [46711.125668] RIP: 0010:xhci_reserve_bandwidth (drivers/usb/host/xhci.c<br /> <br /> Fix this by making sure bandwidth table pointers are set up correctly<br /> after a failed address device command, and additionally by avoiding<br /> checking for bandwidth in cases like this where no actual endpoints are<br /> added or removed, i.e. only context for default control endpoint 0 is<br /> evaluated.