CVE-2024-40927

{"id": "CVE-2024-40927", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}]}, "published": "2024-07-12T13:15:15.477", "references": [{"url": "https://git.kernel.org/stable/c/26460c1afa311524f588e288a4941432f0de6228", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/5ceac4402f5d975e5a01c806438eb4e554771577", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/61593dc413c3655e4328a351555235bc3089486a", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/633f72cb6124ecda97b641fbc119340bd88d51a9", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/949be4ec5835e0ccb3e2a8ab0e46179cb5512518", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/26460c1afa311524f588e288a4941432f0de6228", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://git.kernel.org/stable/c/5ceac4402f5d975e5a01c806438eb4e554771577", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://git.kernel.org/stable/c/61593dc413c3655e4328a351555235bc3089486a", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://git.kernel.org/stable/c/633f72cb6124ecda97b641fbc119340bd88d51a9", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://git.kernel.org/stable/c/949be4ec5835e0ccb3e2a8ab0e46179cb5512518", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-416"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxhci: Handle TD clearing for multiple streams case\n\nWhen multiple streams are in use, multiple TDs might be in flight when\nan endpoint is stopped. We need to issue a Set TR Dequeue Pointer for\neach, to ensure everything is reset properly and the caches cleared.\nChange the logic so that any N>1 TDs found active for different streams\nare deferred until after the first one is processed, calling\nxhci_invalidate_cancelled_tds() again from xhci_handle_cmd_set_deq() to\nqueue another command until we are done with all of them. Also change\nthe error/\"should never happen\" paths to ensure we at least clear any\naffected TDs, even if we can't issue a command to clear the hardware\ncache, and complain loudly with an xhci_warn() if this ever happens.\n\nThis problem case dates back to commit e9df17eb1408 (\"USB: xhci: Correct\nassumptions about number of rings per endpoint.\") early on in the XHCI\ndriver's life, when stream support was first added.\nIt was then identified but not fixed nor made into a warning in commit\n674f8438c121 (\"xhci: split handling halted endpoints into two steps\"),\nwhich added a FIXME comment for the problem case (without materially\nchanging the behavior as far as I can tell, though the new logic made\nthe problem more obvious).\n\nThen later, in commit 94f339147fc3 (\"xhci: Fix failure to give back some\ncached cancelled URBs.\"), it was acknowledged again.\n\n[Mathias: commit 94f339147fc3 (\"xhci: Fix failure to give back some cached\ncancelled URBs.\") was a targeted regression fix to the previously mentioned\npatch. Users reported issues with usb stuck after unmounting/disconnecting\nUAS devices. This rolled back the TD clearing of multiple streams to its\noriginal state.]\n\nApparently the commit author was aware of the problem (yet still chose\nto submit it): It was still mentioned as a FIXME, an xhci_dbg() was\nadded to log the problem condition, and the remaining issue was mentioned\nin the commit description. The choice of making the log type xhci_dbg()\nfor what is, at this point, a completely unhandled and known broken\ncondition is puzzling and unfortunate, as it guarantees that no actual\nusers would see the log in production, thereby making it nigh\nundebuggable (indeed, even if you turn on DEBUG, the message doesn't\nreally hint at there being a problem at all).\n\nIt took me *months* of random xHC crashes to finally find a reliable\nrepro and be able to do a deep dive debug session, which could all have\nbeen avoided had this unhandled, broken condition been actually reported\nwith a warning, as it should have been as a bug intentionally left in\nunfixed (never mind that it shouldn't have been left in at all).\n\n> Another fix to solve clearing the caches of all stream rings with\n> cancelled TDs is needed, but not as urgent.\n\n3 years after that statement and 14 years after the original bug was\nintroduced, I think it's finally time to fix it. And maybe next time\nlet's not leave bugs unfixed (that are actually worse than the original\nbug), and let's actually get people to review kernel commits please.\n\nFixes xHC crashes and IOMMU faults with UAS devices when handling\nerrors/faults. Easiest repro is to use `hdparm` to mark an early sector\n(e.g. 1024) on a disk as bad, then `cat /dev/sdX > /dev/null` in a loop.\nAt least in the case of JMicron controllers, the read errors end up\nhaving to cancel two TDs (for two queued requests to different streams)\nand the one that didn't get cleared properly ends up faulting the xHC\nentirely when it tries to access DMA pages that have since been unmapped,\nreferred to by the stale TDs. This normally happens quickly (after two\nor three loops). After this fix, I left the `cat` in a loop running\novernight and experienced no xHC failures, with all read errors\nrecovered properly. Repro'd and tested on an Apple M1 Mac Mini\n(dwc3 host).\n\nOn systems without an IOMMU, this bug would instead silently corrupt\nfreed memory, making this a\n---truncated---"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: xhci: Manejar el borrado de TD para el caso de m\u00faltiples flujos Cuando se utilizan m\u00faltiples flujos, es posible que haya m\u00faltiples TD en vuelo cuando se detiene un endpoint. Necesitamos emitir un puntero de salida de cola TR para cada uno, para garantizar que todo se restablezca correctamente y se borren los cach\u00e9s. Cambie la l\u00f3gica para que cualquier N>1 TD que se encuentre activo para diferentes flujos se difiera hasta despu\u00e9s de que se procese el primero, llamando a xhci_invalidate_cancelled_tds() nuevamente desde xhci_handle_cmd_set_deq() para poner en cola otro comando hasta que hayamos terminado con todos ellos. Tambi\u00e9n cambie las rutas de error/\"nunca deber\u00eda suceder\" para asegurarnos de que al menos borramos los TD afectados, incluso si no podemos emitir un comando para borrar el cach\u00e9 del hardware, y quejarnos en voz alta con un xhci_warn() si esto alguna vez sucede. Este caso de problema se remonta al commit e9df17eb1408 (\"USB: xhci: Suposiciones correctas sobre el n\u00famero de anillos por endpoint.\") al principio de la vida del controlador XHCI, cuando se agreg\u00f3 por primera vez el soporte de transmisi\u00f3n. Luego se identific\u00f3, pero no se solucion\u00f3 ni se convirti\u00f3 en una advertencia en el commit 674f8438c121 (\"xhci: dividir el manejo de endpoints detenidos en dos pasos\"), que agreg\u00f3 un comentario FIXME para el caso del problema (sin cambiar materialmente el comportamiento, hasta donde yo s\u00e9). , aunque la nueva l\u00f3gica hizo que el problema fuera m\u00e1s obvio). Luego, m\u00e1s tarde, en el commit 94f339147fc3 (\"xhci: Se corrigi\u00f3 el error al devolver algunas URB canceladas en cach\u00e9\"), se reconoci\u00f3 nuevamente. [Mathias: commit 94f339147fc3 (\"xhci: Se corrigi\u00f3 el error al devolver algunas URB canceladas en cach\u00e9\") fue una soluci\u00f3n de regresi\u00f3n espec\u00edfica para el parche mencionado anteriormente. Los usuarios informaron problemas con el USB atascado despu\u00e9s de desmontar/desconectar dispositivos UAS. Esto revirti\u00f3 la limpieza de TD de m\u00faltiples transmisiones a su estado original.] Aparentemente, el autor de el commit estaba al tanto del problema (pero a\u00fan as\u00ed decidi\u00f3 enviarlo): todav\u00eda se mencionaba como FIXME, se agreg\u00f3 un xhci_dbg() para registrar el condici\u00f3n del problema y el problema restante se mencion\u00f3 en la descripci\u00f3n de El commit. La elecci\u00f3n de crear el tipo de registro xhci_dbg() para lo que, en este momento, es una condici\u00f3n rota completamente no controlada y conocida es desconcertante y desafortunada, ya que garantiza que ning\u00fan usuario real ver\u00e1 el registro en producci\u00f3n, lo que lo hace casi no depurable ( de hecho, incluso si activa DEBUG, el mensaje realmente no indica que haya ning\u00fan problema). Me tom\u00f3 *meses* de fallas aleatorias de xHC para finalmente encontrar una reproducci\u00f3n confiable y poder realizar una sesi\u00f3n de depuraci\u00f3n profunda, que podr\u00eda haberse evitado si esta condici\u00f3n rota y no controlada se hubiera informado con una advertencia, como deber\u00eda haber sido. ha sido un error que se dej\u00f3 intencionalmente sin corregir (sin importar que no deber\u00eda haberse dejado en absoluto). > Se necesita otra soluci\u00f3n para solucionar el borrado de los cach\u00e9s de todos los anillos de transmisi\u00f3n con > TD cancelados, pero no es tan urgente. 3 a\u00f1os despu\u00e9s de esa declaraci\u00f3n y 14 a\u00f1os despu\u00e9s de que se introdujo el error original, creo que finalmente es hora de solucionarlo. Y tal vez la pr\u00f3xima vez no dejemos errores sin corregir (que en realidad son peores que el error original), y hagamos que la gente revise las confirmaciones del kernel, por favor. Soluciona fallas de xHC y fallas de IOMMU con dispositivos UAS al manejar errores/fallas. La reproducci\u00f3n m\u00e1s sencilla es usar `hdparm` para marcar un sector inicial (por ejemplo, 1024) en un disco como defectuoso, luego `cat /dev/sdX > /dev/null` en un bucle. ---truncado---"}], "lastModified": "2025-09-17T15:17:59.900", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "37B8380E-D28A-4794-8A47-123569BFB7BF", "versionEndExcluding": "5.15.162", "versionStartIncluding": "2.6.35"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D435765D-2766-44F5-B319-F713A13E35CE", "versionEndExcluding": "6.1.95", "versionStartIncluding": "5.16"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6F019D15-84C0-416B-8C57-7F51B68992F0", "versionEndExcluding": "6.6.35", "versionStartIncluding": "6.2"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0ABBBA1D-F79D-4BDB-AA41-D1EDCC4A6975", "versionEndExcluding": "6.9.6", "versionStartIncluding": "6.7"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.10:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2EBB4392-5FA6-4DA9-9772-8F9C750109FA"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.10:rc2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "331C2F14-12C7-45D5-893D-8C52EE38EA10"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.10:rc3:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3173713D-909A-4DD3-9DD4-1E171EB057EE"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}