The security of the Linux kernel is crucial because it powers servers, desktop computers, and embedded devices worldwide. On February 29, 2024, a vulnerability identified as CVE-2024-26964 was resolved in the kernel’s USB xHCI (Extensible Host Controller Interface) subsystem. This post will break down what the CVE means, how it happens, show related code, and explain how attackers might exploit it—plus where to look for patches and more details.
Quick Summary
Vulnerability: NULL pointer dereference due to improper error handling in xhci_map_urb_for_dma.
Affected Component: Linux Kernel, USB xHCI subsystem
Attack Vector: Local (needs to submit crafted USB data)
Potential Impact: Kernel crash (DoS), possible code execution (very difficult)
Status: Fixed in mainline Linux as of 6.8-rc7
The Technical Problem
The function xhci_map_urb_for_dma is responsible for setting up memory for USB transfers in the xHCI subsystem (commonly used for USB 3. and later). Sometimes, it needs to allocate a temporary buffer for a transfer. This happens through a call to kzalloc_node().
However, if the system is out of memory, kzalloc_node() returns NULL. Immediately after, the code tries to use this pointer anyway—to copy data using sg_pcopy_to_buffer(). This is dangerous because copying data into a NULL pointer can crash the kernel—a local denial of service.
Vulnerable Code Snippet (before fix)
buf = kzalloc_node(total_len, GFP_ATOMIC, dev_to_node(&xhci->pdev->dev));
/* If allocation failed, buf is NULL, but we don’t check! */
sg_pcopy_to_buffer(sg, nents, buf, total_len, );
If kzalloc_node() fails, then buf will be NULL, so the next line is a classic NULL pointer dereference.
How the Patch Fixes It
The patch adds the missing error check. Now, if kzalloc_node() returns NULL, the function returns -ENOMEM instead of proceeding.
Fixed Code Snippet
buf = kzalloc_node(total_len, GFP_ATOMIC, dev_to_node(&xhci->pdev->dev));
if (!buf)
return -ENOMEM;
sg_pcopy_to_buffer(sg, nents, buf, total_len, );
This stops the kernel from doing anything dangerous if there’s not enough memory.
Crafted USB Transfer: Submit a USB request that triggers xhci_map_urb_for_dma.
3. Kernel Crash: If successful, the kernel tries to copy data into a NULL address, causing an immediate panic (crash).
Impact:
The main “exploit” is simply a denial of service (DoS)—the attacker can reliably crash systems with vulnerable kernels by sending certain USB requests after starving the system of memory. Gaining code execution would be much harder and is not considered viable with this bug.
While a full exploit isn’t practical, here’s a demonstration logic (pseudo-code)
// Pseudo-logic for DoS PoC
fork_many_processes_to_consume_memory();
while (not_out_of_memory()) {
allocate_big_block();
}
// Now, send a carefully crafted USB transfer through xhci subsystem
submit_usb_sg_transfer_to_vulnerable_kernel();
This just aims to drive the system out of memory so the allocation in the driver fails, then triggers the code path that would handle the USB transfer.
Timeline and Resolution
- Feb 29, 2024: Patch submitted to mainline Linux (Git commit).
References
- Patch commit on kernel.org
- Red Hat security page for CVE-2024-26964
- Debian Security Tracker: CVE-2024-26964
- Upstream kernel report
What Should You Do?
If you run Linux 6.x with USB xHCI hardware, update your kernel.
Upgrade to Linux 6.8 or later, or apply the patch if maintaining a custom kernel.
- Servers and desktops with untrusted user access (e.g., university labs, cloud endpoints) are more at risk.
Conclusion
CVE-2024-26964 is a classic case why even “small” errors in memory management can lead to big system crashes. Thanks to quick patching, this is now resolved—but it’s another example how critical good error checking is, even in tiny subsystems.
Stay patched!
*Exclusive for you, in plain language. For more, always check your distro’s security mailing lists and subscribe to kernel updates.*
Timeline
Published on: 05/01/2024 06:15:12 UTC
Last modified on: 12/23/2024 13:41:58 UTC