Published: 2024-06-XX
Severity: Medium
Component: Linux Kernel usb: dwc2 Host Driver (DDMA completion flow)
Affected Versions: Various versions before the patch
CVE Reference: CVE-2024-26997
Patch Commit: kernel/git/torvalds/linux.git
Reported By: Hoi-Ho Chan

What Is CVE-2024-26997?

A new vulnerability (CVE-2024-26997) was found in the Linux Kernel's DesignWare USB 2.0 (dwc2) Host Controller Driver, specifically in the Direct Data Movement Architecture (DDMA) completion flow. The flaw allowed a potential NULL pointer dereference because the DDMA completion function used certain variables before checking that they were valid.

This bug could be triggered by specially crafted USB descriptors from a malicious USB device, or on systems where DDMA is enabled and a device detaches or fails at an unlucky moment. When triggered, it could result in system instability or a kernel panic (DoS – Denial of Service), affecting system availability.

The Problem

The vulnerability lies in how the DDMA completion flow handler in the dwc2 USB host driver dereferenced certain variables before they were properly checked for validity. This could allow an attacker, by carefully timing removal or manipulation of USB devices, to trigger this code path and crash the system.

Here's a simplified, illustrative version of the vulnerable code:

// Vulnerable code (before patch)
if (some_pointer->flag) {        // <-- dereference without NULL check
    // ... do stuff ...
}

If some_pointer can be NULL under certain rare timing or error conditions, the system will crash due to an invalid memory access.

Developers fixed it by adding a NULL check before any dereference:

// After the patch
if (some_pointer && some_pointer->flag) {   // <-- safe dereference
    // ... do stuff ...
}

This change ensures some_pointer is valid (not NULL) before accessing its members.
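As an added illustration (not the dwc2 driver's own code, and with every name here an assumption), the following C model shows a DDMA-style completion walk in which a transfer can be torn down while its descriptor is still in flight: the handler validates the back-pointer before touching it and counts the slots it had to skip, instead of crashing the way the unchecked flow would.

```c
/* Added illustrative model of the DDMA completion-flow fix, not the dwc2
 * driver's own code; all names and bit values here are assumptions. */
#include <stddef.h>
#define DESC_STS_DONE  (1u << 0)  /* constructed: hardware finished the slot */
#define DESC_STS_ERROR (1u << 1)  /* constructed: hardware flagged an error */
struct qtd_model { int in_process; int error_count; };  /* a queued transfer */
/* One slot of a DDMA ring: hardware status plus the software back-pointer to
 * the transfer that owns it. */
struct ddma_desc { unsigned int status; struct qtd_model *qtd; };
/* Teardown path: the transfer goes away while its descriptor may still be in
 * flight, so the back-pointer becomes NULL. */
void ddma_model_detach(struct ddma_desc *d) { d->qtd = NULL; }
/* Hardened completion handler: the qtd pointer is validated before any member
 * access, which is the pattern the patch introduces. Returns how many
 * completed slots had to be skipped because their transfer was gone. */
int ddma_model_complete(struct ddma_desc *ring, size_t n, int *completed)
{
    int skipped = 0;
    *completed = 0;
    for (size_t i = 0; i < n; i++) {
        struct ddma_desc *d = &ring[i];
        if (!(d->status & DESC_STS_DONE))
            continue;                      /* still owned by hardware */
        if (!d->qtd) {                     /* the check the vulnerable flow lacked */
            skipped++;
            continue;
        }
        if (d->status & DESC_STS_ERROR)
            d->qtd->error_count++;
        d->qtd->in_process = 0;
        (*completed)++;
    }
    return skipped;
}
/* Constructed scenario: four slots, one transfer torn down mid-flight and one
 * slot not yet completed. Returns the skipped count; stores the completed one. */
int ddma_model_demo(int *completed)
{
    struct qtd_model q[4] = { {1, 0}, {1, 0}, {1, 0}, {1, 0} };
    struct ddma_desc ring[4] = {
        { DESC_STS_DONE, &q[0] }, { DESC_STS_DONE | DESC_STS_ERROR, &q[1] },
        { DESC_STS_DONE, &q[2] }, { 0, &q[3] },
    };
    ddma_model_detach(&ring[2]);           /* device went away before completion */
    return ddma_model_complete(ring, 4, completed);
}
```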

See the patch:
usb: dwc2: host: Fix dereference issue in DDMA completion flow

Potential Exploitation

- Impact: A local attacker (or malicious USB peripheral) could trigger a Denial of Service by causing the kernel to dereference a NULL pointer, leading to a kernel panic.
- Requirements: Access to plug in or emulate USB devices, or ability to manipulate host controller state if DDMA is enabled.

1. Attacker inserts a specially crafted or faulty USB device.
2. Manipulates attach/detach events or exploits timing to cause the DDMA completion handler to process an invalid or NULL pointer.
3. Linux kernel driver dereferences the pointer without a check → PANIC/crash.

Example Exploit Skeleton (pseudo-code)

# Simulate device attach/detach race condition (for research only!)
# Needs root and USB emulation (e.g. using USB/IP, Linux Gadget Framework, or hardware fuzzing tools)
import subprocess
import time

try:
    # Attach the remote device over USB/IP, then detach it again shortly afterwards.
    subprocess.run(["usbip", "attach", "-r", "host", "-b", "1-1"], check=True)
    time.sleep(0.1)
    subprocess.run(["usbip", "detach", "-p", "00:1d."], check=True)  # or use physical replug
except (subprocess.CalledProcessError, OSError) as e:
    # os.system() never raises on a failed command; check=True does, so this branch is reachable.
    print("Crash attempt:", e)

Disclaimer: This is a research sketch, not a working exploit; actual exploitation likely needs hardware USB fuzzers or custom gadgets to manipulate packets.

1. Running Linux Kernel: 5.x, 6.x, or vendor versions with unpatched dwc2 driver.

2. Embedded devices commonly use dwc2 (like Raspberry Pi Zero, many ARM tablets, set-top boxes, etc.).

Recommendations

- Update your kernel to a version including the upstream fix.

References & More Reading

- CVE-2024-26997 MITRE Entry
- Security Patch Commit (kernel.org)
- Original kernel mailing list report
- USB DWC2 Driver Documentation

Summary

CVE-2024-26997 is a Linux kernel security bug in the USB DWC2 host driver. It was resolved by checking for NULL pointers before dereferencing in the DDMA completion handler. The issue could be triggered by specially timed or crafted USB device events, leading to system crashes. The solution is to update your kernel or apply vendor patches as soon as possible.

Timeline

Published on: 05/01/2024 06:15:17 UTC
Last modified on: 05/04/2025 12:55:18 UTC