Summary: A bug in the Linux kernel's Comedi vmk80xx driver (CVE-2024-27001), where the USB endpoint checking was incomplete, has been fixed. A device exposing an endpoint type the driver did not expect could trigger a kernel WARN, which crashes systems booted with 'panic_on_warn'. This post details the vulnerability, its patch, and references to the original issue.

Introduction

A vulnerability in the Linux kernel's Comedi vmk80xx driver has been resolved. The driver does check the USB endpoints a device presents, but the check did not cover every case: it accepted an endpoint of a type the driver would never use for that board model. When the driver then submitted a transfer to such an endpoint, the USB core raised a warning, and on systems with 'panic_on_warn' enabled that warning is a kernel panic.

The issue was found by syzkaller. The patch replaces the driver's hand-written endpoint loop with usb_find_common_endpoints(), requesting only the endpoint types the board model actually uses, so probing fails cleanly when the device does not provide them. The patch author notes that the change has not been tested on real hardware.

The following outline shows the shape of the change (the full bodies are elided):

// Before
static int vmk80xx_find_usb_endpoints(...)
{
    ...
    // Endpoint types are checked, but not against the type the board model uses
    ...
}

// After
static int vmk80xx_find_usb_endpoints(...)
{
    ...
    // Ask only for the endpoint types this model uses; fail probe otherwise
    int ret = usb_find_common_endpoints(...);
    ...
}

Original References

- Syzkaller Report
- Linux Kernel Mailing List (LKML) Patch Discussion

Exploit Details

The vulnerability, CVE-2024-27001, affects the Comedi vmk80xx driver in the Linux kernel. The driver decides whether to use bulk or interrupt transfers from the board model, which it identifies from the device's USB product ID, while its endpoint check accepted either a bulk or an interrupt endpoint regardless of model. A device (or a fuzzer emulating one) can therefore present the product ID of one model together with endpoints of the other model's type, and the driver will submit a URB whose type does not match the endpoint it is sent to.

Syzkaller hit the resulting consistency check in usb_submit_urb(), which logged the warning "usb 1-1: BOGUS urb xfer, pipe 1 != type 3". In that message, pipe 1 is PIPE_INTERRUPT and type 3 is PIPE_BULK: the driver submitted an interrupt URB to an endpoint whose descriptor declares it bulk. The check uses dev_WARN(), so on a system booted with 'panic_on_warn' it is a kernel panic rather than a log line, and it is reachable by anyone who can attach a USB device.

The fix is the usb_find_common_endpoints() change described above: the driver now requests only the endpoint types its model will use and fails the probe if they are absent. Since the patch author notes it has not been tested on real hardware, anyone running these boards should confirm after updating that the device still probes and transfers normally.
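To make the failure mode concrete, here is an added userspace model of the endpoint selection before and after the fix, followed by the pipe-type check that usb_submit_urb() performs. This is example code written for this post, not code from the kernel or the vmk80xx driver. It assumes, as described above, that the pre-patch loop accepted either a bulk or an interrupt endpoint without consulting the model; that VMK8061 boards use bulk transfers while the other models use interrupt transfers (as in the upstream driver); and it uses constructed endpoint descriptors rather than anything captured from hardware. The struct, enum and function names are illustrative.

```c
/*
 * Added example, not code from the kernel or the vmk80xx driver: a userspace
 * model of the endpoint-selection bug and its fix. Descriptor encodings follow
 * USB (same values as include/uapi/linux/usb/ch9.h); the split "VMK8061 uses
 * bulk, other models use interrupt" follows the upstream driver; all
 * descriptors below are constructed, not captured from hardware.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#define USB_DIR_IN                 0x80
#define USB_ENDPOINT_XFERTYPE_MASK 0x03
#define USB_ENDPOINT_XFER_BULK     2
#define USB_ENDPOINT_XFER_INT      3

struct ep_desc {
	uint8_t bEndpointAddress; /* bit 7 set = IN endpoint */
	uint8_t bmAttributes;     /* low two bits = transfer type */
};

enum model { VMK8055, VMK8061 };

enum outcome {
	REJECTED,        /* probe fails cleanly, no URB is ever submitted */
	SUBMITTED_OK,    /* URB pipe type matches the endpoint's type */
	SUBMITTED_BOGUS, /* usb_submit_urb() would dev_WARN("BOGUS urb xfer ...") */
};

static int ep_type(const struct ep_desc *ep) { return ep->bmAttributes & USB_ENDPOINT_XFERTYPE_MASK; }
static bool ep_is_in(const struct ep_desc *ep) { return ep->bEndpointAddress & USB_DIR_IN; }

/* Transfer type the driver puts in its URBs: fixed by the board model (picked
 * from the device's product ID), not by what the descriptors claim. */
static int model_xfer_type(enum model m) { return m == VMK8061 ? USB_ENDPOINT_XFER_BULK : USB_ENDPOINT_XFER_INT; }

/* Pre-patch selection, simplified: the first IN and first OUT endpoint that is
 * either bulk or interrupt is taken; the model is never consulted. */
static bool find_endpoints_old(const struct ep_desc *eps, size_t n,
			       const struct ep_desc **rx, const struct ep_desc **tx)
{
	*rx = *tx = NULL;
	for (size_t i = 0; i < n; i++) {
		int t = ep_type(&eps[i]);
		if (t != USB_ENDPOINT_XFER_BULK && t != USB_ENDPOINT_XFER_INT)
			continue;
		if (ep_is_in(&eps[i]) && !*rx)
			*rx = &eps[i];
		else if (!ep_is_in(&eps[i]) && !*tx)
			*tx = &eps[i];
	}
	return *rx && *tx;
}

/* Post-patch selection: only endpoints of the type this model will use qualify,
 * as with usb_find_common_endpoints() asked for just one pair of types. */
static bool find_endpoints_new(enum model m, const struct ep_desc *eps, size_t n,
			       const struct ep_desc **rx, const struct ep_desc **tx)
{
	int want = model_xfer_type(m);
	*rx = *tx = NULL;
	for (size_t i = 0; i < n; i++) {
		if (ep_type(&eps[i]) != want)
			continue;
		if (ep_is_in(&eps[i]) && !*rx)
			*rx = &eps[i];
		else if (!ep_is_in(&eps[i]) && !*tx)
			*tx = &eps[i];
	}
	return *rx && *tx;
}

/* Probe followed by the first transfer, ending in the pipe/endpoint consistency
 * check that usb_submit_urb() performs on every URB. */
enum outcome probe_and_submit(enum model m, const struct ep_desc *eps, size_t n, bool fixed)
{
	const struct ep_desc *rx, *tx;
	bool found = fixed ? find_endpoints_new(m, eps, n, &rx, &tx)
			   : find_endpoints_old(eps, n, &rx, &tx);
	if (!found)
		return REJECTED;
	int pipe_type = model_xfer_type(m); /* what the driver's URBs carry */
	if (pipe_type != ep_type(rx) || pipe_type != ep_type(tx))
		return SUBMITTED_BOGUS;
	return SUBMITTED_OK;
}

/* Constructed descriptor sets: one IN and one OUT endpoint of a single type. */
const struct ep_desc bulk_eps[] = { { USB_DIR_IN | 1, USB_ENDPOINT_XFER_BULK }, { 2, USB_ENDPOINT_XFER_BULK } };
const struct ep_desc int_eps[]  = { { USB_DIR_IN | 1, USB_ENDPOINT_XFER_INT },  { 2, USB_ENDPOINT_XFER_INT } };

int main(void)
{
	/* Device with the VMK8055 (interrupt) product ID but bulk endpoints: old code
	 * submits an interrupt URB on a bulk endpoint (pipe 1 != type 3); fixed code fails probe. */
	printf("old: %d  new: %d  (0=rejected 1=ok 2=BOGUS urb xfer)\n",
	       probe_and_submit(VMK8055, bulk_eps, 2, false),
	       probe_and_submit(VMK8055, bulk_eps, 2, true));
	return 0;
}
```

The point the model makes is that everything the descriptor check sees is attacker-controlled: the product ID picks the model and the endpoint descriptors pick the types, so the only safe rule is to demand exactly the endpoint types the driver will later put into its URBs, which is what passing only one pair of out-parameters to usb_find_common_endpoints() enforces.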

Conclusion

The Linux kernel vulnerability CVE-2024-27001 has been resolved by completing the endpoint checking in Comedi's vmk80xx driver. The fix prevents the kernel warning, and with 'panic_on_warn' the crash, that followed from submitting a URB whose transfer type did not match the endpoint. Because the patch was not tested on real hardware, it is still worth verifying on an actual board that the fix does not break normal operation.

Stay vigilant and always keep your Linux kernel up to date to protect your systems from such vulnerabilities.

Timeline

Published on: 05/01/2024 06:15:18 UTC
Last modified on: 12/19/2024 08:52:15 UTC