admin/cve
1
0
Fork 0
mirror of https://github.com/0xMarcio/cve.git synced 2025-11-28 18:48:49 +00:00
Code Issues Packages Projects Releases Wiki Activity
cve/2024/CVE-2024-45006.md
0xMarcio cb00e1339f Update CVE list 2025-09-29 21:09
2025-09-29 21:09:30 +02:00

20 lines
2.6 KiB
Markdown
Raw Permalink Blame History

### [CVE-2024-45006](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45006)
![](https://img.shields.io/static/v1?label=Product&message=Linux&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=&color=brightgreen)
![](https://img.shields.io/static/v1?label=Version&message=4.15%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Version&message=651aaf36a7d7b36a58980e70133f9437d4f6d312%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=n%2Fa&color=blue)
### Description
In the Linux kernel, the following vulnerability has been resolved:xhci: Fix Panther point NULL pointer deref at full-speed re-enumerationre-enumerating full-speed devices after a failed address device commandcan trigger a NULL pointer dereference.Full-speed devices may need to reconfigure the endpoint 0 Max Packet Sizevalue during enumeration. Usb core calls usb_ep0_reinit() in this case,which ends up calling xhci_configure_endpoint().On Panther point xHC the xhci_configure_endpoint() function willadditionally check and reserve bandwidth in software. Other hosts dothis in hardwareIf xHC address device command fails then a new xhci_virt_device structureis allocated as part of re-enabling the slot, but the bandwidth tablepointers are not set up properly here.This triggers the NULL pointer dereference the next time usb_ep0_reinit()is called and xhci_configure_endpoint() tries to check and reservebandwidth[46710.713538] usb 3-1: new full-speed USB device number 5 using xhci_hcd[46710.713699] usb 3-1: Device not responding to setup address.[46710.917684] usb 3-1: Device not responding to setup address.[46711.125536] usb 3-1: device not accepting address 5, error -71[46711.125594] BUG: kernel NULL pointer dereference, address: 0000000000000008[46711.125600] #PF: supervisor read access in kernel mode[46711.125603] #PF: error_code(0x0000) - not-present page[46711.125606] PGD 0 P4D 0[46711.125610] Oops: Oops: 0000 [#1] PREEMPT SMP PTI[46711.125615] CPU: 1 PID: 25760 Comm: kworker/1:2 Not tainted 6.10.3_2 #1[46711.125620] Hardware name: Gigabyte Technology Co., Ltd.[46711.125623] Workqueue: usb_hub_wq hub_event [usbcore][46711.125668] RIP: 0010:xhci_reserve_bandwidth (drivers/usb/host/xhci.cFix this by making sure bandwidth table pointers are set up correctlyafter a failed address device command, and additionally by avoidingchecking for bandwidth in cases like this where no actual endpoints areadded or removed, i.e. only context for default control endpoint 0 isevaluated.
### POC
#### Reference
No PoCs from references.
#### Github
- https://github.com/ARPSyndicate/cve-scores
Reference in New Issue View Git Blame Copy Permalink