CVE-2024-57981 (GCVE-0-2024-57981)
Vulnerability from cvelistv5
Published
2025-02-27 02:07
Modified
2025-05-04 10:07
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: usb: xhci: Fix NULL pointer dereference on certain command aborts If a command is queued to the final usable TRB of a ring segment, the enqueue pointer is advanced to the subsequent link TRB and no further. If the command is later aborted, when the abort completion is handled the dequeue pointer is advanced to the first TRB of the next segment. If no further commands are queued, xhci_handle_stopped_cmd_ring() sees the ring pointers unequal and assumes that there is a pending command, so it calls xhci_mod_cmd_timer() which crashes if cur_cmd was NULL. Don't attempt timer setup if cur_cmd is NULL. The subsequent doorbell ring likely is unnecessary too, but it's harmless. Leave it alone. This is probably Bug 219532, but no confirmation has been received. The issue has been independently reproduced and confirmed fixed using a USB MCU programmed to NAK the Status stage of SET_ADDRESS forever. Everything continued working normally after several prevented crashes.
References
Impacted products
Vendor Product Version
Linux Linux Version: c311e391a7efd101250c0e123286709b7e736249
Version: c311e391a7efd101250c0e123286709b7e736249
Version: c311e391a7efd101250c0e123286709b7e736249
Version: c311e391a7efd101250c0e123286709b7e736249
Version: c311e391a7efd101250c0e123286709b7e736249
Version: c311e391a7efd101250c0e123286709b7e736249
Version: c311e391a7efd101250c0e123286709b7e736249
Version: c311e391a7efd101250c0e123286709b7e736249
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/usb/host/xhci-ring.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "fd8bfaeba4a85b14427899adec0efb3954300653",
              "status": "affected",
              "version": "c311e391a7efd101250c0e123286709b7e736249",
              "versionType": "git"
            },
            {
              "lessThan": "b44253956407046e5907d4d72c8fa5b93ae94485",
              "status": "affected",
              "version": "c311e391a7efd101250c0e123286709b7e736249",
              "versionType": "git"
            },
            {
              "lessThan": "cf30300a216a4f8dce94e11781a866a09d4b50d4",
              "status": "affected",
              "version": "c311e391a7efd101250c0e123286709b7e736249",
              "versionType": "git"
            },
            {
              "lessThan": "4ff18870af793ce2034a6ad746e91d0a3d985b88",
              "status": "affected",
              "version": "c311e391a7efd101250c0e123286709b7e736249",
              "versionType": "git"
            },
            {
              "lessThan": "b649f0d5bc256f691c7d234c3986685d54053de1",
              "status": "affected",
              "version": "c311e391a7efd101250c0e123286709b7e736249",
              "versionType": "git"
            },
            {
              "lessThan": "ae069cd2ba09a2bd6a87a68c59ef0b7ea39cd641",
              "status": "affected",
              "version": "c311e391a7efd101250c0e123286709b7e736249",
              "versionType": "git"
            },
            {
              "lessThan": "0ce5c0dac768be14afe2426101b568a0f66bfc4d",
              "status": "affected",
              "version": "c311e391a7efd101250c0e123286709b7e736249",
              "versionType": "git"
            },
            {
              "lessThan": "1e0a19912adb68a4b2b74fd77001c96cd83eb073",
              "status": "affected",
              "version": "c311e391a7efd101250c0e123286709b7e736249",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/usb/host/xhci-ring.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.16"
            },
            {
              "lessThan": "3.16",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.291",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.235",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.129",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.76",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.291",
                  "versionStartIncluding": "3.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.235",
                  "versionStartIncluding": "3.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "3.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.129",
                  "versionStartIncluding": "3.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.76",
                  "versionStartIncluding": "3.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.13",
                  "versionStartIncluding": "3.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.2",
                  "versionStartIncluding": "3.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "3.16",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: xhci: Fix NULL pointer dereference on certain command aborts\n\nIf a command is queued to the final usable TRB of a ring segment, the\nenqueue pointer is advanced to the subsequent link TRB and no further.\nIf the command is later aborted, when the abort completion is handled\nthe dequeue pointer is advanced to the first TRB of the next segment.\n\nIf no further commands are queued, xhci_handle_stopped_cmd_ring() sees\nthe ring pointers unequal and assumes that there is a pending command,\nso it calls xhci_mod_cmd_timer() which crashes if cur_cmd was NULL.\n\nDon\u0027t attempt timer setup if cur_cmd is NULL. The subsequent doorbell\nring likely is unnecessary too, but it\u0027s harmless. Leave it alone.\n\nThis is probably Bug 219532, but no confirmation has been received.\n\nThe issue has been independently reproduced and confirmed fixed using\na USB MCU programmed to NAK the Status stage of SET_ADDRESS forever.\nEverything continued working normally after several prevented crashes."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T10:07:39.555Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/fd8bfaeba4a85b14427899adec0efb3954300653"
        },
        {
          "url": "https://git.kernel.org/stable/c/b44253956407046e5907d4d72c8fa5b93ae94485"
        },
        {
          "url": "https://git.kernel.org/stable/c/cf30300a216a4f8dce94e11781a866a09d4b50d4"
        },
        {
          "url": "https://git.kernel.org/stable/c/4ff18870af793ce2034a6ad746e91d0a3d985b88"
        },
        {
          "url": "https://git.kernel.org/stable/c/b649f0d5bc256f691c7d234c3986685d54053de1"
        },
        {
          "url": "https://git.kernel.org/stable/c/ae069cd2ba09a2bd6a87a68c59ef0b7ea39cd641"
        },
        {
          "url": "https://git.kernel.org/stable/c/0ce5c0dac768be14afe2426101b568a0f66bfc4d"
        },
        {
          "url": "https://git.kernel.org/stable/c/1e0a19912adb68a4b2b74fd77001c96cd83eb073"
        }
      ],
      "title": "usb: xhci: Fix NULL pointer dereference on certain command aborts",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-57981",
    "datePublished": "2025-02-27T02:07:07.489Z",
    "dateReserved": "2025-02-27T02:04:28.913Z",
    "dateUpdated": "2025-05-04T10:07:39.555Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-57981\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-02-27T02:15:11.293\",\"lastModified\":\"2025-03-13T13:15:43.150\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nusb: xhci: Fix NULL pointer dereference on certain command aborts\\n\\nIf a command is queued to the final usable TRB of a ring segment, the\\nenqueue pointer is advanced to the subsequent link TRB and no further.\\nIf the command is later aborted, when the abort completion is handled\\nthe dequeue pointer is advanced to the first TRB of the next segment.\\n\\nIf no further commands are queued, xhci_handle_stopped_cmd_ring() sees\\nthe ring pointers unequal and assumes that there is a pending command,\\nso it calls xhci_mod_cmd_timer() which crashes if cur_cmd was NULL.\\n\\nDon\u0027t attempt timer setup if cur_cmd is NULL. The subsequent doorbell\\nring likely is unnecessary too, but it\u0027s harmless. Leave it alone.\\n\\nThis is probably Bug 219532, but no confirmation has been received.\\n\\nThe issue has been independently reproduced and confirmed fixed using\\na USB MCU programmed to NAK the Status stage of SET_ADDRESS forever.\\nEverything continued working normally after several prevented crashes.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: usb: xhci: Fix NULL pointer dereference on certain command aborts Si un comando se pone en cola en el TRB utilizable final de un segmento de anillo, el puntero de encolado avanza al TRB de enlace posterior y no m\u00e1s all\u00e1. Si el comando se aborta m\u00e1s tarde, cuando se maneja la finalizaci\u00f3n del aborto, el puntero de desencolado avanza al primer TRB del siguiente segmento. Si no se ponen en cola m\u00e1s comandos, xhci_handle_stopped_cmd_ring() ve que los punteros de anillo son desiguales y supone que hay un comando pendiente, por lo que llama a xhci_mod_cmd_timer() que se bloquea si cur_cmd era NULL. No intente configurar el temporizador si cur_cmd es NULL. El timbre de puerta posterior probablemente tambi\u00e9n sea innecesario, pero es inofensivo. D\u00e9jelo en paz. Probablemente se trate del error 219532, pero no se ha recibido confirmaci\u00f3n. El problema se ha reproducido de forma independiente y se ha confirmado que se ha solucionado utilizando una MCU USB programada para anular la etapa de estado de SET_ADDRESS para siempre. Todo sigui\u00f3 funcionando normalmente despu\u00e9s de varios fallos evitados.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-476\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"3.16\",\"versionEndExcluding\":\"6.1.129\",\"matchCriteriaId\":\"9244F393-9DC7-4BC2-A176-D235D5853C12\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.2\",\"versionEndExcluding\":\"6.6.76\",\"matchCriteriaId\":\"A6D70701-9CB6-4222-A957-00A419878993\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.7\",\"versionEndExcluding\":\"6.12.13\",\"matchCriteriaId\":\"2897389C-A8C3-4D69-90F2-E701B3D66373\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.13\",\"versionEndExcluding\":\"6.13.2\",\"matchCriteriaId\":\"6D4116B1-1BFD-4F23-BA84-169CC05FC5A3\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/0ce5c0dac768be14afe2426101b568a0f66bfc4d\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Mailing List\",\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/1e0a19912adb68a4b2b74fd77001c96cd83eb073\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Mailing List\",\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/4ff18870af793ce2034a6ad746e91d0a3d985b88\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Mailing List\",\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/ae069cd2ba09a2bd6a87a68c59ef0b7ea39cd641\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Mailing List\",\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/b44253956407046e5907d4d72c8fa5b93ae94485\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/b649f0d5bc256f691c7d234c3986685d54053de1\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Mailing List\",\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/cf30300a216a4f8dce94e11781a866a09d4b50d4\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/fd8bfaeba4a85b14427899adec0efb3954300653\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.