CVE-2024-38567

2024-06-1914:15:16

416baaa9-dc9f-4396-8d5f-8c081fb06d67

web.nvd.nist.gov

linux kernel

wifi vulnerability

cve-2024-38567

sanity check

endpoint

syzkaller

6.6 Medium

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

13.1%

JSON

In the Linux kernel, the following vulnerability has been resolved:

wifi: carl9170: add a proper sanity check for endpoints

Syzkaller reports [1] hitting a warning which is caused by presence
of a wrong endpoint type at the URB sumbitting stage. While there
was a check for a specific 4th endpoint, since it can switch types
between bulk and interrupt, other endpoints are trusted implicitly.
Similar warning is triggered in a couple of other syzbot issues [2].

Fix the issue by doing a comprehensive check of all endpoints
taking into account difference between high- and full-speed
configuration.

[1] Syzkaller report:
…
WARNING: CPU: 0 PID: 4721 at drivers/usb/core/urb.c:504 usb_submit_urb+0xed6/0x1880 drivers/usb/core/urb.c:504
…
Call Trace:
<TASK>
carl9170_usb_send_rx_irq_urb+0x273/0x340 drivers/net/wireless/ath/carl9170/usb.c:504
carl9170_usb_init_device drivers/net/wireless/ath/carl9170/usb.c:939 [inline]
carl9170_usb_firmware_finish drivers/net/wireless/ath/carl9170/usb.c:999 [inline]
carl9170_usb_firmware_step2+0x175/0x240 drivers/net/wireless/ath/carl9170/usb.c:1028
request_firmware_work_func+0x130/0x240 drivers/base/firmware_loader/main.c:1107
process_one_work+0x9bf/0x1710 kernel/workqueue.c:2289
worker_thread+0x669/0x1090 kernel/workqueue.c:2436
kthread+0x2e8/0x3a0 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308
</TASK>

[2] Related syzkaller crashes:

Affected configurations

Vulners

Node

linuxlinux_kernelRange2.6.37–4.19.316

linuxlinux_kernelRange4.20.0–5.4.278

linuxlinux_kernelRange5.5.0–5.10.219

linuxlinux_kernelRange5.11.0–5.15.161

linuxlinux_kernelRange5.16.0–6.1.93

linuxlinux_kernelRange6.2.0–6.6.33

linuxlinux_kernelRange6.7.0–6.8.12

linuxlinux_kernelRange6.9.0–6.9.3

linuxlinux_kernelRange6.10.0–6.10-rc1

CNA Affected

[
  {
    "product": "Linux",
    "vendor": "Linux",
    "defaultStatus": "unaffected",
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "programFiles": [
      "drivers/net/wireless/ath/carl9170/usb.c"
    ],
    "versions": [
      {
        "version": "a84fab3cbfdc",
        "lessThan": "eb0f2fc3ff58",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "a84fab3cbfdc",
        "lessThan": "ac3ed46a8741",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "a84fab3cbfdc",
        "lessThan": "8650725bb0a4",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "a84fab3cbfdc",
        "lessThan": "6a9892bf24c9",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "a84fab3cbfdc",
        "lessThan": "265c3cda471c",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "a84fab3cbfdc",
        "lessThan": "62eb07923f36",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "a84fab3cbfdc",
        "lessThan": "03ddc74bdfd7",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "a84fab3cbfdc",
        "lessThan": "0fa08a55201a",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "a84fab3cbfdc",
        "lessThan": "b6dd09b3dac8",
        "status": "affected",
        "versionType": "git"
      }
    ]
  },
  {
    "product": "Linux",
    "vendor": "Linux",
    "defaultStatus": "affected",
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "programFiles": [
      "drivers/net/wireless/ath/carl9170/usb.c"
    ],
    "versions": [
      {
        "version": "2.6.37",
        "status": "affected"
      },
      {
        "version": "0",
        "lessThan": "2.6.37",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "4.19.316",
        "lessThanOrEqual": "4.19.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "5.4.278",
        "lessThanOrEqual": "5.4.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "5.10.219",
        "lessThanOrEqual": "5.10.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "5.15.161",
        "lessThanOrEqual": "5.15.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "6.1.93",
        "lessThanOrEqual": "6.1.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "6.6.33",
        "lessThanOrEqual": "6.6.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "6.8.12",
        "lessThanOrEqual": "6.8.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "6.9.3",
        "lessThanOrEqual": "6.9.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "6.10-rc1",
        "lessThanOrEqual": "*",
        "status": "unaffected",
        "versionType": "original_commit_for_fix"
      }
    ]
  }
]