Jun 20, 2024 - 11:13 a.m.

CVE-2022-48760 USB: core: Fix hang in usb_kill_urb by adding memory barriers

2024-06-20 11:13:38
Linux
github.com
Tags: linux kernel, usb core, memory barriers, vulnerability, smp systems, memory-access ordering, memory barriers enforcement

AI Score: 6.8 Medium (Confidence: Low)

EPSS: 0.0004 Low (Percentile: 13.1%)

In the Linux kernel, the following vulnerability has been resolved:

USB: core: Fix hang in usb_kill_urb by adding memory barriers

The syzbot fuzzer has identified a bug in which processes hang waiting
for usb_kill_urb() to return. It turns out the issue is not unlinking
the URB; that works just fine. Rather, the problem arises when the
wakeup notification that the URB has completed is not received.

The reason is memory-access ordering on SMP systems. In outline form,
usb_kill_urb() and __usb_hcd_giveback_urb() operating concurrently on
different CPUs perform the following actions:

    CPU 0                                   CPU 1

    usb_kill_urb():                         __usb_hcd_giveback_urb():
      …                                       …
      atomic_inc(&urb->reject);               atomic_dec(&urb->use_count);
      …                                       …
      wait_event(usb_kill_urb_queue,
            atomic_read(&urb->use_count) == 0);
                                              if (atomic_read(&urb->reject))
                                                    wake_up(&usb_kill_urb_queue);

Confining your attention to urb->reject and urb->use_count, you can
see that the overall pattern of accesses on CPU 0 is:

write urb->reject, then read urb->use_count;

whereas the overall pattern of accesses on CPU 1 is:

write urb->use_count, then read urb->reject.

This pattern is referred to in memory-model circles as SB (for “Store
Buffering”), and it is well known that without suitable enforcement of
the desired order of accesses – in the form of memory barriers – it
is entirely possible for one or both CPUs to execute their reads ahead
of their writes. The end result will be that sometimes CPU 0 sees the
old un-decremented value of urb->use_count while CPU 1 sees the old
un-incremented value of urb->reject. Consequently CPU 0 ends up on
the wait queue and never gets woken up, leading to the observed hang
in usb_kill_urb().

The same pattern of accesses occurs in usb_poison_urb() and the
failure pathway of usb_hcd_submit_urb().

The problem is fixed by adding suitable memory barriers. To provide
proper memory-access ordering in the SB pattern, a full barrier is
required on both CPUs. The atomic_inc() and atomic_dec() accesses
themselves don’t provide any memory ordering, but since they are
present, we can use the optimized smp_mb__after_atomic() memory
barrier in the various routines to obtain the desired effect.

This patch adds the necessary memory barriers.
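
The store-buffering outcome described above, as an added example (not code from the kernel or from the patch): an exhaustive checker over a toy machine in which each CPU has a one-entry store buffer. The machine model, the names `explore()` and `sb_hang_possible()`, and treating atomic_inc()/atomic_dec() as plain buffered stores are assumptions for illustration; the `barrier` flag stands in for the full barrier the fix places between each CPU's write and its read.

```c
#include <stdbool.h>
#include <stdio.h>

/* Assumed toy machine, not kernel code: one-entry store buffer per CPU. */
enum { REJECT, USE_COUNT };
struct cpu { int pc; bool pending; int reg; };
struct state { int mem[2]; struct cpu cpu[2]; };

/* Walk every interleaving; true if some run ends in the missed wakeup. */
static bool explore(struct state s, bool barrier)
{
    bool terminal = true, hang = false;
    for (int i = 0; i < 2; i++) {
        int wr = i ? USE_COUNT : REJECT;  /* CPU 0 writes reject, CPU 1 use_count */
        int rd = i ? REJECT : USE_COUNT;  /* and each reads the other variable */
        struct state n = s;
        if (s.cpu[i].pending) {           /* buffered store drains to memory */
            n.mem[wr] = i ? 0 : 1;
            n.cpu[i].pending = false;
            terminal = false;
            hang |= explore(n, barrier);
            n = s;
        }
        if (s.cpu[i].pc == 2 || (s.cpu[i].pc == 1 && barrier && s.cpu[i].pending))
            continue;                     /* finished, or stalled on the barrier */
        if (s.cpu[i].pc == 0)
            n.cpu[i].pending = true;      /* atomic_inc()/atomic_dec() as a buffered store */
        else
            n.cpu[i].reg = s.mem[rd];     /* atomic_read() of the other variable */
        n.cpu[i].pc++;
        terminal = false;
        hang |= explore(n, barrier);
    }
    /* Hang: CPU 0 saw use_count != 0 (sleeps), CPU 1 saw reject == 0 (no wake_up). */
    return terminal ? (s.cpu[0].reg != 0 && s.cpu[1].reg == 0) : hang;
}

/* barrier=true: a full barrier sits between each CPU's write and its read. */
bool sb_hang_possible(bool barrier)
{
    struct state init = { .mem = { 0, 1 } };  /* reject = 0, use_count = 1 */
    return explore(init, barrier);
}

int main(void)
{
    printf("hang reachable: %d (no barrier), %d (barrier)\n",
           sb_hang_possible(false), sb_hang_possible(true));
    return 0;
}
```

Without the barrier the checker finds a run in which both reads happen before either store drains; with it, whichever CPU reads second must see the other's store, so at least one side takes the wakeup path.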

CNA Affected

[
  {
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "vendor": "Linux",
    "product": "Linux",
    "versions": [
      {
        "status": "affected",
        "version": "1da177e4c3f4",
        "lessThan": "5f138ef224df",
        "versionType": "git"
      },
      {
        "status": "affected",
        "version": "1da177e4c3f4",
        "lessThan": "b50f5ca60475",
        "versionType": "git"
      },
      {
        "status": "affected",
        "version": "1da177e4c3f4",
        "lessThan": "546ba238535d",
        "versionType": "git"
      },
      {
        "status": "affected",
        "version": "1da177e4c3f4",
        "lessThan": "5904dfd3ddaf",
        "versionType": "git"
      },
      {
        "status": "affected",
        "version": "1da177e4c3f4",
        "lessThan": "9c61fce322ac",
        "versionType": "git"
      },
      {
        "status": "affected",
        "version": "1da177e4c3f4",
        "lessThan": "e3b131e30e61",
        "versionType": "git"
      },
      {
        "status": "affected",
        "version": "1da177e4c3f4",
        "lessThan": "9340226388c6",
        "versionType": "git"
      },
      {
        "status": "affected",
        "version": "1da177e4c3f4",
        "lessThan": "c9a18f7c5b07",
        "versionType": "git"
      },
      {
        "status": "affected",
        "version": "1da177e4c3f4",
        "lessThan": "26fbe9772b8c",
        "versionType": "git"
      }
    ],
    "programFiles": [
      "drivers/usb/core/hcd.c",
      "drivers/usb/core/urb.c"
    ],
    "defaultStatus": "unaffected"
  },
  {
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "vendor": "Linux",
    "product": "Linux",
    "versions": [
      {
        "status": "unaffected",
        "version": "4.4.302",
        "versionType": "custom",
        "lessThanOrEqual": "4.4.*"
      },
      {
        "status": "unaffected",
        "version": "4.9.300",
        "versionType": "custom",
        "lessThanOrEqual": "4.9.*"
      },
      {
        "status": "unaffected",
        "version": "4.14.265",
        "versionType": "custom",
        "lessThanOrEqual": "4.14.*"
      },
      {
        "status": "unaffected",
        "version": "4.19.228",
        "versionType": "custom",
        "lessThanOrEqual": "4.19.*"
      },
      {
        "status": "unaffected",
        "version": "5.4.176",
        "versionType": "custom",
        "lessThanOrEqual": "5.4.*"
      },
      {
        "status": "unaffected",
        "version": "5.10.96",
        "versionType": "custom",
        "lessThanOrEqual": "5.10.*"
      },
      {
        "status": "unaffected",
        "version": "5.15.19",
        "versionType": "custom",
        "lessThanOrEqual": "5.15.*"
      },
      {
        "status": "unaffected",
        "version": "5.16.5",
        "versionType": "custom",
        "lessThanOrEqual": "5.16.*"
      },
      {
        "status": "unaffected",
        "version": "5.17",
        "versionType": "original_commit_for_fix",
        "lessThanOrEqual": "*"
      }
    ],
    "programFiles": [
      "drivers/usb/core/hcd.c",
      "drivers/usb/core/urb.c"
    ],
    "defaultStatus": "affected"
  }
]
