CVE-2022-48760: USB: core: Fix hang in usb_kill_urb by adding memory barriers
In the Linux kernel, the following vulnerability has been resolved:
USB: core: Fix hang in usbkillurb by adding memory barriers
The Linux kernel CVE team has assigned CVE-2022-48760 to this issue.
Upstream advisory: https://lore.kernel.org/linux-cve-announce/2024062008-CVE-2022-48760-b80e@gregkh/T
Other sources
In the Linux kernel, the following vulnerability has been resolved:
USB: core: Fix hang in usbkillurb by adding memory barriers
The syzbot fuzzer has identified a bug in which processes hang waiting for usbkillurb() to return. It turns out the issue is not unlinking the URB; that works just fine. Rather, the problem arises when the wakeup notification that the URB has completed is not received.
The reason is memory-access ordering on SMP systems. In outline form, usbkillurb() and usbhcdgivebackurb() operating concurrently on different CPUs perform the following actions:
CPU 0 CPU 1 ---------------------------- --------------------------------- usbkillurb(): usbhcdgivebackurb(): ... ... atomicinc(&urb->reject); atomicdec(&urb->usecount); ... ... waitevent(usbkillurbqueue, atomicread(&urb->usecount) == 0); if (atomicread(&urb->reject)) wakeup(&usbkillurbqueue);
Confining your attention to urb->reject and urb->usecount, you can see that the overall pattern of accesses on CPU 0 is:
write urb->reject, then read urb->usecount;
whereas the overall pattern of accesses on CPU 1 is:
write urb->usecount, then read urb->reject.
This pattern is referred to in memory-model circles as SB (for "Store Buffering"), and it is well known that without suitable enforcement of the desired order of accesses -- in the form of memory barriers -- it is entirely possible for one or both CPUs to execute their reads ahead of their writes. The end result will be that sometimes CPU 0 sees the old un-decremented value of urb->usecount while CPU 1 sees the old un-incremented value of urb->reject. Consequently CPU 0 ends up on the wait queue and never gets woken up, leading to the observed hang in usbkillurb().
The same pattern of accesses occurs in usbpoisonurb() and the failure pathway of usbhcdsubmiturb().
The problem is fixed by adding suitable memory barriers. To provide proper memory-access ordering in the SB pattern, a full barrier is required on both CPUs. The atomicinc() and atomicdec() accesses themselves don't provide any memory ordering, but since they are present, we can use the optimized smpmbafteratomic() memory barrier in the various routines to obtain the desired effect.
This patch adds the necessary memory barriers.
— IBM
Affected Software
Remediation
Event History
Frequently Asked Questions
What is the severity of CVE-2022-48760?
CVE-2022-48760 has been classified as a moderate severity vulnerability affecting the Linux kernel.
How do I fix CVE-2022-48760?
To fix CVE-2022-48760, update your Linux kernel to version 4.4.302, 4.9.300, 4.14.265, 4.19.228, 5.4.176, 5.10.96, 5.15.19, 5.16.5, or 5.17.
What systems are affected by CVE-2022-48760?
CVE-2022-48760 affects multiple versions of the Linux kernel across various distributions.
What is the nature of the vulnerability in CVE-2022-48760?
CVE-2022-48760 relates to a hang issue in the usb_kill_urb function due to the lack of memory barriers.
Is there any workaround for CVE-2022-48760?
There are no recommended workarounds for CVE-2022-48760; updating the kernel is the best mitigation.