CVE-2024-26934: USB: core: Fix deadlock in usb_deauthorize_interface()
In the Linux kernel, the following vulnerability has been resolved:
USB: core: Fix deadlock in usbdeauthorizeinterface()
Among the attribute file callback routines in drivers/usb/core/sysfs.c, the interfaceauthorizedstore() function is the only one which acquires a device lock on an ancestor device: It calls usbdeauthorizeinterface(), which locks the interface's parent USB device.
The will lead to deadlock if another process already owns that lock and tries to remove the interface, whether through a configuration change or because the device has been disconnected. As part of the removal procedure, devicedel() waits for all ongoing sysfs attribute callbacks to complete. But usbdeauthorizeinterface() can't complete until the device lock has been released, and the lock won't be released until the removal has finished.
The mechanism provided by sysfs to prevent this kind of deadlock is to use the sysfsbreakactiveprotection() function, which tells sysfs not to wait for the attribute callback.
Reported-and-tested by: Yue Sun <samsun1006219@gmail.com> Reported by: xingwei lee <xrivendell7@gmail.com>
Other sources
In the Linux kernel, the following vulnerability has been resolved:
USB: core: Fix deadlock in usbdeauthorizeinterface()
The Linux kernel CVE team has assigned CVE-2024-26934 to this issue.
Upstream advisory: https://lore.kernel.org/linux-cve-announce/2024050123-CVE-2024-26934-e2fc@gregkh/T
— Red Hat
Linux Kernel is vulnerable to a denial of service, caused by a deadlock in usbdeauthorizeinterface(). By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service.
— IBM
Affected Software
Remediation
Event History
Frequently Asked Questions
What is the severity of CVE-2024-26934?
CVE-2024-26934 has a high severity due to the potential for deadlock within the USB subsystem of the Linux kernel.
How do I fix CVE-2024-26934?
To fix CVE-2024-26934, update your kernel to versions 4.19.312, 5.4.274, 5.10.215, 5.15.154, 6.1.84, 6.6.24, 6.7.12, 6.8.3, or 6.9.
Which versions of the Linux kernel are affected by CVE-2024-26934?
CVE-2024-26934 affects multiple versions of the Linux kernel prior to 4.19.312, 5.4.274, 5.10.215, 5.15.154, 6.1.84, 6.6.24, 6.7.12, 6.8.3, and 6.9.
What is the impact of CVE-2024-26934?
CVE-2024-26934 can lead to a deadlock situation when performing specific USB interface authorization actions.
Who is responsible for patching CVE-2024-26934?
It is the responsibility of the system administrators and maintainers to apply the necessary patches provided by Linux kernel maintainers.