CVE-2024-36950: firewire: ohci: mask bus reset interrupts between ISR and bottom half
In the Linux kernel, the following vulnerability has been resolved:
firewire: ohci: mask bus reset interrupts between ISR and bottom half
In the FireWire OHCI interrupt handler, if a bus reset interrupt has occurred, mask bus reset interrupts until busresetwork has serviced and cleared the interrupt.
Normally, we always leave bus reset interrupts masked. We infer the bus reset from the self-ID interrupt that happens shortly thereafter. A scenario where we unmask bus reset interrupts was introduced in 2008 in a007bb857e0b26f5d8b73c2ff90782d9c0972620: If OHCIPARAMDEBUGBUSRESETS (8) is set in the debug parameter bitmask, we will unmask bus reset interrupts so we can log them.
irqhandler logs the bus reset interrupt. However, we can't clear the bus reset event flag in irqhandler, because we won't service the event until later. irqhandler exits with the event flag still set. If the corresponding interrupt is still unmasked, the first bus reset will usually freeze the system due to irqhandler being called again each time it exits. This freeze can be reproduced by loading firewireohci with "modprobe firewireohci debug=-1" (to enable all debugging output). Apparently there are also some cases where busresetwork will get called soon enough to clear the event, and operation will continue normally.
This freeze was first reported a few months after a007bb85 was committed, but until now it was never fixed. The debug level could safely be set to -1 through sysfs after the module was loaded, but this would be ineffectual in logging bus reset interrupts since they were only unmasked during initialization.
irqhandler will now leave the event flag set but mask bus reset interrupts, so irqhandler won't be called again and there will be no freeze. If OHCIPARAMDEBUGBUSRESETS is enabled, busresetwork will unmask the interrupt after servicing the event, so future interrupts will be caught as desired.
As a side effect to this change, OHCIPARAMDEBUGBUSRESETS can now be enabled through sysfs in addition to during initial module loading. However, when enabled through sysfs, logging of bus reset interrupts will be effective only starting with the second bus reset, after busresetwork has executed.
Other sources
In the Linux kernel, the following vulnerability has been resolved:
firewire: ohci: mask bus reset interrupts between ISR and bottom half
The Linux kernel CVE team has assigned CVE-2024-36950 to this issue.
Upstream advisory: https://lore.kernel.org/linux-cve-announce/2024053040-CVE-2024-36950-9f0e@gregkh/T
— Red Hat
Linux Kernel is vulnerable to a denial of service, caused by an error related to mask bus reset interrupts between ISR and bottom half. A local attacker could exploit this vulnerability to cause a denial of service.
— IBM
Affected Software
Remediation
Event History
Frequently Asked Questions
What is the severity of CVE-2024-36950?
CVE-2024-36950 has been classified as having a moderate severity level.
How do I fix CVE-2024-36950?
To fix CVE-2024-36950, upgrade to one of the specified kernel versions: 4.19.314, 5.4.276, 5.10.217, 5.15.159, 6.1.91, 6.6.31, 6.8.10, or 6.9.
What impact does CVE-2024-36950 have on my system?
CVE-2024-36950 can lead to improper handling of FireWire bus reset interrupts, affecting system stability.
Which Linux kernel versions are affected by CVE-2024-36950?
Affected versions include kernel versions prior to 4.19.314, 5.4.276, 5.10.217, 5.15.159, 6.1.91, 6.6.31, 6.8.10, and 6.9.
Is CVE-2024-36950 specific to any Linux distribution?
Yes, CVE-2024-36950 primarily affects Red Hat and Debian-based systems using the specified kernel versions.