{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-46675", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-09-11T15:12:18.247Z", "datePublished": "2024-09-13T05:29:10.987Z", "dateUpdated": "2024-09-15T17:57:24.582Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-09-15T17:57:24.582Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: dwc3: core: Prevent USB core invalid event buffer address access\n\nThis commit addresses an issue where the USB core could access an\ninvalid event buffer address during runtime suspend, potentially causing\nSMMU faults and other memory issues in Exynos platforms. The problem\narises from the following sequence.\n 1. In dwc3_gadget_suspend, there is a chance of a timeout when\n moving the USB core to the halt state after clearing the\n run/stop bit by software.\n 2. In dwc3_core_exit, the event buffer is cleared regardless of\n the USB core's status, which may lead to an SMMU faults and\n other memory issues. if the USB core tries to access the event\n buffer address.\n\nTo prevent this hardware quirk on Exynos platforms, this commit ensures\nthat the event buffer address is not cleared by software when the USB\ncore is active during runtime suspend by checking its status before\nclearing the buffer address."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/usb/dwc3/core.c"], "versions": [{"version": "1da177e4c3f4", "lessThan": "eca3f543f817", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f4", "lessThan": "d2afc2bffec7", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f4", "lessThan": "b72da4d89b97", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f4", "lessThan": "111277b881de", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f4", "lessThan": "2189fd13c577", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f4", "lessThan": "7bb11a75dd4d", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f4", "lessThan": "e23f6ad8d110", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f4", "lessThan": "14e497183df2", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/usb/dwc3/core.c"], "versions": [{"version": "4.19.321", "lessThanOrEqual": "4.19.*", "status": "unaffected", "versionType": "custom"}, {"version": "5.4.283", "lessThanOrEqual": "5.4.*", "status": "unaffected", "versionType": "custom"}, {"version": "5.10.225", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "custom"}, {"version": "5.15.166", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "custom"}, {"version": "6.1.108", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "custom"}, {"version": "6.6.49", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "custom"}, {"version": "6.10.8", "lessThanOrEqual": "6.10.*", "status": "unaffected", "versionType": "custom"}, {"version": "6.11", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "references": [{"url": "https://git.kernel.org/stable/c/eca3f543f817da87c00d1a5697b473efb548204f"}, {"url": "https://git.kernel.org/stable/c/d2afc2bffec77316b90d530b07695e3f534df914"}, {"url": "https://git.kernel.org/stable/c/b72da4d89b97da71e056cc4d1429b2bc426a9c2f"}, {"url": "https://git.kernel.org/stable/c/111277b881def3153335acfe0d1f43e6cd83ac93"}, {"url": "https://git.kernel.org/stable/c/2189fd13c577d7881f94affc09c950a795064c4b"}, {"url": "https://git.kernel.org/stable/c/7bb11a75dd4d3612378b90e2a4aa49bdccea28ab"}, {"url": "https://git.kernel.org/stable/c/e23f6ad8d110bf632f7471482e10b43dc174fb72"}, {"url": "https://git.kernel.org/stable/c/14e497183df28c006603cc67fd3797a537eef7b9"}], "title": "usb: dwc3: core: Prevent USB core invalid event buffer address access", "x_generator": {"engine": "bippy-c9c4e1df01b2"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "5131A29D-7B39-48FD-A512-B4599B486AB6", "versionEndExcluding": "4.19.321", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "8E6B390A-0CE6-44FC-8CD5-BE8226D6D24C", "versionEndExcluding": "5.4.283", "versionStartIncluding": "4.20", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "C57B46A9-B105-4792-8481-1870DEFB436A", "versionEndExcluding": "5.10.225", "versionStartIncluding": "5.5", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "913ED6CD-8ACF-48AF-AA18-7880881DD402", "versionEndExcluding": "5.15.166", "versionStartIncluding": "5.11", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "9B5BE381-F079-43D9-AEF2-931856B13219", "versionEndExcluding": "6.1.108", "versionStartIncluding": "5.16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "1191B7F1-F275-45F5-9E82-A012FF517BFA", "versionEndExcluding": "6.6.49", "versionStartIncluding": "6.2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "1B5D46C3-56A4-4380-9309-27BF73DF29A7", "versionEndExcluding": "6.10.8", "versionStartIncluding": "6.7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.11:rc1:*:*:*:*:*:*", "matchCriteriaId": "8B3CE743-2126-47A3-8B7C-822B502CF119", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.11:rc2:*:*:*:*:*:*", "matchCriteriaId": "4DEB27E7-30AA-45CC-8934-B89263EF3551", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.11:rc3:*:*:*:*:*:*", "matchCriteriaId": "E0005AEF-856E-47EB-BFE4-90C46899394D", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.11:rc4:*:*:*:*:*:*", "matchCriteriaId": "39889A68-6D34-47A6-82FC-CD0BF23D6754", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.11:rc5:*:*:*:*:*:*", "matchCriteriaId": "B8383ABF-1457-401F-9B61-EE50F4C61F4F", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: dwc3: core: Prevent USB core invalid event buffer address access\n\nThis commit addresses an issue where the USB core could access an\ninvalid event buffer address during runtime suspend, potentially causing\nSMMU faults and other memory issues in Exynos platforms. The problem\narises from the following sequence.\n 1. In dwc3_gadget_suspend, there is a chance of a timeout when\n moving the USB core to the halt state after clearing the\n run/stop bit by software.\n 2. In dwc3_core_exit, the event buffer is cleared regardless of\n the USB core's status, which may lead to an SMMU faults and\n other memory issues. if the USB core tries to access the event\n buffer address.\n\nTo prevent this hardware quirk on Exynos platforms, this commit ensures\nthat the event buffer address is not cleared by software when the USB\ncore is active during runtime suspend by checking its status before\nclearing the buffer address."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: usb: dwc3: core: Impedir el acceso a una direcci\u00f3n de b\u00fafer de eventos no v\u00e1lida del n\u00facleo USB Esta confirmaci\u00f3n soluciona un problema en el que el n\u00facleo USB podr\u00eda acceder a una direcci\u00f3n de b\u00fafer de eventos no v\u00e1lida durante la suspensi\u00f3n en tiempo de ejecuci\u00f3n, lo que podr\u00eda provocar fallos de SMMU y otros problemas de memoria en las plataformas Exynos. El problema surge de la siguiente secuencia. 1. En dwc3_gadget_suspend, existe la posibilidad de que se agote el tiempo de espera al mover el n\u00facleo USB al estado de detenci\u00f3n despu\u00e9s de borrar el bit de ejecuci\u00f3n/detenci\u00f3n por software. 2. En dwc3_core_exit, el b\u00fafer de eventos se borra independientemente del estado del n\u00facleo USB, lo que puede provocar fallos de SMMU y otros problemas de memoria si el n\u00facleo USB intenta acceder a la direcci\u00f3n del b\u00fafer de eventos. Para evitar esta peculiaridad del hardware en las plataformas Exynos, esta confirmaci\u00f3n garantiza que el software no borre la direcci\u00f3n del b\u00fafer de eventos cuando el n\u00facleo USB est\u00e9 activo durante la suspensi\u00f3n en tiempo de ejecuci\u00f3n comprobando su estado antes de borrar la direcci\u00f3n del b\u00fafer."}], "id": "CVE-2024-46675", "lastModified": "2024-09-20T17:18:48.753", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-09-13T06:15:12.117", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/111277b881def3153335acfe0d1f43e6cd83ac93"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/14e497183df28c006603cc67fd3797a537eef7b9"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/2189fd13c577d7881f94affc09c950a795064c4b"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/7bb11a75dd4d3612378b90e2a4aa49bdccea28ab"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/b72da4d89b97da71e056cc4d1429b2bc426a9c2f"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/d2afc2bffec77316b90d530b07695e3f534df914"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/e23f6ad8d110bf632f7471482e10b43dc174fb72"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/eca3f543f817da87c00d1a5697b473efb548204f"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: usb: dwc3: core: Prevent USB core invalid event buffer address access", "id": "2312063", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2312063"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "details": ["In the Linux kernel, the following vulnerability has been resolved:\nusb: dwc3: core: Prevent USB core invalid event buffer address access\nThis commit addresses an issue where the USB core could access an\ninvalid event buffer address during runtime suspend, potentially causing\nSMMU faults and other memory issues in Exynos platforms. The problem\narises from the following sequence.\n1. In dwc3_gadget_suspend, there is a chance of a timeout when\nmoving the USB core to the halt state after clearing the\nrun/stop bit by software.\n2. In dwc3_core_exit, the event buffer is cleared regardless of\nthe USB core's status, which may lead to an SMMU faults and\nother memory issues. if the USB core tries to access the event\nbuffer address.\nTo prevent this hardware quirk on Exynos platforms, this commit ensures\nthat the event buffer address is not cleared by software when the USB\ncore is active during runtime suspend by checking its status before\nclearing the buffer address."], "name": "CVE-2024-46675", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-09-13T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-46675\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-46675\nhttps://lore.kernel.org/linux-cve-announce/2024091335-CVE-2024-46675-ba70@gregkh/T"], "threat_severity": "Low"}