In the Linux kernel, the following vulnerability has been resolved:
firewire: ohci: mask bus reset interrupts between ISR and bottom half In
the FireWire OHCI interrupt handler, if a bus reset interrupt has occurred,
mask bus reset interrupts until bus_reset_work has serviced and cleared the
interrupt. Normally, we always leave bus reset interrupts masked. We infer
the bus reset from the self-ID interrupt that happens shortly thereafter. A
scenario where we unmask bus reset interrupts was introduced in 2008 in
a007bb857e0b26f5d8b73c2ff90782d9c0972620: If OHCI_PARAM_DEBUG_BUSRESETS (8)
is set in the debug parameter bitmask, we will unmask bus reset interrupts
so we can log them. irq_handler logs the bus reset interrupt. However, we
can’t clear the bus reset event flag in irq_handler, because we won’t
service the event until later. irq_handler exits with the event flag still
set. If the corresponding interrupt is still unmasked, the first bus reset
will usually freeze the system due to irq_handler being called again each
time it exits. This freeze can be reproduced by loading firewire_ohci with
“modprobe firewire_ohci debug=-1” (to enable all debugging output).
Apparently there are also some cases where bus_reset_work will get called
soon enough to clear the event, and operation will continue normally. This
freeze was first reported a few months after a007bb85 was committed, but
until now it was never fixed. The debug level could safely be set to -1
through sysfs after the module was loaded, but this would be ineffectual in
logging bus reset interrupts since they were only unmasked during
initialization. irq_handler will now leave the event flag set but mask bus
reset interrupts, so irq_handler won’t be called again and there will be no
freeze. If OHCI_PARAM_DEBUG_BUSRESETS is enabled, bus_reset_work will
unmask the interrupt after servicing the event, so future interrupts will
be caught as desired. As a side effect to this change,
OHCI_PARAM_DEBUG_BUSRESETS can now be enabled through sysfs in addition to
during initial module loading. However, when enabled through sysfs, logging
of bus reset interrupts will be effective only starting with the second bus
reset, after bus_reset_work has executed.
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
ubuntu | 20.04 | noarch | linux | < any | UNKNOWN |
ubuntu | 22.04 | noarch | linux | < any | UNKNOWN |
ubuntu | 23.10 | noarch | linux | < any | UNKNOWN |
ubuntu | 24.04 | noarch | linux | < any | UNKNOWN |
ubuntu | 20.04 | noarch | linux-aws | < any | UNKNOWN |
ubuntu | 22.04 | noarch | linux-aws | < any | UNKNOWN |
ubuntu | 23.10 | noarch | linux-aws | < any | UNKNOWN |
ubuntu | 24.04 | noarch | linux-aws | < any | UNKNOWN |
ubuntu | 20.04 | noarch | linux-aws-5.15 | < any | UNKNOWN |
ubuntu | 22.04 | noarch | linux-aws-6.5 | < any | UNKNOWN |
git.kernel.org/linus/752e3c53de0fa3b7d817a83050b6699b8e9c6ec9 (6.9-rc3)
git.kernel.org/stable/c/31279bbca40d2f40cb3bbb6d538ec9620a645dec
git.kernel.org/stable/c/4f9cc355c328fc4f41cbd9c4cd58b235184fa420
git.kernel.org/stable/c/5982887de60c1b84f9c0ca07c835814d07fd1da0
git.kernel.org/stable/c/6fafe3661712b143d9c69a7322294bd53f559d5d
git.kernel.org/stable/c/752e3c53de0fa3b7d817a83050b6699b8e9c6ec9
git.kernel.org/stable/c/8643332aac0576581cfdf01798ea3e4e0d624b61
git.kernel.org/stable/c/b3948c69d60279fce5b2eeda92a07d66296c8130
git.kernel.org/stable/c/fa273f312334246c909475c5868e6daab889cc8c
launchpad.net/bugs/cve/CVE-2024-36950
nvd.nist.gov/vuln/detail/CVE-2024-36950
security-tracker.debian.org/tracker/CVE-2024-36950
www.cve.org/CVERecord?id=CVE-2024-36950