PT-2024-36996 · Linux+6 · Linux Kernel+6

Hubert Wiśniewski

·

Published

2024-11-10

·

Updated

2025-10-03

·

CVE-2024-56687

CVSS v3.1

5.5

Medium

VectorAV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions Linux kernel (affected versions not specified)
Description A hardware lockup issue has been identified in the Linux kernel, specifically in the MUSB (Media Universal Serial Bus) driver. This issue can occur when a request's callback is invoked from within the usb ep queue() function, which can create deadlock situations. The problem arises when the gadget is initialized and a packet arrives, setting the RXPKTRDY flag and raising an interrupt. If IRQs (Interrupt Requests) are enabled during the complete callback, the endpoint can become locked up, preventing further packets from being received. This issue is particularly relevant to the USB Ethernet gadget, where the rx complete() callback calls netif rx(), which can disable and then re-enable IRQs. The situation is complex, involving multiple components and potential workarounds.
Recommendations To resolve this issue, consider the following approaches:
  1. Ensure that callbacks never enable IRQs, although this might be challenging to enforce due to the complexity of interactions between netif rx() and interrupts.
  2. Disable MUSB interrupts in musb g giveback() before calling the callback and re-enable them afterward to prevent MUSB interrupts from being handled during the callback.
  3. Modify the interrupt handler to clear the RXPKTRDY flag if the request queue is empty, although this approach may waste CPU time.
  4. Flush the Rx FIFO instead of calling rxstate() in musb ep restart() to ensure the hardware can receive packets when there is at least one request in the queue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Improper Locking

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-667

Related Identifiers

ALSA-2025_12746
ALSA-2025_12752
ALSA-2025_12753
ALSA-2025_16880
ALT-PU-2024-17893
ALT-PU-2025-12647
BDU:2025-04133
CVE-2024-56687
DLA-4076-1
OESA-2025-1093
OESA-2025-1097
OPENSUSE-SU-2025_0428-1
OPENSUSE-SU-2025_0499-1
OPENSUSE-SU-2025_0557-1
SUSE-SU-2025:0289-1
SUSE-SU-2025:0428-1
SUSE-SU-2025:0499-1
SUSE-SU-2025:0557-1
SUSE-SU-2025:20165-1
SUSE-SU-2025:20166-1
SUSE-SU-2025:20248-1
SUSE-SU-2025:20249-1
SUSE-SU-2025_0428-1
SUSE-SU-2025_0499-1
SUSE-SU-2025_0557-1
USN-7276-1
USN-7277-1
USN-7310-1
USN-7449-1
USN-7449-2
USN-7450-1
USN-7451-1
USN-7452-1
USN-7453-1
USN-7468-1
USN-7523-1
USN-7524-1

Affected Products

Alt Linux
Astra Linux
Linuxmint
Linux Kernel
Red Os
Suse
Ubuntu