CVE-2024-36950: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:
firewire: ohci: mask bus reset interrupts between ISR and bottom half
In the FireWire OHCI interrupt handler, if a bus reset interrupt has occurred, mask bus reset interrupts until bus_reset_work has serviced and cleared the interrupt.
Normally, we always leave bus reset interrupts masked. We infer the bus reset from the self-ID interrupt that happens shortly thereafter. A scenario where we unmask bus reset interrupts was introduced in 2008 in a007bb857e0b26f5d8b73c2ff90782d9c0972620: If OHCI_PARAM_DEBUG_BUSRESETS (8) is set in the debug parameter bitmask, we will unmask bus reset interrupts so we can log them.
irq_handler logs the bus reset interrupt. However, we can't clear the bus reset event flag in irq_handler, because we won't service the event until later. irq_handler exits with the event flag still set. If the corresponding interrupt is still unmasked, the first bus reset will usually freeze the system due to irq_handler being called again each time it exits.
This freeze can be reproduced by loading firewire_ohci with "modprobe firewire_ohci debug=-1" (to enable all debugging output). Apparently there are also some cases where bus_reset_work will get called soon enough to clear the event, and operation will continue normally.
This freeze was first reported a few months after a007bb85 was committed, but until now it was never fixed. The debug level could safely be set to -1 through sysfs after the module was loaded, but this would be ineffectual in logging bus reset interrupts since they were only unmasked during initialization.
irq_handler will now leave the event flag set but mask bus reset interrupts, so irq_handler won't be called again and there will be no freeze. If OHCI_PARAM_DEBUG_BUSRESETS is enabled, bus_reset_work will unmask the interrupt after servicing the event, so future interrupts will be caught as desired.
As a side effect to this change, OHCI_PARAM_DEBUG_BUSRESETS can now be enabled through sysfs in addition to during initial module loading. However, when enabled through sysfs, logging of bus reset interrupts will be effective only starting with the second bus reset, after bus_reset_work has executed.
AI Analysis
Technical Summary
CVE-2024-36950 addresses a vulnerability in the Linux kernel's FireWire OHCI (Open Host Controller Interface) driver related to the handling of bus reset interrupts. FireWire (IEEE 1394) is a high-speed serial bus interface used for data transfer, and the OHCI driver manages its hardware interrupts. The vulnerability arises from improper masking of bus reset interrupts between the interrupt service routine (ISR) and the deferred work handler (bottom half). Specifically, when the debug parameter OHCI_PARAM_DEBUG_BUSRESETS is enabled, the driver unmasks bus reset interrupts to log them. The interrupt handler (irq_handler) logs the interrupt but cannot clear the bus reset event flag, because the event is serviced later in bus_reset_work. Since the interrupt remains unmasked, irq_handler is invoked again each time it exits, and the system freezes under continuous interrupt handling. This issue was introduced in 2008 and remained unpatched until now. With the fix, irq_handler leaves the event flag set but masks bus reset interrupts until bus_reset_work has serviced and cleared the event, which prevents the repeated interrupts and the freeze. As a side effect, OHCI_PARAM_DEBUG_BUSRESETS can now also be enabled through sysfs, though logging then takes effect only starting with the second bus reset, after bus_reset_work has executed. The vulnerability does not affect confidentiality or integrity but impacts availability by causing system freezes under specific debug configurations.
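The interrupt storm and the masking fix described above, as a single-CPU model in C. This is an added illustration, not the kernel's code: the register model, the event bit positions, STORM_LIMIT and simulate_resets are assumptions, and only the names irq_handler, bus_reset_work and the value 8 for OHCI_PARAM_DEBUG_BUSRESETS come from the description.

```c
#include <stdbool.h>
#include <stdint.h>

#define EV_BUS_RESET (1u << 0)        /* constructed bit positions for the model */
#define EV_SELFID    (1u << 1)
#define OHCI_PARAM_DEBUG_BUSRESETS 8  /* value given in the description */
#define STORM_LIMIT 1000              /* ISR re-entries treated as a freeze */

struct model_ohci {
    uint32_t event, mask;             /* latched event flags, enabled sources */
    int debug, logged;                /* debug bitmask, bus resets logged */
    bool fixed, work_pending;         /* patched driver?, bus_reset_work queued? */
};

static void irq_handler(struct model_ohci *o)
{
    uint32_t ev = o->event & o->mask;          /* handler sees unmasked events only */
    o->event &= ~(ev & ~EV_BUS_RESET);         /* ack all but bus reset, serviced later */
    if (ev & EV_BUS_RESET) {
        o->logged++;
        if (o->fixed)
            o->mask &= ~EV_BUS_RESET;          /* the fix: mask until the bottom half runs */
    }
    o->work_pending |= (ev & EV_SELFID) != 0;  /* self-ID complete queues bus_reset_work */
}

static void bus_reset_work(struct model_ohci *o)
{
    o->event &= ~EV_BUS_RESET;                 /* event serviced and cleared */
    if (o->fixed && (o->debug & OHCI_PARAM_DEBUG_BUSRESETS))
        o->mask |= EV_BUS_RESET;               /* re-arm logging for the next reset */
    o->work_pending = false;
}

/* Runs n bus resets. load_debug is the value at module load, runtime_debug the value in
   effect afterwards (sysfs). Returns resets logged, or -1 if the ISR never stops firing. */
int simulate_resets(int load_debug, int runtime_debug, bool fixed, int n)
{
    struct model_ohci o = { .mask = EV_SELFID, .debug = runtime_debug, .fixed = fixed };
    if (load_debug & OHCI_PARAM_DEBUG_BUSRESETS)
        o.mask |= EV_BUS_RESET;                /* unmasked during initialization */
    while (n-- > 0) {
        int calls = 0;
        o.event |= EV_BUS_RESET | EV_SELFID;   /* simplification: both arrive together */
        while (o.event & o.mask) {             /* level-triggered line still asserted */
            if (++calls > STORM_LIMIT)
                return -1;
            irq_handler(&o);
        }
        if (o.work_pending)
            bus_reset_work(&o);                /* bottom half runs once the line is quiet */
    }
    return o.logged;
}
```

In this model, simulate_resets(-1, -1, false, 1) returns -1 (the freeze seen with debug=-1), while simulate_resets(-1, -1, true, 2) returns 2. simulate_resets(0, 8, true, 2) returns 1, because a reset is first logged only after bus_reset_work has unmasked the interrupt.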
Potential Impact
For European organizations relying on Linux systems with FireWire OHCI drivers, this vulnerability primarily threatens system availability. Although FireWire usage has declined, certain industrial, multimedia, or legacy systems may still employ it. A system freeze caused by repeated bus reset interrupts can disrupt critical operations, leading to downtime and potential loss of productivity. Since exploitation requires high privileges (needed to set the debug parameter) and specific debug settings, the risk of widespread exploitation is limited. However, in environments where debugging is enabled or where attackers gain privileged access, this vulnerability could be leveraged to cause denial-of-service conditions. European sectors with legacy hardware or specialized equipment using FireWire interfaces (such as manufacturing, broadcasting, or research institutions) may be particularly affected. The vulnerability does not expose data or allow unauthorized code execution, limiting its impact to availability concerns.
Mitigation Recommendations
Organizations should ensure their Linux kernels are updated to versions containing the patch for CVE-2024-36950. Specifically, kernel maintainers have modified the FireWire OHCI driver to mask bus reset interrupts after logging them, preventing system freezes. Administrators should avoid enabling the OHCI_PARAM_DEBUG_BUSRESETS debug parameter unless necessary for troubleshooting, and if it is enabled, monitor systems closely for stability issues. Where FireWire is not in use, consider disabling the firewire_ohci module; where it is required, restrict loading of the module to trusted users. Additionally, implement strict privilege controls to prevent unauthorized users from modifying module parameters via sysfs. In environments with legacy hardware, evaluate the necessity of FireWire interfaces and plan for hardware upgrades or alternative connectivity solutions to reduce exposure. Regularly audit kernel versions and applied patches to maintain protection against known vulnerabilities.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Sweden, Finland, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-05-30T15:25:07.079Z
- Cisa Enriched: true
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 682cd0f71484d88663aeb096
Added to database: 5/20/2025, 6:59:03 PM
Last enriched: 7/4/2025, 12:26:28 PM
Last updated: 8/6/2025, 4:54:58 PM