CVE-2024-40927: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved: xhci: Handle TD clearing for multiple streams case When multiple streams are in use, multiple TDs might be in flight when an endpoint is stopped. We need to issue a Set TR Dequeue Pointer for each, to ensure everything is reset properly and the caches cleared. Change the logic so that any N>1 TDs found active for different streams are deferred until after the first one is processed, calling xhci_invalidate_cancelled_tds() again from xhci_handle_cmd_set_deq() to queue another command until we are done with all of them. Also change the error/"should never happen" paths to ensure we at least clear any affected TDs, even if we can't issue a command to clear the hardware cache, and complain loudly with an xhci_warn() if this ever happens. This problem case dates back to commit e9df17eb1408 ("USB: xhci: Correct assumptions about number of rings per endpoint.") early on in the XHCI driver's life, when stream support was first added. It was then identified but not fixed nor made into a warning in commit 674f8438c121 ("xhci: split handling halted endpoints into two steps"), which added a FIXME comment for the problem case (without materially changing the behavior as far as I can tell, though the new logic made the problem more obvious). Then later, in commit 94f339147fc3 ("xhci: Fix failure to give back some cached cancelled URBs."), it was acknowledged again. [Mathias: commit 94f339147fc3 ("xhci: Fix failure to give back some cached cancelled URBs.") was a targeted regression fix to the previously mentioned patch. Users reported issues with usb stuck after unmounting/disconnecting UAS devices. This rolled back the TD clearing of multiple streams to its original state.] Apparently the commit author was aware of the problem (yet still chose to submit it): It was still mentioned as a FIXME, an xhci_dbg() was added to log the problem condition, and the remaining issue was mentioned in the commit description. The choice of making the log type xhci_dbg() for what is, at this point, a completely unhandled and known broken condition is puzzling and unfortunate, as it guarantees that no actual users would see the log in production, thereby making it nigh undebuggable (indeed, even if you turn on DEBUG, the message doesn't really hint at there being a problem at all). It took me *months* of random xHC crashes to finally find a reliable repro and be able to do a deep dive debug session, which could all have been avoided had this unhandled, broken condition been actually reported with a warning, as it should have been as a bug intentionally left in unfixed (never mind that it shouldn't have been left in at all). > Another fix to solve clearing the caches of all stream rings with > cancelled TDs is needed, but not as urgent. 3 years after that statement and 14 years after the original bug was introduced, I think it's finally time to fix it. And maybe next time let's not leave bugs unfixed (that are actually worse than the original bug), and let's actually get people to review kernel commits please. Fixes xHC crashes and IOMMU faults with UAS devices when handling errors/faults. Easiest repro is to use `hdparm` to mark an early sector (e.g. 1024) on a disk as bad, then `cat /dev/sdX > /dev/null` in a loop. At least in the case of JMicron controllers, the read errors end up having to cancel two TDs (for two queued requests to different streams) and the one that didn't get cleared properly ends up faulting the xHC entirely when it tries to access DMA pages that have since been unmapped, referred to by the stale TDs. This normally happens quickly (after two or three loops). After this fix, I left the `cat` in a loop running overnight and experienced no xHC failures, with all read errors recovered properly. Repro'd and tested on an Apple M1 Mac Mini (dwc3 host). On systems without an IOMMU, this bug would instead silently corrupt freed memory, making this a ---truncated---
AI Analysis
Technical Summary
CVE-2024-40927 is a vulnerability in the Linux kernel's xHCI (Extensible Host Controller Interface) USB driver related to the handling of Transfer Descriptors (TDs) when multiple USB streams are active on an endpoint. The issue arises because when an endpoint is stopped, multiple TDs may still be in flight across different streams, and the driver must issue a Set TR Dequeue Pointer command for each TD to properly reset hardware caches and clear the state. The vulnerability stems from a long-standing bug dating back approximately 14 years, where the logic did not correctly handle multiple active TDs, leading to stale TDs remaining in hardware caches. This can cause the xHCI controller to access DMA pages that have been unmapped, resulting in crashes or faults. On systems without an IOMMU, this leads to silent memory corruption of freed memory, potentially causing system instability or arbitrary code execution. The bug was acknowledged in several kernel commits but left unfixed or only partially addressed, with debug logs suppressed, making it difficult to detect and diagnose. The fix involves changing the logic to defer processing of multiple TDs until all are cleared, ensuring proper cache invalidation and hardware state reset. The vulnerability can be reliably reproduced by inducing read errors on USB Attached SCSI (UAS) devices, such as marking disk sectors as bad and repeatedly reading them, which triggers cancellation of multiple TDs and exposes the flaw. The fix has been tested on hardware including Apple M1 Mac Mini with dwc3 host controllers, showing elimination of xHCI crashes and proper error recovery. This vulnerability affects Linux kernel versions from the commit where stream support was introduced and remains present until patched. It impacts systems using USB 3.x controllers with multiple streams, particularly those using UAS devices and certain USB controllers like JMicron. The vulnerability can cause system crashes, IOMMU faults, memory corruption, and potentially arbitrary code execution due to use-after-free conditions in kernel memory.
Potential Impact
For European organizations, this vulnerability poses a significant risk to the stability and security of Linux-based systems that utilize USB 3.x devices, especially those employing UAS for storage or other high-throughput USB peripherals. The impact includes potential system crashes leading to denial of service, data corruption, and in worst cases, exploitation of memory corruption to execute arbitrary code with kernel privileges. This could disrupt critical infrastructure, enterprise servers, and endpoint devices running Linux, which is widely used in European governments, research institutions, and businesses. Organizations relying on USB-attached storage or devices with multiple USB streams are particularly vulnerable. The vulnerability could be exploited locally or via malicious USB devices, or triggered by faulty hardware or software causing repeated USB errors. Given the widespread use of Linux in European data centers, cloud providers, and embedded systems, the vulnerability could affect a broad range of sectors including finance, healthcare, manufacturing, and public administration. The silent nature of memory corruption on systems without IOMMU complicates detection and remediation, increasing the risk of persistent compromise or data loss.
Mitigation Recommendations
1. Apply the official Linux kernel patch that addresses CVE-2024-40927 as soon as it is available and integrated into your distribution's kernel updates. 2. For organizations managing large fleets, prioritize patching systems that use USB 3.x controllers with UAS devices or multiple USB streams. 3. Implement strict USB device control policies to limit the use of untrusted or unknown USB devices, reducing the risk of triggering the vulnerability via malicious peripherals. 4. Enable and monitor kernel debug logs related to xHCI and USB errors to detect anomalous behavior indicative of this issue prior to patching. 5. Where possible, enable IOMMU support to mitigate the risk of memory corruption by isolating DMA accesses, although this is not a complete fix. 6. Conduct thorough testing of USB device error handling in controlled environments to identify potential triggers of the vulnerability. 7. Educate system administrators and security teams about this vulnerability to ensure rapid response and incident handling. 8. Consider using USB device whitelisting or endpoint security solutions that can detect or block abnormal USB traffic patterns associated with multiple stream TD cancellations.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland, Belgium
CVE-2024-40927: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved: xhci: Handle TD clearing for multiple streams case When multiple streams are in use, multiple TDs might be in flight when an endpoint is stopped. We need to issue a Set TR Dequeue Pointer for each, to ensure everything is reset properly and the caches cleared. Change the logic so that any N>1 TDs found active for different streams are deferred until after the first one is processed, calling xhci_invalidate_cancelled_tds() again from xhci_handle_cmd_set_deq() to queue another command until we are done with all of them. Also change the error/"should never happen" paths to ensure we at least clear any affected TDs, even if we can't issue a command to clear the hardware cache, and complain loudly with an xhci_warn() if this ever happens. This problem case dates back to commit e9df17eb1408 ("USB: xhci: Correct assumptions about number of rings per endpoint.") early on in the XHCI driver's life, when stream support was first added. It was then identified but not fixed nor made into a warning in commit 674f8438c121 ("xhci: split handling halted endpoints into two steps"), which added a FIXME comment for the problem case (without materially changing the behavior as far as I can tell, though the new logic made the problem more obvious). Then later, in commit 94f339147fc3 ("xhci: Fix failure to give back some cached cancelled URBs."), it was acknowledged again. [Mathias: commit 94f339147fc3 ("xhci: Fix failure to give back some cached cancelled URBs.") was a targeted regression fix to the previously mentioned patch. Users reported issues with usb stuck after unmounting/disconnecting UAS devices. This rolled back the TD clearing of multiple streams to its original state.] Apparently the commit author was aware of the problem (yet still chose to submit it): It was still mentioned as a FIXME, an xhci_dbg() was added to log the problem condition, and the remaining issue was mentioned in the commit description. The choice of making the log type xhci_dbg() for what is, at this point, a completely unhandled and known broken condition is puzzling and unfortunate, as it guarantees that no actual users would see the log in production, thereby making it nigh undebuggable (indeed, even if you turn on DEBUG, the message doesn't really hint at there being a problem at all). It took me *months* of random xHC crashes to finally find a reliable repro and be able to do a deep dive debug session, which could all have been avoided had this unhandled, broken condition been actually reported with a warning, as it should have been as a bug intentionally left in unfixed (never mind that it shouldn't have been left in at all). > Another fix to solve clearing the caches of all stream rings with > cancelled TDs is needed, but not as urgent. 3 years after that statement and 14 years after the original bug was introduced, I think it's finally time to fix it. And maybe next time let's not leave bugs unfixed (that are actually worse than the original bug), and let's actually get people to review kernel commits please. Fixes xHC crashes and IOMMU faults with UAS devices when handling errors/faults. Easiest repro is to use `hdparm` to mark an early sector (e.g. 1024) on a disk as bad, then `cat /dev/sdX > /dev/null` in a loop. At least in the case of JMicron controllers, the read errors end up having to cancel two TDs (for two queued requests to different streams) and the one that didn't get cleared properly ends up faulting the xHC entirely when it tries to access DMA pages that have since been unmapped, referred to by the stale TDs. This normally happens quickly (after two or three loops). After this fix, I left the `cat` in a loop running overnight and experienced no xHC failures, with all read errors recovered properly. Repro'd and tested on an Apple M1 Mac Mini (dwc3 host). On systems without an IOMMU, this bug would instead silently corrupt freed memory, making this a ---truncated---
AI-Powered Analysis
Technical Analysis
CVE-2024-40927 is a vulnerability in the Linux kernel's xHCI (Extensible Host Controller Interface) USB driver related to the handling of Transfer Descriptors (TDs) when multiple USB streams are active on an endpoint. The issue arises because when an endpoint is stopped, multiple TDs may still be in flight across different streams, and the driver must issue a Set TR Dequeue Pointer command for each TD to properly reset hardware caches and clear the state. The vulnerability stems from a long-standing bug dating back approximately 14 years, where the logic did not correctly handle multiple active TDs, leading to stale TDs remaining in hardware caches. This can cause the xHCI controller to access DMA pages that have been unmapped, resulting in crashes or faults. On systems without an IOMMU, this leads to silent memory corruption of freed memory, potentially causing system instability or arbitrary code execution. The bug was acknowledged in several kernel commits but left unfixed or only partially addressed, with debug logs suppressed, making it difficult to detect and diagnose. The fix involves changing the logic to defer processing of multiple TDs until all are cleared, ensuring proper cache invalidation and hardware state reset. The vulnerability can be reliably reproduced by inducing read errors on USB Attached SCSI (UAS) devices, such as marking disk sectors as bad and repeatedly reading them, which triggers cancellation of multiple TDs and exposes the flaw. The fix has been tested on hardware including Apple M1 Mac Mini with dwc3 host controllers, showing elimination of xHCI crashes and proper error recovery. This vulnerability affects Linux kernel versions from the commit where stream support was introduced and remains present until patched. It impacts systems using USB 3.x controllers with multiple streams, particularly those using UAS devices and certain USB controllers like JMicron. The vulnerability can cause system crashes, IOMMU faults, memory corruption, and potentially arbitrary code execution due to use-after-free conditions in kernel memory.
Potential Impact
For European organizations, this vulnerability poses a significant risk to the stability and security of Linux-based systems that utilize USB 3.x devices, especially those employing UAS for storage or other high-throughput USB peripherals. The impact includes potential system crashes leading to denial of service, data corruption, and in worst cases, exploitation of memory corruption to execute arbitrary code with kernel privileges. This could disrupt critical infrastructure, enterprise servers, and endpoint devices running Linux, which is widely used in European governments, research institutions, and businesses. Organizations relying on USB-attached storage or devices with multiple USB streams are particularly vulnerable. The vulnerability could be exploited locally or via malicious USB devices, or triggered by faulty hardware or software causing repeated USB errors. Given the widespread use of Linux in European data centers, cloud providers, and embedded systems, the vulnerability could affect a broad range of sectors including finance, healthcare, manufacturing, and public administration. The silent nature of memory corruption on systems without IOMMU complicates detection and remediation, increasing the risk of persistent compromise or data loss.
Mitigation Recommendations
1. Apply the official Linux kernel patch that addresses CVE-2024-40927 as soon as it is available and integrated into your distribution's kernel updates. 2. For organizations managing large fleets, prioritize patching systems that use USB 3.x controllers with UAS devices or multiple USB streams. 3. Implement strict USB device control policies to limit the use of untrusted or unknown USB devices, reducing the risk of triggering the vulnerability via malicious peripherals. 4. Enable and monitor kernel debug logs related to xHCI and USB errors to detect anomalous behavior indicative of this issue prior to patching. 5. Where possible, enable IOMMU support to mitigate the risk of memory corruption by isolating DMA accesses, although this is not a complete fix. 6. Conduct thorough testing of USB device error handling in controlled environments to identify potential triggers of the vulnerability. 7. Educate system administrators and security teams about this vulnerability to ensure rapid response and incident handling. 8. Consider using USB device whitelisting or endpoint security solutions that can detect or block abnormal USB traffic patterns associated with multiple stream TD cancellations.
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Linux
- Date Reserved
- 2024-07-12T12:17:45.583Z
- Cisa Enriched
- true
- Cvss Version
- null
- State
- PUBLISHED
Threat ID: 682d9827c4522896dcbe13e4
Added to database: 5/21/2025, 9:08:55 AM
Last enriched: 6/29/2025, 2:12:11 AM
Last updated: 8/15/2025, 7:04:27 PM
Views: 15
Related Threats
CVE-2025-53948: CWE-415 Double Free in Santesoft Sante PACS Server
HighCVE-2025-52584: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt
HighCVE-2025-46269: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt
HighCVE-2025-54862: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server
MediumCVE-2025-54759: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.