In the Linux kernel, the following vulnerability has been resolved:
usb: xhci: Check for xhci->interrupters being allocated in xhcimemclearup()
If xhcimeminit() fails, it calls into xhcimemcleanup() to mop up the damage. If it fails early enough, before xhci->interrupters is allocated but after xhci->maxinterrupters has been set, which happens in most (all?) cases, things get uglier, as xhcimem_cleanup() unconditionally derefences xhci->interrupters. With prejudice.
Gate the interrupt freeing loop with a check on xhci->interrupters being non-NULL.
Found while debugging a DMA allocation issue that led the XHCI driver on this exact path.
[ { "signature_type": "Line", "deprecated": false, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@dcdb52d948f3a17ccd3fce757d9bd981d7c32039", "signature_version": "v1", "target": { "file": "drivers/usb/host/xhci-mem.c" }, "digest": { "threshold": 0.9, "line_hashes": [ "270044312960083192166376075781682775640", "219438842430514541939330669177517706539", "51149530502100398821924097602795560423", "191108415903795924974810151675203211631" ] }, "id": "CVE-2024-45027-002bb0ae" }, { "signature_type": "Line", "deprecated": false, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@3efb29f6a78d4746f958c1ab6cd7981c5762f03b", "signature_version": "v1", "target": { "file": "drivers/usb/host/xhci-mem.c" }, "digest": { "threshold": 0.9, "line_hashes": [ "270044312960083192166376075781682775640", "219438842430514541939330669177517706539", "51149530502100398821924097602795560423", "191108415903795924974810151675203211631" ] }, "id": "CVE-2024-45027-412db1d8" }, { "signature_type": "Function", "deprecated": false, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@3efb29f6a78d4746f958c1ab6cd7981c5762f03b", "signature_version": "v1", "target": { "function": "xhci_mem_cleanup", "file": "drivers/usb/host/xhci-mem.c" }, "digest": { "function_hash": "128206838070738479443965937980028688469", "length": 2930.0 }, "id": "CVE-2024-45027-41fd12ef" }, { "signature_type": "Line", "deprecated": false, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@770cacc75b0091ece17349195d72133912c1ca7c", "signature_version": "v1", "target": { "file": "drivers/usb/host/xhci-mem.c" }, "digest": { "threshold": 0.9, "line_hashes": [ "270044312960083192166376075781682775640", "219438842430514541939330669177517706539", "51149530502100398821924097602795560423", "191108415903795924974810151675203211631" ] }, "id": "CVE-2024-45027-623c83e5" }, { "signature_type": "Function", "deprecated": false, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@770cacc75b0091ece17349195d72133912c1ca7c", "signature_version": "v1", "target": { "function": "xhci_mem_cleanup", "file": "drivers/usb/host/xhci-mem.c" }, "digest": { "function_hash": "295353154782053523457577276018416631818", "length": 2870.0 }, "id": "CVE-2024-45027-9fc4a351" }, { "signature_type": "Function", "deprecated": false, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@dcdb52d948f3a17ccd3fce757d9bd981d7c32039", "signature_version": "v1", "target": { "function": "xhci_mem_cleanup", "file": "drivers/usb/host/xhci-mem.c" }, "digest": { "function_hash": "295353154782053523457577276018416631818", "length": 2870.0 }, "id": "CVE-2024-45027-cf1d1804" } ]