CVE-2024-26934 Overview
CVE-2024-26934 is a deadlock vulnerability in the Linux kernel's USB core subsystem, specifically in the usb_deauthorize_interface() function located in drivers/usb/core/sysfs.c. This vulnerability occurs due to improper locking mechanisms when handling USB interface authorization through sysfs attribute callbacks, creating a race condition that can lead to system deadlocks.
The vulnerability manifests when the interface_authorized_store() function acquires a device lock on an ancestor device by calling usb_deauthorize_interface(), which locks the interface's parent USB device. If another process already owns that lock and attempts to remove the interface (through configuration changes or device disconnection), a deadlock occurs because device_del() waits for all ongoing sysfs attribute callbacks to complete, while usb_deauthorize_interface() cannot complete until the device lock is released.
Critical Impact
Local attackers with low privileges can trigger system deadlock conditions by manipulating USB interface authorization states, potentially causing denial of service on affected Linux systems.
Affected Products
- Linux Kernel (multiple versions)
- Linux Kernel 6.9-r1
- Systems using USB core subsystem with sysfs interface authorization
Discovery Timeline
- May 1, 2024 - CVE-2024-26934 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2024-26934
Vulnerability Analysis
This deadlock vulnerability (CWE-667: Improper Locking) resides in the USB core's sysfs attribute handling code. The interface_authorized_store() function is unique among the attribute file callback routines in that it acquires a device lock on an ancestor device rather than the immediate device being operated upon.
The problematic code path involves the following sequence: when a user writes to the authorized sysfs attribute of a USB interface, the interface_authorized_store() callback invokes usb_deauthorize_interface(). This function then attempts to acquire a lock on the interface's parent USB device. The fundamental issue is that this locking pattern creates a circular dependency when device removal is initiated.
During the removal procedure, device_del() blocks waiting for all ongoing sysfs attribute callbacks to complete before proceeding. However, if usb_deauthorize_interface() is mid-execution and waiting for the device lock (which is held by the removal process), neither operation can complete, resulting in a deadlock.
Root Cause
The root cause is the absence of proper lock protection mechanisms in the sysfs attribute callback. The kernel provides sysfs_break_active_protection() specifically to prevent this class of deadlock by informing sysfs that it should not wait for the attribute callback to complete. The vulnerable code failed to utilize this mechanism, allowing the circular lock dependency to form.
The fix implements sysfs_break_active_protection() to break the deadlock cycle by telling sysfs not to wait for the attribute callback when device removal is in progress.
Attack Vector
This is a local attack vector requiring low privileges. An attacker with access to the USB sysfs interface can trigger the deadlock through the following mechanism:
The exploitation involves racing two operations: writing to /sys/bus/usb/devices/<device>/interface_authorized while simultaneously triggering a USB device disconnection or configuration change. The attacker must be able to access USB sysfs attributes, which typically requires local access to the system. When the race condition is won, the system enters a deadlock state where the affected processes become unresponsive, potentially requiring a system reboot to recover.
The vulnerability was reported and tested by Yue Sun (samsun1006219@gmail.com) and also reported by xingwei lee (xrivendell7@gmail.com).
Detection Methods for CVE-2024-26934
Indicators of Compromise
- System processes becoming unresponsive when USB devices are connected or disconnected
- Kernel log messages indicating lock contention in USB subsystem code paths
- Hung tasks related to usb_deauthorize_interface or interface_authorized_store functions
- System hangs occurring during USB device enumeration or removal operations
Detection Strategies
- Monitor for hung task warnings in kernel logs mentioning USB sysfs or interface authorization
- Implement system watchdog mechanisms to detect and alert on potential deadlock conditions
- Use kernel lockdep (lock dependency validator) to identify potential deadlock scenarios during testing
- Review system logs for unusual patterns of USB-related process stalls
Monitoring Recommendations
- Configure kernel hung task detection with appropriate timeout thresholds
- Enable lockdep debugging in development and testing environments to catch lock ordering violations
- Monitor system resource utilization for signs of process starvation
- Implement automated alerting for kernel panic or soft lockup conditions
How to Mitigate CVE-2024-26934
Immediate Actions Required
- Update the Linux kernel to a patched version that includes the deadlock fix
- On systems where immediate patching is not possible, restrict access to USB sysfs interface authorization attributes
- Monitor systems for signs of deadlock conditions and prepare for potential service restarts
- Review and audit any automation scripts that interact with USB sysfs attributes
Patch Information
The Linux kernel maintainers have released patches addressing this vulnerability across multiple stable kernel branches. The fix implements sysfs_break_active_protection() to prevent the deadlock scenario. The following kernel commits contain the fix:
- Linux Kernel Commit 07acf97
- Linux Kernel Commit 122a06f
- Linux Kernel Commit 12d6a56
- Linux Kernel Commit 1b175bc
- Linux Kernel Commit 80ba43e
Additional distribution-specific advisories have been released by Debian LTS (2024-06-17) and Debian LTS (2024-06-20).
Workarounds
- Restrict access to USB sysfs attributes by modifying udev rules to limit permissions on /sys/bus/usb/devices/*/authorized files
- Implement process isolation for services that interact with USB devices to contain potential deadlock impacts
- Use SELinux or AppArmor policies to restrict which processes can write to USB authorization attributes
- Consider disabling USB hotplug functionality on critical systems where it is not required
# Restrict USB interface authorization sysfs access
# Add to /etc/udev/rules.d/99-usb-security.rules
SUBSYSTEM=="usb", ATTR{authorized}=="*", MODE="0644", GROUP="root"
# Alternatively, use chmod to restrict access (temporary)
chmod 600 /sys/bus/usb/devices/*/authorized
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
