CVE-2024-36950 in Linux
Summary
by MITRE • 05/30/2024
In the Linux kernel, the following vulnerability has been resolved:
firewire: ohci: mask bus reset interrupts between ISR and bottom half
In the FireWire OHCI interrupt handler, if a bus reset interrupt has occurred, mask bus reset interrupts until bus_reset_work has serviced and cleared the interrupt.
Normally, we always leave bus reset interrupts masked. We infer the bus reset from the self-ID interrupt that happens shortly thereafter. A scenario where we unmask bus reset interrupts was introduced in 2008 in a007bb857e0b26f5d8b73c2ff90782d9c0972620: If OHCI_PARAM_DEBUG_BUSRESETS (8) is set in the debug parameter bitmask, we will unmask bus reset interrupts so we can log them.
irq_handler logs the bus reset interrupt. However, we can't clear the bus reset event flag in irq_handler, because we won't service the event until later. irq_handler exits with the event flag still set. If the corresponding interrupt is still unmasked, the first bus reset will usually freeze the system due to irq_handler being called again each time it exits. This freeze can be reproduced by loading firewire_ohci with "modprobe firewire_ohci debug=-1" (to enable all debugging output). Apparently there are also some cases where bus_reset_work will get called soon enough to clear the event, and operation will continue normally.
This freeze was first reported a few months after a007bb85 was committed, but until now it was never fixed. The debug level could safely be set to -1 through sysfs after the module was loaded, but this would be ineffectual in logging bus reset interrupts since they were only unmasked during initialization.
irq_handler will now leave the event flag set but mask bus reset interrupts, so irq_handler won't be called again and there will be no freeze. If OHCI_PARAM_DEBUG_BUSRESETS is enabled, bus_reset_work will unmask the interrupt after servicing the event, so future interrupts will be caught as desired.
As a side effect to this change, OHCI_PARAM_DEBUG_BUSRESETS can now be enabled through sysfs in addition to during initial module loading. However, when enabled through sysfs, logging of bus reset interrupts will be effective only starting with the second bus reset, after bus_reset_work has executed.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 12/17/2025
The vulnerability described in CVE-2024-36950 resides within the Linux kernel's FireWire OHCI (Open Host Controller Interface) driver implementation, specifically addressing an interrupt handling flaw that could lead to system freezes. This issue affects the firewire_ohci module which manages FireWire bus operations through OHCI-compliant controllers. The vulnerability manifests when bus reset interrupts are improperly managed during the interrupt service routine execution, creating a condition where the system becomes unresponsive due to recursive interrupt handling.
The technical flaw stems from a design change introduced in 2008 through commit a007bb857e0b26f5d8b73c2ff90782d9c0972620, which allowed bus reset interrupts to be unmasked when the OHCI_PARAM_DEBUG_BUSRESETS parameter was enabled in the debug bitmask. During normal operation, the system maintains bus reset interrupts in a masked state, inferring bus reset events from subsequent self-ID interrupts. However, when debugging is enabled, the interrupt handling logic creates a race condition where the irq_handler function logs the bus reset interrupt but cannot clear the event flag immediately. This leaves the interrupt flag set while the interrupt remains unmasked, causing the interrupt handler to be invoked repeatedly upon each exit, ultimately leading to system freeze.
This vulnerability directly relates to CWE-129, which describes improper validation of array indices, and CWE-362, concerning concurrent execution of potentially conflicting threads or processes. The flaw also maps to ATT&CK technique T1059.003, where adversaries might exploit such interrupt handling issues to create system instability or denial of service conditions. The interrupt handling mechanism fails to properly synchronize the interrupt state between the top half (irq_handler) and bottom half (bus_reset_work) of the interrupt processing, creating a dangerous condition where interrupt masking and unmasking operations are not properly coordinated.
The operational impact of this vulnerability is significant for systems utilizing FireWire hardware, particularly those running Linux kernels with the firewire_ohci module. When the debug parameter is enabled through module loading with "modprobe firewire_ohci debug=-1", the system becomes vulnerable to immediate freeze upon the first bus reset event. The freeze occurs because the interrupt handler continuously re-enters without proper clearing of the interrupt condition, effectively locking up the system's interrupt processing mechanism. This issue affects both the stability of the operating system and the reliability of FireWire device operations, potentially causing data loss or system crashes during normal device usage scenarios.
The fix implemented addresses the core synchronization issue by modifying the interrupt handling flow so that irq_handler leaves the event flag set while properly masking bus reset interrupts, preventing the recursive invocation that leads to system freeze. The solution ensures that bus_reset_work function handles the interrupt clearing and can unmask the interrupt only after processing the event, maintaining proper separation between interrupt handling phases. This change also enables the OHCI_PARAM_DEBUG_BUSRESETS parameter to be effectively configured through sysfs after module loading, rather than being limited to initialization time. However, the debugging capability will only become effective starting from the second bus reset event after bus_reset_work has executed, as the first interrupt processing cycle requires the proper interrupt state management to be established.
The mitigation approach follows best practices for interrupt handling in kernel space by ensuring proper state management between interrupt context and bottom half processing. This fix aligns with kernel security guidelines that emphasize preventing recursive interrupt handling and maintaining system stability under all operational conditions. The solution maintains backward compatibility while eliminating the freeze condition, ensuring that FireWire systems can operate reliably with debugging capabilities enabled through sysfs without risking system instability. The implementation demonstrates proper kernel development practices for managing interrupt state transitions and handling edge cases in hardware driver development, particularly in scenarios involving debugging parameters that modify interrupt behavior.