CVE-2024-27059

Updated: 2025-01-14 12:51:57.186315

Description:

In the Linux kernel, the following vulnerability has been resolved: USB: usb-storage: Prevent divide-by-0 error in isd200_ata_command The isd200 sub-driver in usb-storage uses the HEADS and SECTORS values in the ATA ID information to calculate cylinder and head values when creating a CDB for READ or WRITE commands. The calculation involves division and modulus operations, which will cause a crash if either of these values is 0. While this never happens with a genuine device, it could happen with a flawed or subversive emulation, as reported by the syzbot fuzzer. Protect against this possibility by refusing to bind to the device if either the ATA_ID_HEADS or ATA_ID_SECTORS value in the device's ID information is 0. This requires isd200_Initialization() to return a negative error code when initialization fails; currently it always returns 0 (even when there is an error).


Links NIST CIRCL RHEL Ubuntu

Severity

Severity Score
CVSS Version 2.x 0
CVSS Version 3.x MEDIUM 5.5

Status

OS name Project name Version Score Severity Status Errata Last updated

Statement
AlmaLinux 9.2 ESU kernel 5.14.0 5.5 MEDIUM Released CLSA-2025:1743193221 2024-08-01 14:33:14
CentOS 6 ELS kernel 2.6.32 5.5 MEDIUM Ignored 2024-06-24 10:10:12
CentOS 7 ELS kernel 3.10.0 5.5 MEDIUM Ignored 2024-06-24 11:20:11
CentOS 8.4 ELS kernel 4.18.0 5.5 MEDIUM Ignored 2024-06-24 11:20:11
CentOS 8.5 ELS kernel 4.18.0 5.5 MEDIUM Ignored 2024-06-24 11:20:11
CentOS Stream 8 ELS kernel 4.18.0 5.5 MEDIUM Already Fixed 2024-06-09 14:18:42
CloudLinux 6 ELS kernel 2.6.32 5.5 MEDIUM Ignored 2024-06-24 10:10:09
CloudLinux 7 ELS kernel 3.10.0 5.5 MEDIUM Ignored 2025-01-16 04:37:55
Oracle Linux 6 ELS kernel 2.6.32 5.5 MEDIUM Ignored 2024-06-24 10:10:09
Oracle Linux 7 ELS kernel 3.10.0 5.5 MEDIUM Ignored 2025-01-16 04:37:55
Total: 14