
Preface: DWC3 is a Synopsys IP block providing a SuperSpeed USB 3.0 controller. This Synopsys DesignWare USB3 controller IP has proved to be very popular and is used in platforms ranging from various Arm SoCs from Samsung and TI to Qualcomm platforms. DWC3 is also used by various platforms from both Intel and AMD.
Background:
EN_ENDXFER_ON_RJCT_STRM: Enable bit for the new reject stream flow. On receiving a reject stream (FFFF) on the USB side, the controller notifies the application SW with STREAMEVT_NOTFOUND with the stream ID set to FFFF. On decoding this event, the application SW needs to issue an ENDXFER command, which flushes all FIFOs.
Until an ENDXFER is issued, any stream packet received (on USB) will not lead to a search of the available streams in the cache or to the release of an ERDY. The controller writes STREAM_NOT_FOUND events until ENDXFER completion.
– 0: Feature disabled. No reject status is reported to the application SW.
– 1: Feature enabled. Reject status is reported on receiving a reject stream (on USB). On decoding this event, the application SW needs to issue an ENDXFER.
Note: By default, this bit is set to 0.
Vulnerability details: usb: dwc3: Wait unconditionally after issuing EndXfer command
Currently all controller IP/revisions except DWC3_usb3 >= 310a wait 1ms unconditionally for ENDXFER completion when IOC is not set.
Severity: Critical
Official announcement: For details, please refer to the link – https://www.tenable.com/cve/CVE-2024-36977