Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A vulnerability in the Linux kernel's AQC111 USB driver has been identified, involving multiple out-of-bounds accesses in the RX fixup function. These accesses can be triggered by a malicious or defective USB device, leading to out-of-bounds reads and, on big-endian systems, out-of-bounds endianness flips. The vulnerability allows a packet to overlap the metadata array, causing data corruption in a cloned SKB that has already been processed by the network stack. Additionally, a crafted packet SKB can extend beyond its allocated tail, exposing out-of-bounds heap data as if it were part of the SKB's data.
Exploitation of this vulnerability causes out-of-bounds reads, out-of-bounds endianness flips, and corruption of SKB data in the network stack.
The vulnerability can be reproduced by using a malicious or defective USB device that triggers the AQC111 RX fixup function. This can be tested with a different driver, such as AX88179_178A, by simulating the conditions that cause the out-of-bounds accesses.
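The class of check that closes the accesses described above, as an added userspace example (not the kernel driver's code or its fix). The frame layout is a simplified assumption, not the AQC111 wire format: an 8-byte trailer holding `pkt_count` and `desc_offset`, a metadata array of 32-bit packet lengths, and packets packed from offset 0 with 8-byte alignment. All names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>

#define TRAILER_LEN 8u      /* assumed layout: u32 pkt_count, u32 desc_offset */
#define DESC_LEN    4u      /* assumed layout: one u32 length per packet */
#define MAX_FRAME   65536u  /* assumed upper bound on one RX buffer */

/* Bytewise little-endian read: no in-place byte swap of device data. */
static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Returns the packet count, or -1 if a device-supplied length or offset
 * leaves the region it is allowed to describe. */
static int rx_validate(const uint8_t *buf, size_t len)
{
    if (len < TRAILER_LEN || len > MAX_FRAME)
        return -1;
    size_t body = len - TRAILER_LEN;              /* bytes before the trailer */
    uint32_t count = rd_le32(buf + body);
    uint32_t desc_off = rd_le32(buf + body + 4);

    /* Metadata array must fit in [desc_off, body); division avoids overflow. */
    if (desc_off > body || count > (body - desc_off) / DESC_LEN)
        return -1;

    size_t pkt_off = 0;
    for (uint32_t i = 0; i < count; i++) {
        uint32_t pkt_len = rd_le32(buf + desc_off + (size_t)i * DESC_LEN);
        /* Packet must end before the metadata array, hence inside the buffer. */
        if (pkt_off > desc_off || pkt_len == 0 || pkt_len > desc_off - pkt_off)
            return -1;
        pkt_off += ((size_t)pkt_len + 7) & ~(size_t)7;  /* 8-byte aligned */
    }
    return (int)count;
}

/* Constructed 32-byte sample frame; the caller picks the untrusted fields. */
static int check_sample(uint8_t pkt_len, uint8_t desc_off, uint8_t count)
{
    uint8_t f[32] = {0};
    if (desc_off < 24)
        f[desc_off] = pkt_len;  /* low byte of the first descriptor */
    f[24] = count;              /* trailer: pkt_count */
    f[28] = desc_off;           /* trailer: desc_offset */
    return rx_validate(f, sizeof f);
}
```

Rejecting the whole frame before any packet is handed onward means no clone ever shares bytes with the metadata array, and no packet length is trusted past the buffer's end.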