Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*, +4 more
A vulnerability in the Linux kernel's ath9k wireless driver allows a malicious USB device to improperly modify attributes of ENDPOINT0, which is reserved for the HTC_CTRL_RSVD_SVC. This issue arises because the driver did not correctly validate service connection responses, allowing unauthorized changes to a protected endpoint. The vulnerability has been addressed by rejecting such improper service connection responses.
Exploitation of this vulnerability could lead to improper handling of USB service connections, potentially allowing for unauthorized modifications to reserved endpoint attributes.
The vulnerability can be reproduced by sending a service connection response from a USB device that targets ENDPOINT0 with an invalid service connection message. This can be automated using the Syzkaller fuzzer, which is designed to discover such vulnerabilities by sending crafted messages that exploit the driver's lack of proper endpoint validation.
Users can upgrade to the latest stable version of the Linux kernel to address this vulnerability. The specific commit that resolves the issue is 061b0cb9327b80d7a0f63a33e7c3e2a91a71f142.
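The validation described above, as an added example: a simplified user-space model, not the kernel driver's code and not the referenced commit. The struct layouts, `EP_MAX`, the numeric service ids and the "before" check are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified model, not the driver's code. All values are constructed. */
enum { ENDPOINT0 = 0, EP_MAX = 8 };   /* EP_MAX: assumed table size */
#define CTRL_RSVD_SVC 0x0001u         /* stand-in id for HTC_CTRL_RSVD_SVC */

struct endpoint { uint16_t service_id; uint16_t max_msglen; };
/* Every field below is chosen by the USB device; status 0 means success here. */
struct conn_rsp { uint16_t service_id; uint8_t status; uint8_t endpoint_id; uint16_t max_msglen; };

static void table_init(struct endpoint *eps)
{
    memset(eps, 0, EP_MAX * sizeof(*eps));
    eps[ENDPOINT0] = (struct endpoint){ CTRL_RSVD_SVC, 64 };  /* reserved at setup */
}

static void attach(struct endpoint *eps, const struct conn_rsp *r)
{
    eps[r->endpoint_id] = (struct endpoint){ r->service_id, r->max_msglen };
}

/* Before (assumed): upper bound only, so a response can rewrite endpoint 0. */
static bool handle_rsp_lax(struct endpoint *eps, const struct conn_rsp *r)
{
    if (r->status != 0 || r->endpoint_id >= EP_MAX)
        return false;
    attach(eps, r);
    return true;
}

/* After: also reject ENDPOINT0, which already belongs to the control service. */
static bool handle_rsp_strict(struct endpoint *eps, const struct conn_rsp *r)
{
    if (r->status != 0 || r->endpoint_id == ENDPOINT0 || r->endpoint_id >= EP_MAX)
        return false;
    attach(eps, r);
    return true;
}

int main(void)
{
    struct endpoint eps[EP_MAX];
    struct conn_rsp rsp = { 0x0300, 0, ENDPOINT0, 4096 };  /* constructed response */
    table_init(eps);
    printf("strict accepted=%d\n", handle_rsp_strict(eps, &rsp));
    printf("lax accepted=%d\n", handle_rsp_lax(eps, &rsp));
    return 0;
}
```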