Linux Kernel cdc_ncm Component dwNtbOutMaxSize Value Vulnerability Causes Denial-of-Service

Vulnerability

A denial-of-service vulnerability has been identified in the Linux kernel's cdc_ncm component. The issue arises when the dwNtbOutMaxSize parameter is set too low, leading to memory allocation problems. Specifically, if dwNtbOutMaxSize is greater than zero but lower than the calculated minimum value, the driver sets the transmission maximum incorrectly and the memory it allocates is misaligned. The allocated space for CDC data is then insufficient, and the resulting buffer overflow can cause a kernel panic.
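The following is an added example, not code from the Linux kernel or from this advisory. It models the size check described above in plain user-space C: a "weak" selection that trusts any non-zero dwNtbOutMaxSize, beside a hardened selection that clamps the advertised value to at least the minimum NTB16 size the driver needs for its headers. The NTH16/NDP16/DPE16 header sizes are the fixed sizes from the USB CDC NCM specification; the default transmit maximum, the datagram count and the 4-byte rounding are constructed assumptions for the model, not the kernel's actual values.

```c
#include <stdint.h>
#include <stdio.h>

/* Fixed NCM16 header sizes (USB CDC NCM 1.0): transfer header, datagram
 * pointer table header, and one datagram pointer entry. */
#define NTH16_SIZE 12u
#define NDP16_SIZE 8u
#define DPE16_SIZE 4u

/* Hypothetical default transmit NTB size used when the device gives none
 * (assumption for this model, not the kernel's constant). */
#define NTB_MAX_SIZE_TX_DEFAULT 32768u

/* Smallest NTB that can hold the headers for max_datagrams datagrams plus
 * the terminating null pointer entry. */
static uint32_t ntb_min_size(uint32_t max_datagrams)
{
    return NTH16_SIZE + NDP16_SIZE + (max_datagrams + 1u) * DPE16_SIZE;
}

/* Weak selection, modelling the flaw: a non-zero advertised value is used
 * as the transmit maximum without checking it against the minimum. */
static uint32_t tx_max_weak(uint32_t dwNtbOutMaxSize, uint32_t max_datagrams)
{
    (void)max_datagrams;
    return dwNtbOutMaxSize ? dwNtbOutMaxSize : NTB_MAX_SIZE_TX_DEFAULT;
}

/* Hardened selection: never go below the computed minimum, never above the
 * driver default, and keep the size a multiple of 4 so the NDP stays aligned
 * (alignment rule is a modelling assumption). */
static uint32_t tx_max_hardened(uint32_t dwNtbOutMaxSize, uint32_t max_datagrams)
{
    uint32_t min = ntb_min_size(max_datagrams);
    uint32_t max = dwNtbOutMaxSize ? dwNtbOutMaxSize : NTB_MAX_SIZE_TX_DEFAULT;

    if (max > NTB_MAX_SIZE_TX_DEFAULT)
        max = NTB_MAX_SIZE_TX_DEFAULT;
    if (max < min)
        max = min;
    return (max + 3u) & ~3u;
}

/* Returns 1 if a frame carrying the headers for max_datagrams datagrams plus
 * payload bytes fits in a buffer of tx_max bytes, 0 if it would overflow. */
static int frame_fits(uint32_t tx_max, uint32_t max_datagrams, uint32_t payload)
{
    return ntb_min_size(max_datagrams) + payload <= tx_max;
}

int main(void)
{
    /* Constructed device value: non-zero but below the header minimum. */
    uint32_t advertised = 16;
    uint32_t datagrams = 1;

    uint32_t weak = tx_max_weak(advertised, datagrams);
    uint32_t hard = tx_max_hardened(advertised, datagrams);

    printf("minimum NTB size for %u datagram(s): %u\n", datagrams, ntb_min_size(datagrams));
    printf("weak tx_max = %u, headers fit: %s\n", weak, frame_fits(weak, datagrams, 0) ? "yes" : "NO");
    printf("hardened tx_max = %u, headers fit: %s\n", hard, frame_fits(hard, datagrams, 0) ? "yes" : "NO");
    return 0;
}
```

With the constructed value of 16, the weak path hands the driver a 16-byte transmit buffer that cannot even hold the 28 bytes of NTB headers, which is the condition the advisory describes; the hardened path raises it to the minimum instead.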

Impact

The vulnerability causes a kernel panic, disrupting system operations and potentially leading to a crash.

Reproduction

The vulnerability can be reproduced by configuring a device to use the cdc_ncm driver and setting the dwNtbOutMaxSize parameter to a value that is low but greater than zero. This misconfiguration triggers the issue by causing the driver to allocate insufficient memory for data transmission. The effect is exacerbated by adding elements to the SKB header that increase its size, further reducing the space left for CDC data.

Remediation

Users can update to the latest version of the Linux kernel where this vulnerability has been addressed. Instructions for updating the kernel can be found in the official Linux documentation.

Added: Oct 7, 2025, 5:10 PM
Updated: Oct 7, 2025, 5:10 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 5.7
remediation: 7.7
relevance: 0.7
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.