Linux Kernel USB Usbtmc Driver Direction Mismanagement Vulnerability for 0-Length Ioctl Control Messages

A vulnerability has been identified in the Linux kernel USB Test & Measurement Class (USBTMC) driver. When a user sends an ioctl request for a control transfer of zero length, the driver fails to verify that the direction is correctly set to OUT. This oversight can lead to a mismatch between the control direction and the expected request type, potentially causing issues in USB communication.

Impact

The vulnerability can cause improper handling of USB control messages, leading to control direction errors that may disrupt normal USB operations.

Reproduction

The vulnerability can be reproduced by sending an ioctl request with a 0-length control transfer to the USBTMC driver. This can be done using a fuzzer like syzbot, which has already identified and reported this issue. The control message will be processed incorrectly, generating a warning about the bogus control direction.

Remediation

Users can upgrade to the latest version of the Linux kernel, where this vulnerability has been addressed. Instructions for downloading the patched version are available on the official Linux kernel website.