Linux Kernel USB CDC-ACM Out-of-Bounds Write Vulnerability
Vulnerability
A vulnerability in the Linux kernel's USB CDC-ACM driver (drivers/usb/class/cdc-acm.c) allows out-of-bounds writes into kernel heap memory. The driver reassembles notifications that the device delivers across several interrupt transfers, and it computes the expected total size from the wLength field of the 8-byte notification header. It did not check that the first fragment actually contains a complete header before reading that field, so a first fragment shorter than the header causes wLength to be read from stale bytes of the transfer buffer beyond the data that was received. The expected size derived this way can differ from the one later read from the partially filled reassembly buffer; once the expected size drops below the number of bytes already reassembled, the remaining-length calculation wraps around and the next fragment is copied past the end of the allocated notification buffer. The flaw dates back to the introduction of fragmented notification reassembly in kernel 4.12, although according to the report it only recently began to cause memory corruption. Exploitation requires a malicious or emulated USB device that sends carefully crafted fragmented notifications; the interrupt transfer that receives them is only active while the ACM device file is open, which ModemManager does automatically when it probes a newly attached modem, so no user interaction is needed on such systems.
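The following C program is an added example, not the driver's code and not the Project Zero reproducer. It models the reassembly logic of the driver's interrupt completion handler in user space, with the pre-fix control flow on one side and the header-length check of the fix on the other, and replays a constructed sequence of interrupt transfers against both. The 16-byte transfer buffer size, the transfer sequence and the result codes are assumptions made for the model; the only deliberate difference from the kernel logic is that the copy is bounds-checked so the model reports the overflow instead of corrupting its own heap.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CDC_NOTIF_HDR 8   /* sizeof(struct usb_cdc_notification); wLength is at offset 6 */
#define CTRLSIZE      16  /* interrupt endpoint packet size assumed for this model */

enum acm_result {
    ACM_COMPLETE,   /* notification complete, acm_process_notification() would run */
    ACM_FRAGMENT,   /* partial notification stored, waiting for more fragments */
    ACM_TOO_SHORT,  /* patched driver: first fragment shorter than the header, discarded */
    ACM_OOB_WRITE,  /* unpatched driver: the memcpy would run past nb_size */
    ACM_ALLOC_FAIL
};

struct acm_model {
    uint8_t transfer_buffer[CTRLSIZE]; /* URB buffer: bytes past actual_length are stale */
    uint8_t *notification_buffer;      /* reassembly buffer, freed only on disconnect */
    unsigned int nb_size;
    unsigned int nb_index;
};

static unsigned int roundup_pow_of_two(unsigned int n)
{
    unsigned int p = 1;
    while (p < n)
        p <<= 1;
    return p;
}

static unsigned int umin(unsigned int a, unsigned int b) { return a < b ? a : b; }
static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* One completion of the interrupt URB. fixed=0 follows the pre-fix control flow,
 * fixed=1 adds the header-length check that the fix introduces. */
static enum acm_result acm_ctrl_irq_model(struct acm_model *acm, const uint8_t *data,
                                          unsigned int actual_length, int fixed)
{
    unsigned int current_size, expected_size, copy_size, alloc_size;
    const uint8_t *dr;

    if (actual_length > CTRLSIZE)
        actual_length = CTRLSIZE;
    current_size = actual_length;
    /* The controller writes only actual_length bytes; the tail keeps old data. */
    memcpy(acm->transfer_buffer, data, actual_length);
    dr = acm->transfer_buffer;

    if (acm->nb_index == 0) {
        /* Fix: without a full header there is no valid wLength to read. */
        if (fixed && current_size < CDC_NOTIF_HDR)
            return ACM_TOO_SHORT;
    } else {
        dr = acm->notification_buffer;
    }

    /* Unpatched, this reads wLength from stale bytes when actual_length < 8. */
    expected_size = CDC_NOTIF_HDR + le16(dr + 6);
    if (current_size < expected_size) {
        /* notification is transmitted fragmented, reassemble */
        if (acm->nb_size < expected_size) {
            alloc_size = roundup_pow_of_two(expected_size);
            uint8_t *nb = realloc(acm->notification_buffer, alloc_size);
            if (!nb) {
                acm->nb_index = 0;
                return ACM_ALLOC_FAIL;
            }
            memset(nb + acm->nb_size, 0, alloc_size - acm->nb_size); /* krealloc would not */
            acm->notification_buffer = nb;
            acm->nb_size = alloc_size;
        }
        /* Wraps when wLength in the reassembly buffer now yields expected_size < nb_index. */
        copy_size = umin(current_size, expected_size - acm->nb_index);
        if (acm->nb_index + copy_size > acm->nb_size)
            return ACM_OOB_WRITE; /* this is the memcpy KASAN flags in the real driver */
        memcpy(acm->notification_buffer + acm->nb_index, acm->transfer_buffer, copy_size);
        acm->nb_index += copy_size;
        current_size = acm->nb_index;
    }
    if (current_size >= expected_size) {
        acm->nb_index = 0;
        return ACM_COMPLETE;
    }
    return ACM_FRAGMENT;
}

/* Constructed transfer sequence (an assumption for this model, not the report's data). */
static const uint8_t prime1[8] = {0xA1, 0x20, 0, 0, 0, 0, 0x04, 0}; /* header, wLength=4 */
static const uint8_t prime2[4] = {0x03, 0, 0, 0};                   /* payload: seeds the reassembly buffer */
static const uint8_t stale[16] = {0xA1, 0x20, 0, 0, 0, 0, 0x08, 0, 1, 2, 3, 4, 5, 6, 7, 8}; /* leaves wLength=8 in the URB buffer */
static const uint8_t frag1[1]  = {0xA1};                            /* first fragment without a header */
static const uint8_t frag2[10] = {0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0x01, 0x00, 0x00, 0xAA, 0xAA}; /* bytes 5-6 land on wLength at nb_index 1 */
static const uint8_t frag3[8]  = {0xA1, 0x20, 0, 0, 0, 0, 0, 0};

static const struct { const uint8_t *data; unsigned int len; } urbs[] = {
    {prime1, 8}, {prime2, 4}, {stale, 16}, {frag1, 1}, {frag2, 10}, {frag3, 8}
};
#define NURBS (sizeof(urbs) / sizeof(urbs[0]))

/* Replay transfers 0..upto against a fresh model and return the result of the last one. */
static enum acm_result replay(int fixed, unsigned int upto)
{
    struct acm_model acm = {{0}, NULL, 0, 0};
    enum acm_result r = ACM_COMPLETE;
    for (unsigned int i = 0; i <= upto && i < NURBS; i++)
        r = acm_ctrl_irq_model(&acm, urbs[i].data, urbs[i].len, fixed);
    free(acm.notification_buffer);
    return r;
}

int main(void)
{
    static const char *names[] = {"COMPLETE", "FRAGMENT", "TOO_SHORT", "OOB_WRITE", "ALLOC_FAIL"};
    for (unsigned int i = 0; i < NURBS; i++)
        printf("urb %u: unpatched=%s patched=%s\n", i, names[replay(0, i)], names[replay(1, i)]);
    return 0;
}
```

In the unpatched replay the 1-byte fragment is accepted because wLength is read from the stale byte pair left by the previous complete notification (expected size 16); the 10-byte fragment is copied starting at offset 1 and so rewrites the wLength field inside the reassembly buffer to 1; the 8-byte fragment then sees an expected size of 9 while 11 bytes have already been reassembled, the unsigned subtraction wraps, copy_size becomes the full 8 bytes, and the copy would end 3 bytes past the 16-byte buffer. With the check from the fix the 1-byte fragment is discarded and the same packets reassemble within bounds.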
Impact
Exploitation yields a heap (slab) out-of-bounds write in kernel context, i.e. kernel memory corruption triggered by an attached USB device. Project Zero assesses this as potentially exploitable for arbitrary code execution in the kernel.
Reproduction
The vulnerability can be reproduced on a Linux kernel built with KASAN (Kernel Address Sanitizer) and with the USB dummy host controller (dummy_hcd) enabled, so that an emulated USB device can be driven from user space on the same machine. A custom C program emulates a CDC-ACM device and sends fragmented notifications; opening the corresponding device file (which is what starts the driver's interrupt transfer, and what ModemManager does on its own) triggers the bug and produces a KASAN report of a slab-out-of-bounds write in the driver, confirming that data was written outside the allocated reassembly buffer.
Remediation
The vulnerability has been fixed in the mainline Linux kernel and in the stable branches, starting with 6.13.4, 6.12.16, 6.6.79 and 6.1.129. Users should upgrade to these releases or later ones on the same branch; distribution kernels that backport the fix should be checked against their own changelogs.
