Linux Kernel USB Gadget MIDI Streaming Descriptor Length Vulnerability

A vulnerability in the Linux kernel's USB gadget MIDI function has been addressed. The issue arose because the MIDI Streaming endpoint descriptors contained incorrect values for bNumEmbMIDIJack and bLength. While the MIDI jacks were properly configured, the descriptor lengths were misaligned. This discrepancy did not pose a problem when the numbers of input and output ports were equal. However, when they differed, the host received corrupted descriptors that included uninitialized stack memory, leaking into the descriptor for the smaller value. The driver generally aligns with the USB definitions of 'in' and 'out' from the host's perspective, where 'in' ports transmit data to the host and 'out' ports receive it.

Impact

The vulnerability could lead to the host receiving malformed MIDI Streaming endpoint descriptors, causing potential disruptions in MIDI data communication. More critically, it could allow uninitialized stack memory to leak into the MIDI descriptor, posing a risk of information disclosure.