Linux Kernel AQC111 Driver Error Handling Vulnerability

A vulnerability in the Linux kernel's AQC111 USB driver has been addressed, following its identification by Syzkaller. The issue stemmed from inadequate validation of USB read call results, which is reminiscent of a previously resolved problem in the ASIX driver. Specifically, the usbnet_read_cmd() function could read fewer bytes than specified, while the aqc111_read_cmd() function failed to properly assess the read results. This oversight could lead to incomplete initialization of the MAC address in the aqc111_bind() function, causing KMSAN warnings. The vulnerability has been fixed by ensuring that the read byte count meets expectations.

Impact

Exploitation of this vulnerability could result in uninitialized memory being used, as indicated by KMSAN warnings, potentially leading to undefined behavior or information leakage.

Reproduction

The vulnerability can be reproduced by loading a USB device that uses the AQC111 driver and observing the KMSAN warnings related to uninitialized values. This occurs because the driver does not correctly handle errors from USB read operations, allowing for incomplete data to be processed.

Remediation

Users should update to the latest version of the Linux kernel where this vulnerability has been fixed.