Linux Kernel SuperSpeed Endpoint Companion Parsing Out-of-Bounds Read Vulnerability

Vulnerability

A vulnerability in the Linux kernel's USB core configuration handling can lead to an out-of-bounds read. The issue arises in the 'usb_parse_ss_endpoint_companion()' function, which checks the descriptor type before verifying that the remaining buffer is long enough to hold the descriptor. Because of this ordering, the type check itself can read past the end of the buffer. The vulnerability affects the Linux kernel stable tree.
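The check ordering at issue, as an added illustration written for this page rather than the kernel's own code: a hardened parser that tests the remaining size before touching any descriptor field, next to the unsafe ordering in a comment. The struct layout follows the USB 3.x SuperSpeed Endpoint Companion descriptor, and the constant and field names are assumed to mirror the kernel's.

```c
#include <stdint.h>
#include <stdio.h>

/* SuperSpeed Endpoint Companion descriptor as laid out in the USB 3.x spec
 * (type 0x30, 6 bytes). Names follow the kernel's, but this file is an
 * illustrative reimplementation, not kernel code. */
#define USB_DT_SS_ENDPOINT_COMP 0x30
#define USB_DT_SS_EP_COMP_SIZE  6

struct ss_ep_comp_desc {
    uint8_t  bLength;
    uint8_t  bDescriptorType;
    uint8_t  bMaxBurst;
    uint8_t  bmAttributes;
    uint16_t wBytesPerInterval;
} __attribute__((packed));

enum { PARSE_TOO_SHORT = -1, PARSE_BAD_TYPE = -2 };

/* Hardened check order. The unsafe ordering the advisory describes is
 *
 *     if (desc->bDescriptorType != USB_DT_SS_ENDPOINT_COMP ||
 *         size < USB_DT_SS_EP_COMP_SIZE)
 *
 * which dereferences byte 1 before knowing byte 1 exists: when only a
 * single trailing byte remains, the type compare reads past the buffer.
 * Testing the remaining size first keeps every later access in bounds.
 * Returns bMaxBurst (>= 0) of a valid descriptor, or a negative code. */
int parse_ss_ep_companion(const uint8_t *buf, size_t size)
{
    const struct ss_ep_comp_desc *desc = (const struct ss_ep_comp_desc *)buf;

    if (size < USB_DT_SS_EP_COMP_SIZE)      /* 1. bounds before any field read */
        return PARSE_TOO_SHORT;
    if (desc->bDescriptorType != USB_DT_SS_ENDPOINT_COMP)  /* 2. now safe */
        return PARSE_BAD_TYPE;
    return desc->bMaxBurst;                 /* 3. consume validated fields */
}

int main(void)
{
    /* Constructed inputs: a well-formed descriptor, and the one-byte tail a
     * malformed configuration can leave after its endpoint descriptor. */
    const uint8_t good[] = { 6, 0x30, 3, 0, 0, 0 };
    const uint8_t tail[] = { 6 };
    printf("good -> %d (bMaxBurst)\n", parse_ss_ep_companion(good, sizeof good));
    printf("tail -> %d (rejected before byte 1 is touched)\n",
           parse_ss_ep_companion(tail, sizeof tail));
    return 0;
}
```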

Impact

The vulnerability can be exploited to cause an out-of-bounds read, which may lead to information disclosure or other unintended behavior by reading memory outside of the intended buffer boundaries.

Reproduction

The vulnerability can be reproduced by sending a USB SuperSpeed endpoint companion descriptor that is malformed or exceeds the expected length. The 'usb_parse_ss_endpoint_companion()' function will process the descriptor without proper validation, leading to an out-of-bounds read.

Remediation

Users can upgrade to the latest version of the Linux kernel stable tree, where this vulnerability has been addressed. Instructions for downloading the patched version are available on the official Linux kernel website.

Added: Sep 11, 2025, 6:18 PM
Updated: Sep 11, 2025, 6:18 PM

Vulnerability Rating

Custom Algorithm

spread          9.0
impact          0.6
exploitability  4.3
remediation     7.7
relevance       0.5
threat          4.8
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.