Linux Kernel Buffer Overflow Vulnerability in USB 9pfs Transport Layer

Vulnerability

A buffer overflow vulnerability has been identified in the USB 9pfs transport layer of the Linux kernel. This issue arises from inconsistent size validation between packet header parsing and actual data copying, allowing a malicious USB host to overflow heap buffers. The vulnerability occurs because the function usb9pfs_rx_header() only validates the declared size in the packet header, while usb9pfs_rx_complete() uses the actual received bytes for memory copying. As a result, an attacker can craft packets with a small declared size that bypasses validation, but with a large actual payload that triggers the overflow during the copying process.
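The mismatch described above, as an added example: a simplified user-space model, not the kernel's code or its patch. The function names, the 64-byte capacity and the 4-byte little-endian size header are assumptions for illustration; it contrasts a check that looks only at the declared size with a copy step that validates the length it actually copies.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified model, not kernel code: names, the 64-byte capacity and the
 * 4-byte little-endian size header are assumptions for illustration. */
#define RX_CAPACITY 64u

/* Size the sender declares in the first 4 bytes of the packet. */
static uint32_t declared_size(const uint8_t *pkt)
{
    return (uint32_t)pkt[0] | ((uint32_t)pkt[1] << 8) |
           ((uint32_t)pkt[2] << 16) | ((uint32_t)pkt[3] << 24);
}

/* Header-only validation (1 = accepted): blind to how much data arrived. */
static int header_check_only(const uint8_t *pkt, size_t actual_len)
{
    return actual_len >= 4 && declared_size(pkt) <= RX_CAPACITY;
}

/* Validates the same length it hands to memcpy(); -1 means rejected. */
static long rx_copy_checked(uint8_t *dst, size_t dst_cap,
                            const uint8_t *pkt, size_t actual_len)
{
    if (actual_len < 4 || declared_size(pkt) > dst_cap || actual_len > dst_cap)
        return -1;
    memcpy(dst, pkt, actual_len);
    return (long)actual_len;
}

/* Constructed packet: len bytes received, header claims `declared`. */
static long run_case(size_t len, uint32_t declared, int hardened)
{
    uint8_t pkt[256], rx[RX_CAPACITY];
    memset(pkt, 0x41, sizeof pkt);
    pkt[0] = declared & 0xff;         pkt[1] = (declared >> 8) & 0xff;
    pkt[2] = (declared >> 16) & 0xff; pkt[3] = (declared >> 24) & 0xff;
    return hardened ? rx_copy_checked(rx, sizeof rx, pkt, len)
                    : header_check_only(pkt, len);
}

int main(void)
{
    printf("header-only, 128 bytes declared as 16: %ld\n", run_case(128, 16, 0));
    printf("checked,     128 bytes declared as 16: %ld\n", run_case(128, 16, 1));
    printf("checked,      16 bytes declared as 16: %ld\n", run_case(16, 16, 1));
    return 0;
}
```

The header-only check accepts the constructed 128-byte packet because its header claims 16 bytes, while the checked copy rejects it before any bytes are written to the 64-byte buffer.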

Impact

Exploitation of this vulnerability results in a heap buffer overflow, which could allow arbitrary code execution or cause a denial-of-service condition.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been patched. Instructions for downloading the updated kernel can be found on the official Linux kernel website.

Added: Oct 20, 2025, 6:18 AM
Updated: Oct 20, 2025, 6:18 AM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 4.0
remediation: 7.7
relevance: 0.7
threat: 3.2
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.