Linux Kernel Pegasus Notetaker Driver Out-of-Bounds Access Vulnerability

Vulnerability

A vulnerability has been identified in the Linux kernel's Pegasus Notetaker driver, specifically in the pegasus_probe() function. This function allocates a USB Request Block (URB) transfer buffer based on the wMaxPacketSize value from the endpoint descriptor. An attacker can exploit this by using a malicious USB descriptor to force the allocation of an inadequately small buffer. If the device then sends an interrupt packet with a certain pattern—such as a byte value of 0x80 or 0x42—the pegasus_parse_packet() function will parse the packet without verifying the size of the allocated buffer. This oversight results in an out-of-bounds memory access, potentially leading to memory corruption or other unintended behavior.
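The two checks the description implies can be shown in a small user-space C model, added here as an illustration and not taken from the driver: a probe-time rejection of an endpoint whose wMaxPacketSize cannot hold a full report, and a parser that validates both the allocated length and the bytes actually received before indexing the buffer. The struct and function names, the 6-byte minimum report size and the sample packets are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Hypothetical model of the state the advisory describes: an interrupt URB
 * buffer whose length (data_len) comes from wMaxPacketSize. Assumed names. */
struct pegasus_model {
    const uint8_t *data;   /* URB transfer buffer */
    size_t data_len;       /* bytes allocated, from wMaxPacketSize */
};

#define PEGASUS_MIN_PACKET 6   /* report ID + five payload bytes (assumed) */
enum { PEGASUS_OK = 0, PEGASUS_EBADEP = -1, PEGASUS_ESHORT = -2, PEGASUS_EUNKNOWN = -3 };

/* Probe-time check: refuse to bind when the descriptor-supplied packet size
 * cannot hold a full report, so a too-small buffer is never allocated. */
int pegasus_model_probe(uint16_t wMaxPacketSize)
{
    return wMaxPacketSize < PEGASUS_MIN_PACKET ? PEGASUS_EBADEP : PEGASUS_OK;
}

/* Completion-time parse: check the allocated length and the bytes actually
 * received before indexing data[1..5]; only then decode the report. */
int pegasus_model_parse(const struct pegasus_model *p, size_t actual_len,
                        uint8_t *type, uint16_t *field)
{
    if (p->data_len < PEGASUS_MIN_PACKET || actual_len < PEGASUS_MIN_PACKET ||
        actual_len > p->data_len)
        return PEGASUS_ESHORT;      /* unchecked code would read past data_len */
    switch (p->data[0]) {
    case 0x80:
    case 0x42:                      /* report types named in the advisory */
        *type = p->data[0];
        *field = (uint16_t)(p->data[2] | (p->data[3] << 8));
        return PEGASUS_OK;
    default:
        return PEGASUS_EUNKNOWN;
    }
}

/* Constructed sample packets, not captured from a real device. */
const uint8_t pegasus_sample_ok[8]   = { 0x42, 0x00, 0x34, 0x12, 0, 0, 0, 0 };
const uint8_t pegasus_sample_tiny[2] = { 0x80, 0x00 };
int main(void)
{
    struct pegasus_model tiny = { pegasus_sample_tiny, sizeof pegasus_sample_tiny };
    uint8_t t = 0; uint16_t f = 0;
    printf("probe(2)=%d parse(tiny)=%d\n", pegasus_model_probe(2), pegasus_model_parse(&tiny, 2, &t, &f));
    return 0;
}
```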

Impact

Exploitation of this vulnerability causes an out-of-bounds memory access, which can lead to memory corruption or other unintended behaviors.

Reproduction

To reproduce this vulnerability, load the Pegasus Notetaker driver and connect a device that can present a malicious USB descriptor. The device's endpoint descriptor should advertise a wMaxPacketSize small enough that the driver allocates a very small transfer buffer. Once the driver has allocated the buffer, the device can send an interrupt packet with a specific pattern, such as a byte value of 0x80 or 0x42. The pegasus_parse_packet() function will then parse the packet without checking the buffer size, causing an out-of-bounds access.

Remediation

Update to a Linux kernel release that includes the fix for this vulnerability. Instructions for updating the kernel can be found in the official Linux documentation.

Added: Dec 16, 2025, 4:22 PM
Updated: Dec 16, 2025, 4:22 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 4.3
remediation: 7.7
relevance: 1.4
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.