Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A memory leak vulnerability has been identified in the Linux kernel's USB storage subsystem, specifically within the bulk transport handling. This issue arises when USB storage devices improperly skip the data phase, leading to a leakage of status protocol data into the SCSI generic interface. The vulnerability was revealed by the 'ioctl_sg01' test from the Linux Test Project (LTP), which detected the presence of the 'USBS' signature in the transfer buffer. The leak occurs because the code fails to clear the Command Status Wrapper (CSW) data after validation, allowing USB protocol information to spill into user space through /dev/sg* interfaces. This vulnerability affects several versions of the Linux kernel.
The vulnerability can be exploited to leak USB protocol data into user space via SCSI generic interfaces, potentially leading to unauthorized access or manipulation of USB storage device communications.
To reproduce this vulnerability, connect a USB storage device that is known to skip the data phase correctly. Then, run the 'ioctl_sg01' test from the Linux Test Project (LTP) suite. This test will trigger the condition that causes the memory leak by requesting 512 KiB of data, which will expose the leaked 'USBS' signature through the SCSI generic interface.
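Added example, not part of the original advisory and not taken from the kernel or LTP source: a C check that scans a buffer returned through a /dev/sg* interface for a leaked Command Status Wrapper, the 13-byte record that begins with the 'USBS' signature. The name find_leaked_csw, the csw_hit struct and the sample bytes are constructed for illustration; the field layout is the standard USB Bulk-Only Transport CSW.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CSW_LEN 13 /* Bulk-Only Transport CSW: signature, tag, residue, status */

struct csw_hit {
    size_t   offset;   /* where the CSW starts in the buffer */
    uint32_t tag;      /* dCSWTag */
    uint32_t residue;  /* dCSWDataResidue */
    uint8_t  status;   /* bCSWStatus: 0 passed, 1 failed, 2 phase error */
};

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Return 1 and fill *hit for the first CSW-shaped record in buf, else 0.
 * "USBS" with fewer than 13 bytes left, or a status above 2, is skipped. */
int find_leaked_csw(const uint8_t *buf, size_t len, struct csw_hit *hit)
{
    for (size_t i = 0; len >= CSW_LEN && i <= len - CSW_LEN; i++) {
        if (memcmp(buf + i, "USBS", 4) != 0 || buf[i + 12] > 2)
            continue;
        hit->offset = i;
        hit->tag = le32(buf + i + 4);
        hit->residue = le32(buf + i + 8);
        hit->status = buf[i + 12];
        return 1;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample: zeroed buffer with a CSW where data should be. */
    uint8_t buf[512] = {0};
    const uint8_t csw[CSW_LEN] = {'U','S','B','S', 0x2a,0,0,0, 0,0,8,0, 0};
    struct csw_hit hit;

    memcpy(buf, csw, sizeof csw);
    if (find_leaked_csw(buf, sizeof buf, &hit))
        printf("CSW at %zu: tag=%u residue=%u status=%u\n", hit.offset,
               (unsigned)hit.tag, (unsigned)hit.residue, (unsigned)hit.status);
    return 0;
}
```

In the constructed sample the residue field decodes to 524288 bytes, which is what a CSW would report if a 512 KiB request had its data phase skipped entirely.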
Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed. Instructions for downloading the patched version are available on the official Linux kernel website.