Linux Kernel gs_usb Driver USB Submission Error Handling Vulnerability

A vulnerability has been identified in the Linux kernel's gs_usb driver, specifically in the handling of USB request blocks (URBs) during bulk data reception. The issue arises because, after a recent patch intended to prevent memory leaks by re-anchoring URBs before submission, the possibility of submission errors was not considered. When usb_submit_urb() fails, the URB remains anchored, causing an infinite loop in the cleanup process as the anchor list never empties. This vulnerability affects the Linux kernel stable tree.

Impact

The vulnerability leads to a denial-of-service condition, where the system becomes unresponsive due to an infinite loop in the gs_can_close() function, caused by the improperly managed URB anchoring.

Reproduction

The vulnerability can be reproduced by using a gs_usb device that triggers a failure in the usb_submit_urb() function. This will cause the URB to remain anchored, and when the gs_can_close() function is called, it will enter an infinite loop, effectively hanging the system.

Remediation

Users can apply the latest patch available in the Linux kernel stable tree, which unanchors the URB in case of a submission error and adds a log message regarding the failure. Instructions for downloading this patched version are available on the Linux kernel's official website.