Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A vulnerability in the Linux kernel's ALSA USB audio subsystem has been addressed. The validator for the UAC3 AC header descriptor was incorrectly set to UAC_VERSION_2 instead of UAC_VERSION_3, so it never matched actual UAC3 devices and their header descriptors bypassed validation. A malicious USB device could exploit this flaw by presenting a truncated UAC3 header, leading to out-of-bounds reads when the driver accessed the unvalidated descriptor fields.
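The lookup behaviour described above, as an added C model that is not the kernel's own code. The table layout, all names, the 10-byte minimum length and the rule that an unmatched descriptor is accepted are assumptions made for illustration, and the descriptors are constructed samples.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified model; identifiers are illustrative, not kernel symbols. */
enum { VER_2 = 0x20, VER_3 = 0x30 };   /* audio class protocol versions */
enum { SUBTYPE_HEADER = 0x01 };        /* AC header descriptor subtype */
enum { UAC3_HEADER_MIN_LEN = 10 };     /* assumed minimum UAC3 header size */

struct validator {
    unsigned char protocol;  /* protocol version the entry applies to */
    unsigned char subtype;   /* descriptor subtype the entry applies to */
    size_t min_len;          /* smallest acceptable bLength */
};

/* Before the fix: the UAC3 header check is tagged with the UAC2 version. */
static const struct validator table_buggy[] = {
    { VER_2, SUBTYPE_HEADER, UAC3_HEADER_MIN_LEN },
};
/* After the fix: the same check is tagged with the UAC3 version. */
static const struct validator table_fixed[] = {
    { VER_3, SUBTYPE_HEADER, UAC3_HEADER_MIN_LEN },
};

/* Constructed descriptors: bLength, bDescriptorType, bDescriptorSubtype, ... */
static const unsigned char truncated_hdr[] = { 4, 0x24, SUBTYPE_HEADER, 0x00 };
static const unsigned char full_hdr[] = { 10, 0x24, SUBTYPE_HEADER, 0x00,
                                          0x0a, 0x00, 0, 0, 0, 0 };

/* Returns true when the descriptor is accepted. A descriptor with no
 * matching entry is accepted unchecked, so a wrongly tagged entry turns
 * the length check into a no-op for the devices it was meant to cover. */
static bool validate_desc(const struct validator *tbl, size_t n,
                          unsigned char protocol, const unsigned char *desc)
{
    for (size_t i = 0; i < n; i++) {
        if (tbl[i].subtype == desc[2] && tbl[i].protocol == protocol)
            return desc[0] >= tbl[i].min_len;
    }
    return true; /* no entry matched: validation skipped */
}

int main(void)
{
    printf("buggy table, truncated UAC3 header accepted: %d\n",
           validate_desc(table_buggy, 1, VER_3, truncated_hdr));
    printf("fixed table, truncated UAC3 header accepted: %d\n",
           validate_desc(table_fixed, 1, VER_3, truncated_hdr));
    printf("fixed table, full UAC3 header accepted: %d\n",
           validate_desc(table_fixed, 1, VER_3, full_hdr));
    return 0;
}
```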
Exploitation of this vulnerability could result in out-of-bounds read operations, potentially causing memory corruption or allowing for the disclosure of sensitive information.
The vulnerability can be reproduced by connecting a malicious USB device that presents a truncated UAC3 header to a system running an affected version of the Linux kernel. The device will be able to bypass header validation, allowing for out-of-bounds reads when the driver accesses the unvalidated descriptor fields.
Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed. Instructions for downloading the patched version are available on the official Linux kernel website.