Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A bounds-check vulnerability has been identified in the Linux kernel's CDC NCM USB driver, specifically in the function that handles the 32-bit version of the NCM Transfer Block. The issue arises because the size of the Data Payload Extension (DPE) array is validated against the total length of the socket buffer (skb) without considering the NDP offset. This oversight can lead to out-of-bounds reads, particularly when the NDP32 is positioned near the end of the NTB.
Exploitation of this vulnerability can lead to out-of-bounds read conditions, which may be leveraged to read sensitive data from memory or cause a denial-of-service by crashing the kernel.
The vulnerability can be reproduced by sending a USB packet that includes an NDP32 near the end of the NTB, at an offset where the DPE array passes the size validation but extends beyond the actual length of the socket buffer.
Users can upgrade to the latest version of the Linux kernel where this vulnerability has been addressed.
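The bounds check described above, as an added userspace model in C that is not the kernel driver's code: it compares a check that ignores the NDP offset with one that accounts for it. The function names, the assumption that the fixed header was already located inside the buffer, and the sample sizes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define NDP32_HDR_LEN 16u /* fixed NDP32 header size in the NCM format */
#define DPE32_LEN      8u /* one 32-bit DPE: 4-byte index + 4-byte length */

/* Bytes covered by an NDP32 whose length field is ndp_len; 0 if malformed. */
static size_t ndp32_span(uint16_t ndp_len)
{
    if (ndp_len < NDP32_HDR_LEN + DPE32_LEN)
        return 0;
    return NDP32_HDR_LEN + ((ndp_len - NDP32_HDR_LEN) / DPE32_LEN) * DPE32_LEN;
}

/* Flawed form: the DPE array size is compared with the whole skb length. */
static int check_without_offset(size_t skb_len, size_t ndp_off, uint16_t ndp_len)
{
    size_t span = ndp32_span(ndp_len);

    /* Assumption: the fixed header was already located inside the buffer. */
    if (ndp_off > skb_len || skb_len - ndp_off < NDP32_HDR_LEN)
        return 0;
    return span != 0 && span <= skb_len; /* ndp_off not considered here */
}

/* Corrected form: the array must fit between ndp_off and the buffer end. */
static int check_with_offset(size_t skb_len, size_t ndp_off, uint16_t ndp_len)
{
    size_t span = ndp32_span(ndp_len);

    if (span == 0 || ndp_off > skb_len)
        return 0;
    return span <= skb_len - ndp_off; /* subtraction cannot wrap */
}

int main(void)
{
    /* Constructed case: 2048-byte NTB, NDP32 at offset 2016, 8 DPE entries. */
    printf("without offset: %d, with offset: %d\n",
           check_without_offset(2048, 2016, 80),
           check_with_offset(2048, 2016, 80));
    return 0;
}
```

In the constructed case only 32 bytes remain after the offset, so the 80-byte NDP32 is accepted by the first check and rejected by the second.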