Linux Kernel Out-of-Bounds Read Vulnerability in CDC NCM USB Driver

Vulnerability

A vulnerability has been identified in the Linux kernel's USB CDC NCM driver, specifically in the handling of NDP16 frames. The issue arises in the 'cdc_ncm_rx_verify_ndp16' function, which checks that the NDP header and its associated DPE entries fit within the provided socket buffer (skb). While the initial check correctly considers the NDP offset, the subsequent validation of the DPE array size against the total skb length fails to account for this offset. As a result, when the NDP is positioned near the end of the NTB, the DPE entries can extend past the end of the skb data buffer, leading to an out-of-bounds memory read. This vulnerability has been addressed by modifying the bounds check to include the NDP offset and by using a clearer representation of the NDP and DPE array size.
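The two forms of the bounds check described above, as a userspace model added here for illustration; it is not the kernel's code or the upstream patch. The function names, the nframes parameter (the DPE count derived from the NDP's length field) and the sample sizes are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* CDC NCM 16-bit layout: 8-byte NDP16 header, 4-byte DPE16 entries. */
#define NDP16_HDR_LEN 8u
#define DPE16_LEN     4u

/* Model of the pre-fix logic as described: the header check includes
 * ndpoffset, but the DPE array check compares against skb_len alone. */
static int verify_ndp16_weak(size_t skb_len, size_t ndpoffset, uint16_t nframes)
{
    if (ndpoffset + NDP16_HDR_LEN > skb_len)
        return -1;
    if (NDP16_HDR_LEN + (size_t)nframes * DPE16_LEN > skb_len)
        return -1;
    return nframes;
}

/* Corrected form: header plus DPE array, measured from ndpoffset. */
static int verify_ndp16_fixed(size_t skb_len, size_t ndpoffset, uint16_t nframes)
{
    size_t ndp_size = NDP16_HDR_LEN + (size_t)nframes * DPE16_LEN;

    if (ndpoffset > skb_len || ndp_size > skb_len - ndpoffset)
        return -1;
    return nframes;
}

/* Bytes beyond the buffer that a walk over the DPE array would read. */
static size_t bytes_past_end(size_t skb_len, size_t ndpoffset, uint16_t nframes)
{
    size_t end = ndpoffset + NDP16_HDR_LEN + (size_t)nframes * DPE16_LEN;

    return end > skb_len ? end - skb_len : 0;
}

int main(void)
{
    /* Constructed values: 2048-byte buffer, NDP 16 bytes from the end. */
    size_t len = 2048, off = 2032;
    uint16_t n = 8;

    printf("weak=%d fixed=%d past_end=%zu\n",
           verify_ndp16_weak(len, off, n),
           verify_ndp16_fixed(len, off, n),
           bytes_past_end(len, off, n));
    return 0;
}
```

Writing the corrected comparison as a subtraction from skb_len, after confirming the offset is in range, also keeps the check free of integer wraparound for large offsets.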

Impact

Exploitation of this vulnerability allows for out-of-bounds memory reads, which can potentially lead to information disclosure or other memory corruption issues.

Reproduction

The vulnerability can be reproduced by sending NDP16 frames with a large NDP index that places the NDP near the end of the NTB. This will cause the DPE entries to extend beyond the skb data buffer, allowing 'cdc_ncm_rx_fixup' to read out-of-bounds memory while processing the DPE array.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed. Instructions for downloading the patched version are available on the Linux kernel official website.

Added: Apr 3, 2026, 5:03 PM
Updated: Apr 3, 2026, 5:03 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 0.6
exploitability: 4.3
remediation: 7.7
relevance: 5.2
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.