Linux Kernel USB Gadget Function f_mass_storage Integer Overflow Vulnerability

Vulnerability

A potential integer overflow has been identified in the Linux kernel's USB gadget mass-storage function (f_mass_storage). In 'check_command_size_in_blocks()', the transfer length parsed from the SCSI command descriptor block (CDB), held in 'common->data_size_from_cmnd' as a block count, is converted to a byte count by left-shifting it by the LUN's block-size exponent ('blkbits', 9 for 512-byte blocks). The shift is performed in a 32-bit field without any overflow check, so a malicious or compromised USB host can send a READ or WRITE command whose block count, multiplied by the block size, exceeds 2^32. The product wraps modulo 2^32; the truncated value then passes the comparison against the data size the host announced in the CBW, and later stages of the driver operate on a command whose real extent is far larger than what was validated. The result can be memory corruption or out-of-bounds access on the gadget side.

Impact

Successful exploitation causes memory corruption or out-of-bounds memory access in kernel context on the device that exposes the gadget, which can result in a denial of service (kernel crash) or potentially arbitrary code execution. The attacker is the USB host, so the issue matters for any Linux device that presents a mass-storage gadget to hosts it does not trust.

Reproduction

To reproduce the issue, attach the gadget to a USB host you control and issue a SCSI READ or WRITE command whose transfer length in blocks, multiplied by the LUN block size, exceeds 2^32 bytes. A 16-bit transfer length cannot wrap at any realistic block size (65535 blocks of 4096 bytes is still under 256 MiB), so the command must carry a 32-bit transfer length, as READ(12) and WRITE(12) do. A block count chosen so that the wrapped product is small, or zero, makes the truncated byte count pass the size check in 'check_command_size_in_blocks()' even though the command itself still describes a multi-gigabyte transfer, and the driver proceeds past the boundary check with an inconsistent size.
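The following is an added user-space model of the check described in the Vulnerability and Reproduction sections; it is not the kernel's code and not the upstream patch. The struct-free helper names ('bytes_vulnerable', 'bytes_hardened', 'check_vulnerable', 'check_hardened', 'read12_accepted') are hypothetical stand-ins chosen to mirror the fields the advisory refers to, the READ(12) CDB is constructed inline rather than captured from a real host, and the hardened variant is one reasonable fix (widen to 64 bits before shifting and reject anything that does not fit), not necessarily what the kernel patch does. The sample values show a block count of 0x00800010 whose 32-bit product with a 512-byte block size wraps to exactly 0x2000, so the unchecked path accepts a command that really describes an 8,388,624-block transfer.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Big-endian helpers: SCSI CDBs encode multi-byte fields big-endian. */
static uint32_t get_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

static void put_be32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24);
    p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);
    p[3] = (uint8_t)v;
}

/*
 * Build a READ(12) CDB (constructed sample, not a captured packet):
 * byte 0 = opcode 0xA8, bytes 2..5 = LBA, bytes 6..9 = TRANSFER LENGTH in blocks.
 */
static void build_read12(uint8_t cdb[12], uint32_t lba, uint32_t blocks)
{
    for (int i = 0; i < 12; i++)
        cdb[i] = 0;
    cdb[0] = 0xA8;
    put_be32(&cdb[2], lba);
    put_be32(&cdb[6], blocks);
}

/* Block count the device side parses out of a READ(12) CDB. */
static uint32_t read12_transfer_length(const uint8_t cdb[12])
{
    return get_be32(&cdb[6]);
}

/* Vulnerable pattern: blocks -> bytes in 32 bits with no overflow check. */
static uint32_t bytes_vulnerable(uint32_t blocks, unsigned int blkbits)
{
    return (uint32_t)(blocks << blkbits); /* wraps modulo 2^32 */
}

/*
 * Hardened pattern (hypothetical fix written for this example): widen before
 * shifting and refuse any product that does not fit the 32-bit field.
 */
static bool bytes_hardened(uint32_t blocks, unsigned int blkbits, uint32_t *out)
{
    uint64_t bytes = (uint64_t)blocks << blkbits;
    if (bytes > UINT32_MAX)
        return false;
    *out = (uint32_t)bytes;
    return true;
}

/*
 * The size check: the byte count implied by the command must not exceed the
 * byte count the host announced for the transfer (data_size). Returns true
 * when the command is accepted.
 */
static bool check_vulnerable(uint32_t blocks, unsigned int blkbits, uint32_t data_size)
{
    return bytes_vulnerable(blocks, blkbits) <= data_size;
}

static bool check_hardened(uint32_t blocks, unsigned int blkbits, uint32_t data_size)
{
    uint32_t bytes;
    if (!bytes_hardened(blocks, blkbits, &bytes))
        return false;
    return bytes <= data_size;
}

/* Encode a READ(12) for `blocks`, parse it back as the device would, run one check. */
static bool read12_accepted(uint32_t blocks, unsigned int blkbits,
                            uint32_t data_size, bool hardened)
{
    uint8_t cdb[12];
    build_read12(cdb, 0, blocks);
    uint32_t parsed = read12_transfer_length(cdb);
    return hardened ? check_hardened(parsed, blkbits, data_size)
                    : check_vulnerable(parsed, blkbits, data_size);
}

int main(void)
{
    const unsigned int blkbits = 9;  /* 512-byte blocks */
    const uint32_t host_len = 8192;  /* host announces a 16-block transfer */

    /* Honest command: 16 blocks = 8192 bytes, accepted by both checks. */
    printf("16 blocks:         vulnerable=%d hardened=%d\n",
           read12_accepted(16, blkbits, host_len, false),
           read12_accepted(16, blkbits, host_len, true));

    /* Malicious command: 0x00800010 << 9 = 0x100002000, truncated to 0x2000. */
    printf("0x00800010 blocks: vulnerable=%d hardened=%d (wrapped bytes=%u)\n",
           read12_accepted(0x00800010u, blkbits, host_len, false),
           read12_accepted(0x00800010u, blkbits, host_len, true),
           bytes_vulnerable(0x00800010u, blkbits));
    return 0;
}
```

The choice of 0x00800010 is deliberate: with a 512-byte block size the low nine bits of the wrapped product come from the low 23 bits of the block count, so an attacker can pick the truncated byte count freely and match whatever the CBW announces. A block count of exactly 0x00800000 wraps to zero, which a driver may treat as a command carrying no data at all.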

Remediation

Update to a kernel release that includes the fix, which is carried in the official Linux kernel repositories and reaches distribution kernels through their stable updates. Until the updated kernel is deployed, avoid exposing the mass-storage gadget function to USB hosts you do not control.

Added: Apr 10, 2026, 11:36 AM
Updated: Apr 10, 2026, 11:36 AM

Vulnerability Rating

Custom Algorithm

  spread          9.0
  impact          3.1
  exploitability  4.3
  remediation     7.7
  relevance       5.6
  threat          4.8
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.