Linux Kernel Phonet Gadget USB Fragments Overflow Vulnerability

Vulnerability

A vulnerability in the Linux kernel's USB gadget function for Phonet can lead to a heap overflow. The issue arises when a USB host sends an excessive number of full-page OUT transfers. The Phonet gadget does not properly reset the received socket buffer (skb) when the host consistently transmits PAGE_SIZE bytes, so fragments keep accumulating. Once the number of fragments exceeds the maximum limit, further fragments overwrite adjacent memory on the heap. The vulnerability has been addressed by modifying the fragment handling to prevent the overflow.
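The fragment accounting described above, as a user-space C model (an added example, not kernel or vendor code). MODEL_PAGE_SIZE, MODEL_MAX_FRAGS, struct rx_state, rx_complete and run_stream are assumed names and values; the unchecked path only counts appends that would fall past the array, and dropping the packet at the limit is one possible form of the check, not necessarily the upstream fix.

```c
#include <stdio.h>

#define MODEL_PAGE_SIZE 4096u /* assumed page size for this model */
#define MODEL_MAX_FRAGS 17u   /* assumed capacity of the fragment array */

struct rx_state {
    unsigned nr_frags;   /* fragments held by the packet in progress */
    unsigned oob_writes; /* appends that would land past the array */
    unsigned delivered;  /* packets completed by a short transfer */
    unsigned dropped;    /* packets discarded by the limit check */
};

/* One completed OUT transfer of `actual` bytes. Only a transfer shorter than
 * a page ends the packet, so a run of full pages keeps growing it. */
static void rx_complete(struct rx_state *s, unsigned actual, int check_limit)
{
    if (s->nr_frags >= MODEL_MAX_FRAGS) {
        if (check_limit) {       /* hardened: drop the packet and start over */
            s->nr_frags = 0;
            s->dropped++;
            return;
        }
        s->oob_writes++;         /* unchecked: counted here, never performed */
    }
    s->nr_frags++;
    if (actual < MODEL_PAGE_SIZE) { /* last fragment: deliver and reset */
        s->delivered++;
        s->nr_frags = 0;
    }
}

/* Constructed input: `full_pages` full-page transfers, then one 64-byte one. */
static struct rx_state run_stream(unsigned full_pages, int check_limit)
{
    struct rx_state s = {0, 0, 0, 0};
    for (unsigned i = 0; i < full_pages; i++)
        rx_complete(&s, MODEL_PAGE_SIZE, check_limit);
    rx_complete(&s, 64, check_limit);
    return s;
}

int main(void)
{
    struct rx_state a = run_stream(40, 0), b = run_stream(40, 1);
    printf("unchecked: oob=%u delivered=%u\n", a.oob_writes, a.delivered);
    printf("checked:   oob=%u dropped=%u delivered=%u\n",
           b.oob_writes, b.dropped, b.delivered);
    return 0;
}
```

In the model, a packet of 16 full pages plus the short transfer exactly fills the array; one more full page is the first append past it.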

Impact

Exploitation of this vulnerability can lead to a heap overflow, allowing for potential memory corruption.

Reproduction

The vulnerability can be reproduced by connecting a USB host that sends continuous full-page OUT transfers to a device running the affected Linux kernel version with the Phonet gadget enabled. Monitor the device's memory management to observe the fragment overflow once the maximum fragment limit is exceeded.

Remediation

Users can upgrade to the latest stable version of the Linux kernel where this vulnerability has been fixed.

Added: Apr 24, 2026, 5:30 PM
Updated: Apr 24, 2026, 5:30 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 3.8
exploitability: 3.9
remediation: 7.7
relevance: 6.6
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.