Linux Kernel USB CDC Phonet Driver SKB Fragments Overflow Vulnerability

A vulnerability in the Linux kernel's USB CDC Phonet modem driver can lead to an overflow of the skb_shared_info->frags[] array. This occurs when a malicious USB device sends an unbounded sequence of full-page bulk transfers. The vulnerability has been addressed by modifying the driver to drop the skb (socket buffer) and increment the length error when the fragment limit is reached, preventing the overflow. This fix is consistent with a previous correction made for the T7XX driver, which also dealt with a potential skb->frags overflow in the receive path.

Impact

Exploitation of this vulnerability can cause a buffer overflow in the skb_shared_info->frags[] array, leading to memory corruption.

Reproduction

To reproduce this vulnerability, connect a malicious USB device that emulates a CDC Phonet modem to a system running an affected version of the Linux kernel. The device can then send a continuous stream of full-page bulk transfers. Monitor the system for signs of memory corruption or instability, which would indicate that the skb frags overflow has occurred.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed. Instructions for downloading the patched version are available on the official Linux kernel website.