Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*, +4 more
A vulnerability in the Linux kernel's USB gadget functionality, specifically in the 'f_uac1_legacy' audio function, has been addressed. The 'f_audio_complete' function improperly handled control request sizes, leading to a stack-based out-of-bounds write. Because the request length could be influenced by the host, an oversized request could overwrite adjacent memory on the stack. The vulnerability affects several versions of the Linux kernel.
Exploitation of this vulnerability could lead to a stack-based buffer overflow, allowing for arbitrary code execution or causing a crash by overwriting the return address of a function.
To reproduce this vulnerability, send a USB control request to a device using the 'f_uac1_legacy' audio function. The request should include a length that exceeds the buffer size expected by the device, taking advantage of the fact that the 'length' field can be controlled by the host. This will cause the device to overwrite memory on the stack, potentially leading to code execution or a crash.
Users can upgrade to the latest version of the Linux kernel, where this vulnerability has been fixed. Instructions for downloading the patched version are available on the official Linux kernel website.
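The length handling described above can be modelled in user space. The following is an added example, not code from the Linux kernel or from this advisory: the `ctrl_req` struct and both function names are hypothetical, and the 4-byte destination is an assumed size chosen for illustration. It contrasts a copy sized by the host with a completion handler that validates the transferred size first.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified control request; not the kernel's struct usb_request. */
struct ctrl_req {
    const uint8_t *buf; /* data-stage bytes received from the host */
    size_t length;      /* size requested by the host in the setup packet */
    size_t actual;      /* bytes actually transferred */
};

/* Unsafe pattern, for contrast only (never called here): the copy size is
 * host-controlled, so any length above sizeof(data) writes past 'data'. */
int complete_unchecked(const struct ctrl_req *req, uint32_t *out)
{
    uint32_t data = 0;
    memcpy(&data, req->buf, req->length);
    *out = data;
    return 0;
}

/* Hardened form: validate the transferred size against the destination
 * before touching it, then decode the little-endian value byte by byte. */
int complete_checked(const struct ctrl_req *req, uint32_t *out)
{
    uint32_t data = 0;
    size_t i;

    if (req->buf == NULL || req->actual == 0)
        return -EINVAL;
    if (req->actual > sizeof(data) || req->actual > req->length)
        return -EINVAL;
    for (i = 0; i < req->actual; i++)
        data |= (uint32_t)req->buf[i] << (8 * i);
    *out = data;
    return 0;
}

int main(void)
{
    const uint8_t payload[2] = { 0x34, 0x12 };  /* constructed sample */
    struct ctrl_req req = { payload, sizeof(payload), sizeof(payload) };
    uint32_t value = 0;
    int rc = complete_checked(&req, &value);
    printf("rc=%d value=0x%x\n", rc, (unsigned)value);
    return 0;
}
```

The checked handler rejects the request outright rather than truncating it, so a malformed size never reaches the decode step and the caller's output stays unmodified.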