Linux Kernel Pegasus USB Driver Endpoint Validation Vulnerability

A vulnerability exists in the Linux kernel's Pegasus USB driver, where the function 'pegasus_probe()' populates USB Request Blocks (URBs) with fixed endpoint pipes without validating the endpoint descriptors. This issue affects the Linux kernel stable tree and can be exploited by a malformed USB device that presents incorrect transfer types, leading to potential miscommunication between the device and the driver.

Impact

The vulnerability could allow a malformed USB device to disrupt normal driver operations by presenting incorrect endpoint transfer types, potentially leading to improper data handling or communication errors.

Reproduction

The vulnerability can be reproduced by connecting a malformed USB device to a system running an affected version of the Linux kernel. The device must present endpoint descriptors that do not match the expected transfer types, such as using incorrect pipes for bulk or interrupt transfers. Once the device is connected, the 'pegasus_probe()' function will be called, filling the URBs with the hardcoded endpoint pipes without any verification. This can be observed by monitoring the USB communication between the device and the system, where the mismatched transfer types could cause errors or unexpected behavior.

Remediation

Users can upgrade to the latest version of the Linux kernel, where this vulnerability has been addressed. Instructions for upgrading the kernel can be found in the official Linux kernel documentation.