Linux Kernel Kaweth Driver TX Queue Vulnerability in RX Mode Handling

Vulnerability

A vulnerability has been identified in the Linux kernel's kaweth USB driver, specifically in the handling of transmission (TX) queues within the receive (RX) mode configuration. The issue arises because the ndo_set_rx_mode callback improperly manipulates the TX queue flow control, which is unrelated to RX multicast settings. This mismanagement can lead to a double submission of the same USB Request Block (URB), causing a warning that indicates a URB was submitted while it was still active. The vulnerability is present in several versions of the Linux kernel.
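The double submission described above can be followed in a small user-space model. This is an added example, not code from the kaweth driver or the kernel: it assumes a single TX URB protected only by stopping and waking the TX queue, and that the corrected RX mode handler leaves the TX queue alone. All names in it are hypothetical.

```c
/* Added user-space model, not kernel code. All names are hypothetical. */
#include <stdbool.h>
#include <stdio.h>
struct model_dev {
    bool queue_stopped;  /* TX queue state seen by the network stack */
    bool urb_active;     /* the single TX URB is in flight */
    int double_submits;  /* submissions made while the URB was active */
};

/* Transmit path: does nothing while the TX queue is stopped. */
static void start_xmit(struct model_dev *d)
{
    if (d->queue_stopped)
        return;                  /* stack holds the packet */
    d->queue_stopped = true;     /* stop until the URB completes */
    if (d->urb_active)
        d->double_submits++;     /* where the USB core would warn */
    d->urb_active = true;
}

/* URB completion: the only place that should wake the TX queue. */
static void tx_complete(struct model_dev *d)
{
    d->urb_active = false;
    d->queue_stopped = false;
}

/* RX mode change (filter update not modelled); buggy form wakes the queue. */
static void set_rx_mode(struct model_dev *d, bool buggy)
{
    if (buggy)
        d->queue_stopped = false; /* TX URB may still be in flight */
}

/* xmit, RX mode change while the URB is in flight, xmit again, complete. */
static int run_sequence(bool buggy)
{
    struct model_dev d = { false, false, 0 };
    start_xmit(&d);
    set_rx_mode(&d, buggy);
    start_xmit(&d);
    tx_complete(&d);
    return d.double_submits;
}

int main(void)
{
    printf("buggy: %d, fixed: %d\n", run_sequence(true), run_sequence(false));
    return 0;
}
```

In the buggy sequence the second transmit is accepted because the RX mode change woke the queue, so the same URB is submitted again before its completion has run.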

Impact

Exploitation of this vulnerability can cause a warning to be triggered in the USB subsystem, indicating that a URB was submitted while it was still active. This could potentially lead to undefined behavior or instability in the system.

Reproduction

To reproduce this vulnerability, the kaweth USB driver must be loaded and a network device using this driver must be configured. The vulnerability can then be triggered by setting the RX mode, which will cause the driver to improperly manage the TX queue. This can be done by manually invoking the kaweth_set_rx_mode function in the context of a network device that is currently transmitting data.

Remediation

Users can update to the latest version of the Linux kernel, where this vulnerability has been addressed. Instructions for updating the kernel can be found in the official Linux documentation.

Added: May 6, 2026, 3:27 PM
Updated: May 6, 2026, 3:27 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 0.6
exploitability: 3.9
remediation: 7.7
relevance: 7.6
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.