Linux Kernel ChipIdea UDC Driver DMA and Scatter-Gather Buffer Mismanagement Vulnerability

Vulnerability

A vulnerability in the ChipIdea USB Device Controller (UDC) driver of the Linux kernel can lead to "not page aligned scatter-gather buffer" errors. This issue arises when a USB device is reconnected after being disconnected during an active transfer. The problem occurs because the endpoint nuke function returns requests to the gadget layer without properly unmapping Direct Memory Access (DMA) buffers or cleaning up scatter-gather bounce buffers. When a disconnection happens during a multi-segment DMA transfer, the request's scatter-gather fields retain stale values. If the gadget driver reuses the request on reconnection without reinitializing it, the outdated DMA state can cause the hardware enqueue function to skip necessary DMA mappings and attempt to use invalid DMA addresses, potentially leading to memory corruption.

Impact

Improper handling of DMA and scatter-gather buffers can cause alignment errors and memory corruption, which in turn creates exploitation risk such as arbitrary code execution or denial-of-service conditions.

Reproduction

To reproduce this vulnerability, initiate a multi-segment DMA transfer with a USB device using the ChipIdea UDC driver. While the transfer is active, disconnect the USB device. Then, reconnect the device without reinitializing the request in the gadget driver. This sequence will trigger the "not page aligned scatter-gather buffer" error, demonstrating the vulnerability.

Remediation

The vulnerability has been addressed by adding proper DMA unmapping and scatter-gather buffer cleanup in the endpoint nuke function. Users should apply the latest patches from the Linux kernel stable tree to mitigate this issue.
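The request lifecycle the Vulnerability section describes, and the cleanup the Remediation section says the fix adds, as an added example that is not part of this advisory or of the kernel's ChipIdea driver: a user-space C model in which an endpoint nuke that hands a request back without unmapping leaves its scatter-gather state in place, so the next enqueue skips mapping and would DMA through a stale address, beside a hardened nuke that unmaps and clears first. Every name (hw_enqueue, ep_nuke_buggy, ep_nuke_fixed, dma_map, dma_backs, req_unmap, run_scenario, the bounce page) is a hypothetical stand-in, not one of the driver's own functions, and the DMA API and "hardware" validation are deliberately simplified. The invariant it checks, that a request returned to the gadget layer carries no mapped segments and no bounce page, is the condition a reviewer of such a fix would want to see hold after the nuke path.

```c
/* Added example, not kernel code: a user-space model of the request lifecycle the
 * advisory describes. All names are hypothetical; the DMA API, the bounce page and
 * the "hardware" check are simplified stand-ins for the real driver's machinery. */
#include <stdalign.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define PAGE_SIZE 4096u
#define NSEG 3

struct seg { char *cpu_buf; uint64_t dma_addr; };
/* num_mapped_sgs: segments currently mapped for DMA; bounce: page used for
 * segments that are not page aligned. Both must be clear once the request is
 * back in the gadget layer's hands. */
struct gadget_req { struct seg seg[NSEG]; unsigned num_mapped_sgs; void *bounce; };

/* Model DMA API: a table of live mappings (bus address <-> CPU buffer). */
struct mapping { char *cpu_buf; uint64_t dma_addr; };
static struct mapping live[16];
static unsigned n_live;
static int bounce_pages_live;

static uint64_t dma_map(char *cpu_buf)
{
    uint64_t addr = 0x80000000ull + (uint64_t)n_live * PAGE_SIZE;
    live[n_live++] = (struct mapping){ cpu_buf, addr };
    return addr;
}
static void dma_unmap(uint64_t dma_addr)
{
    for (unsigned i = 0; i < n_live; i++)
        if (live[i].dma_addr == dma_addr) { live[i] = live[--n_live]; return; }
}
/* True only if dma_addr is a live mapping of exactly this buffer. */
static bool dma_backs(uint64_t dma_addr, const char *cpu_buf)
{
    for (unsigned i = 0; i < n_live; i++)
        if (live[i].dma_addr == dma_addr) return live[i].cpu_buf == cpu_buf;
    return false;
}

/* The cleanup the fix adds: drop every mapping and the bounce page, reset the fields. */
static void req_unmap(struct gadget_req *r)
{
    for (unsigned i = 0; i < r->num_mapped_sgs; i++) {
        dma_unmap(r->seg[i].dma_addr);
        r->seg[i].dma_addr = 0;
    }
    r->num_mapped_sgs = 0;
    if (r->bounce) { free(r->bounce); r->bounce = NULL; bounce_pages_live--; }
}

/* Stand-in for the hardware enqueue: maps only when the request carries no mapping,
 * otherwise trusts the addresses already in it. The "hardware" then rejects any
 * segment whose address is not the live mapping of the buffer actually passed. */
static int hw_enqueue(struct gadget_req *r)
{
    if (r->num_mapped_sgs == 0) {
        for (unsigned i = 0; i < NSEG; i++) {
            if ((uintptr_t)r->seg[i].cpu_buf % PAGE_SIZE && !r->bounce) {
                r->bounce = malloc(PAGE_SIZE);  /* the copy through it is omitted */
                bounce_pages_live++;
            }
            r->seg[i].dma_addr = dma_map(r->seg[i].cpu_buf);
        }
        r->num_mapped_sgs = NSEG;
    }
    for (unsigned i = 0; i < NSEG; i++)
        if (!dma_backs(r->seg[i].dma_addr, r->seg[i].cpu_buf))
            return -1;                          /* would DMA via a stale address */
    return 0;
}

/* Defective nuke: the request returns to the gadget layer with DMA state intact. */
static void ep_nuke_buggy(struct gadget_req *r) { (void)r; }
/* Hardened nuke: unmap and clear the scatter-gather state before handing it back. */
static void ep_nuke_fixed(struct gadget_req *r) { req_unmap(r); }

struct outcome { int first_rc, second_rc; unsigned leaked_maps; int leaked_bounce; bool stale; };

/* The advisory's sequence, gadget-driver side: queue a multi-segment transfer, lose
 * the cable mid-flight, reconnect, and reuse the request for a new buffer uninitialised. */
static struct outcome run_scenario(void (*nuke)(struct gadget_req *))
{
    static alignas(PAGE_SIZE) char pool_a[3 * PAGE_SIZE], pool_b[3 * PAGE_SIZE];
    const size_t off[NSEG] = { 64, PAGE_SIZE, 2 * PAGE_SIZE + 8 };  /* two unaligned */
    struct gadget_req req = { 0 };
    struct outcome o;
    n_live = 0; bounce_pages_live = 0;
    for (unsigned i = 0; i < NSEG; i++) req.seg[i] = (struct seg){ pool_a + off[i], 0 };
    o.first_rc = hw_enqueue(&req);
    nuke(&req);                                  /* disconnect mid-transfer */
    o.leaked_maps = n_live; o.leaked_bounce = bounce_pages_live;
    o.stale = req.num_mapped_sgs != 0 || req.bounce != NULL;  /* must be false here */
    for (unsigned i = 0; i < NSEG; i++) req.seg[i].cpu_buf = pool_b + off[i];  /* reconnect */
    o.second_rc = hw_enqueue(&req);
    req_unmap(&req);                             /* release the model's resources */
    return o;
}

int main(void)
{
    printf("buggy nuke: reuse rc=%d   fixed nuke: reuse rc=%d\n",
           run_scenario(ep_nuke_buggy).second_rc, run_scenario(ep_nuke_fixed).second_rc);
    return 0;
}
```

Build with `cc -std=c11 -Wall` and run. With the defective nuke the second enqueue is refused because the request still claims three mapped segments that point at the old buffer, and the three mappings plus the bounce page are leaked across the disconnect; with the hardened nuke the request comes back clean, the reconnect maps the new buffer, and nothing leaks. The page-aligned pools and the deliberately unaligned offsets exist only to exercise the bounce-page path of the model.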

Added: May 6, 2026, 12:59 PM
Updated: May 6, 2026, 12:59 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 3.9
remediation: 7.7
relevance: 7.6
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.