Linux Kernel USB MDC800 Download URB Timeout Handling Vulnerability

A vulnerability in the Linux kernel's USB MDC800 driver allows for improper handling of timeout events during data transfer. The issue arises in the 'mdc800_device_read' function, which submits a download URB (USB Request Block) and waits for its completion. If a timeout occurs without a response from the device, the function exits without canceling the active URB. This oversight enables a subsequent read operation to resubmit the same URB while it is still in transit, causing a warning in 'usb_submit_urb' about submitting an active URB. The vulnerability affects the Linux kernel stable group.

Impact

Exploitation of this vulnerability can lead to a warning being triggered in the USB submission process, indicating that a URB was submitted while it was still active. This could potentially be exploited to cause confusion or errors in the USB communication process, but it does not appear to create a direct security risk.

Reproduction

The vulnerability can be reproduced by initiating a read operation from a USB device using the MDC800 driver. If the device does not respond within the expected timeframe, the 'mdc800_device_read' function will return without canceling the active download URB. This leaves the URB in an active state. A subsequent read operation will then resubmit the same URB while it is still in flight, triggering the warning about submitting an active URB.

Remediation

The vulnerability has been addressed in the Linux kernel. Users can upgrade to the latest version of the kernel to apply the fix.