Linux Kernel USB CDC WDM Driver Read Path Vulnerability Allowing Memory Exposure

A vulnerability in the Linux kernel's USB CDC WDM driver can lead to uninitialized memory being exposed to user space. This issue arises because the update to the length of incoming data can be reordered due to compiler optimizations or CPU out-of-order execution. As a result, the read function may access the new length and attempt to copy data to the user space from an invalid memory area. This behavior violates the Linux Kernel Memory Model's data race rules.

Impact

Exploitation of this vulnerability can cause the read function to copy data from uninitialized memory to user space, potentially leading to information disclosure.

Reproduction

The vulnerability can be reproduced by using a USB device that employs the CDC WDM class. When data is sent to the device, the driver's callback function may incorrectly update the length of the received data before the actual data is moved to the buffer. This timing issue allows the read function to see an updated length and attempt to copy data to the user, but from a memory location that has not been properly initialized.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been addressed. The patch is available in the Linux kernel stable tree.