Linux Kernel USB usbtmc Driver Timeout Vulnerability

A vulnerability in the Linux kernel's usbtmc driver allows users to specify arbitrary timeout values through an ioctl command. The driver then uses these values in some usb_bulk_msg() calls, which can lead to unkillable waits. This behavior creates a risk of hanging a kernel thread indefinitely. The vulnerability has been addressed by modifying the driver to use usb_bulk_msg_killable() instead, allowing for user-specified timeouts without the risk of causing an unresponsive kernel thread.

Impact

Exploitation of this vulnerability could lead to a denial-of-service condition, where a kernel thread is hung indefinitely, potentially causing system instability or unresponsiveness.

Reproduction

The vulnerability can be reproduced by sending an ioctl command to the usbtmc driver with a user-specified timeout value. If the timeout value is set arbitrarily long, the corresponding usb_bulk_msg() call will wait unkillably, hanging a kernel thread indefinitely.

Remediation

Users can upgrade to the patched version of the Linux kernel where this vulnerability has been addressed. Instructions for downloading the latest stable kernel can be found on the official Linux kernel website.