Linux Kernel Usblp Driver Heap Leak Vulnerability in IEEE 1284 Device ID Handling

Vulnerability

A heap memory leak vulnerability has been identified in the Linux kernel usblp driver, in its handling of IEEE 1284 device IDs. The usblp_ctrl_msg function improperly handles the return value of usb_control_msg and discards the actual number of bytes transferred, so a malfunctioning printer can complete the GET_DEVICE_ID control transfer early without the driver noticing. The usblp_cache_device_id_string function then reads the 2-byte big-endian length prefix from the response and trusts it, validating it only with a clamp to the buffer bounds. The buffer is 1024 bytes, allocated at probe time. If a device sends exactly two bytes that claim a 1023-byte ID, the driver exposes stale heap data through the ieee1284_id sysfs attribute and the IOCNR_GET_DEVICE_ID ioctl. Up to 1021 bytes of uninitialized heap data can be leaked, and the device determines the amount.

Impact

Exploitation of this vulnerability leads to a heap memory leak: uninitialized heap data is exposed to user space, potentially allowing for further exploitation or information disclosure.

Reproduction

To reproduce this vulnerability, use a broken printer that can send a short response during the GET_DEVICE_ID control transfer. The usblp driver will not be able to detect the incomplete transfer, leading to a heap leak. This can be verified by checking the ieee1284_id sysfs attribute or using the IOCNR_GET_DEVICE_ID ioctl, both of which will expose the stale heap data.

Remediation

The vulnerability has been fixed by clearing the device_id_string buffer with zeros before each request to the printer. Users should update to the latest version of the Linux kernel where this fix has been applied.
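The flaw and the fix described above, modelled in user-space C as an added example (this is not the kernel's code). The function names, the 0xAA marker standing in for stale heap contents, and the exact clamp behaviour are assumptions of the model; the buffer size and the two-byte reply come from the advisory.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ID_BUF_SIZE 1024 /* buffer size stated in the advisory */
#define STALE 0xAA       /* constructed marker standing in for old heap contents */

/* Constructed short reply: only the 2-byte big-endian prefix, claiming 1023 bytes. */
static size_t short_device_reply(uint8_t *buf)
{
    buf[0] = 0x03;
    buf[1] = 0xFF;
    return 2; /* bytes actually transferred */
}

/* Model of the caching step. zero_first = 1 applies the remediation. */
static size_t cache_device_id(uint8_t *buf, int zero_first)
{
    size_t len;

    if (zero_first)
        memset(buf, 0, ID_BUF_SIZE);
    (void)short_device_reply(buf); /* transfer count dropped, as in the flaw */
    len = ((size_t)buf[0] << 8) | buf[1];
    if (len < 2) /* assumed clamp: the prefix counts itself */
        len = 2;
    else if (len >= ID_BUF_SIZE)
        len = ID_BUF_SIZE - 1;
    buf[len] = '\0';
    return len; /* length handed to sysfs/ioctl readers */
}

/* Count stale bytes inside the region user space would be given. */
static size_t stale_bytes_exposed(int zero_first)
{
    static uint8_t buf[ID_BUF_SIZE];
    size_t i, n = 0, len;

    memset(buf, STALE, sizeof(buf)); /* simulate a recycled allocation */
    len = cache_device_id(buf, zero_first);
    for (i = 2; i < len; i++)
        n += (buf[i] == STALE);
    return n;
}

int main(void)
{
    printf("without zeroing: %zu stale bytes\n", stale_bytes_exposed(0));
    printf("with zeroing:    %zu stale bytes\n", stale_bytes_exposed(1));
    return 0;
}
```

Run as written, the first count is 1021 and the second is 0, matching the advisory's upper bound on leaked bytes.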

Added: May 28, 2026, 3:46 PM
Updated: May 28, 2026, 3:46 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 0.6
exploitability: 2.9
remediation: 7.7
relevance: 9.2
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.