Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A vulnerability in the Linux kernel's USB audio driver for the Edirol UA-101 device can lead to a kernel crash. This issue arises from a division by zero error in the URB (USB Request Block) completion handlers. The root cause is a missing sanity check for the 'bNrChannels' field in the USB format detection function. When a device reports zero channels, it creates a scenario where the frame bytes calculation results in zero, which is then improperly used as a divisor, causing a crash. The USB core does not validate this class-specific descriptor, leaving it to drivers to ensure its correctness before use.
Exploitation of this vulnerability causes a kernel crash, disrupting system operations and potentially leading to a denial of service.
To reproduce this vulnerability, connect an Edirol UA-101 device that reports zero channels in its class-specific descriptor. The zero channel count makes the frame bytes calculation result in zero, which triggers the division by zero error in the USB audio driver's completion handlers and causes a kernel crash.
Users can update to the latest version of the Linux kernel where this vulnerability has been addressed. Instructions for updating the kernel can be found in the documentation for the specific Linux distribution in use.
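The missing sanity check described above, sketched as a user-space C model. This is an added example, not the kernel driver's code or the upstream patch; the struct layouts, function names and the `bSubframeSize` factor are assumptions for illustration, and only `bNrChannels` and the frame bytes divisor come from the description.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical, simplified view of the class-specific format descriptor. */
struct fmt_desc {
    uint8_t bNrChannels;   /* channel count as reported by the device */
    uint8_t bSubframeSize; /* bytes per sample (assumed second factor) */
};

struct stream {
    unsigned int frame_bytes; /* bytes per audio frame; used as a divisor */
};

/* Format detection: reject descriptors that would make frame_bytes zero. */
int detect_format(const struct fmt_desc *d, struct stream *s)
{
    if (d->bNrChannels == 0 || d->bSubframeSize == 0)
        return -EINVAL; /* refuse to bind instead of crashing later */
    s->frame_bytes = (unsigned int)d->bNrChannels * d->bSubframeSize;
    return 0;
}

/* Completion-handler arithmetic: frames contained in a received packet. */
unsigned int frames_in_packet(const struct stream *s, unsigned int len)
{
    return len / s->frame_bytes; /* safe only because detect_format validated */
}

/* Probe-then-complete path: frames per packet, or a negative errno. */
long probe_and_count(uint8_t channels, uint8_t subframe, unsigned int len)
{
    struct fmt_desc d = { channels, subframe };
    struct stream s = { 0 };
    int err = detect_format(&d, &s);

    return err ? err : (long)frames_in_packet(&s, len);
}

int main(void)
{
    /* Constructed inputs: a sane descriptor and one reporting zero channels. */
    printf("2 ch x 3 bytes, 48-byte packet: %ld frames\n", probe_and_count(2, 3, 48));
    printf("0 ch x 3 bytes, 48-byte packet: %ld\n", probe_and_count(0, 3, 48));
    return 0;
}
```

Rejecting the descriptor at detection time keeps the divisor invariant in one place, so the per-packet completion path needs no extra branch.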