A vulnerability (CVE-2021-39685) has been identified in USB Gadget, a subsystem of the Linux kernel that provides a programming interface for creating client USB devices and for software simulation of USB devices. It can lead to a kernel memory leak, a crash, or arbitrary code execution at the kernel level. The attack is carried out by an unprivileged local user through manipulation of various device classes implemented on top of the USB Gadget API, such as rndis, hid, uac1, uac1_legacy, and uac2.
The problem has been fixed in the Linux kernel updates 5.15.8, 5.10.85, 5.4.165, 4.19.221, 4.14.258, 4.9.293 and 4.4.295, published the other day. In distributions the problem remains unresolved (Debian, Ubuntu, RHEL, SUSE, Fedora, Arch). An exploit prototype has been prepared to demonstrate the vulnerability.
The problem is caused by a buffer overflow in the transfer request handlers of the rndis, hid, uac1, uac1_legacy, and uac2 gadget drivers. By sending a specially crafted control request whose wLength field exceeds the size of the static buffer, for which 4096 bytes (USB_COMP_EP0_BUFSIZ) are always allocated, an unprivileged attacker can gain access to kernel memory. Because wLength is a 16-bit field, an attack can read or write up to 65 KB of data in kernel memory from an unprivileged process in user space.
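To make the bug shape concrete, here is an added stand-alone model (not code from the kernel or from the exploit) of a gadget setup handler that trusts wLength next to a gated version. The gate is modelled on the upstream fix as the author understands it (assumption: oversized IN requests are clamped to USB_COMP_EP0_BUFSIZ, oversized OUT requests are stalled); struct and function names are assumed, and the descriptor bytes are constructed.

```c
#include <stdint.h>
#include <string.h>

#define USB_COMP_EP0_BUFSIZ 4096   /* fixed ep0 buffer size, as on the page */
#define USB_DIR_IN          0x80   /* bRequestType bit: device-to-host */

/* Stand-in for the kernel's struct usb_ctrlrequest (field names assumed). */
struct ctrlreq {
    uint8_t  bRequestType;
    uint8_t  bRequest;
    uint16_t wValue;
    uint16_t wIndex;
    uint16_t wLength;   /* 16 bits wide: a host may ask for up to 65535 bytes */
};

/* The fixed-size ep0 buffer that the overflow described above writes past. */
static uint8_t ep0_buf[USB_COMP_EP0_BUFSIZ];

/* Constructed sample payload a class driver would return for an IN request. */
static const uint8_t sample_desc[] = { 0x05, 0x01, 0x09, 0x06, 0xa1, 0x01, 0xc0 };

/* Vulnerable shape: wLength is passed straight to the write into ep0_buf with
 * no bound against USB_COMP_EP0_BUFSIZ. Shown only to illustrate the defect;
 * with wLength > 4096 this corrupts memory, so it is never called that way. */
int setup_unchecked(const struct ctrlreq *req)
{
    size_t n = req->wLength;
    memset(ep0_buf, 0, n);      /* n is attacker-controlled and unbounded */
    return (int)n;
}

/* Hardened gate: returns the length that may safely be used, or -1 to stall.
 * IN transfers are capped (the host simply receives less), OUT transfers that
 * would not fit are refused, so wLength can never exceed the buffer. */
int ep0_check_length(struct ctrlreq *req)
{
    uint16_t w_length = req->wLength;
    if (w_length > USB_COMP_EP0_BUFSIZ) {
        if (!(req->bRequestType & USB_DIR_IN))
            return -1;                          /* too much data from the host */
        req->wLength = USB_COMP_EP0_BUFSIZ;     /* cap what we will send back */
        w_length = USB_COMP_EP0_BUFSIZ;
    }
    return w_length;
}

/* Class-driver handler built on the gate; also bounds by the payload size. */
int setup_checked(struct ctrlreq *req)
{
    int len = ep0_check_length(req);
    if (len < 0)
        return -1;
    if ((size_t)len > sizeof(sample_desc))
        len = (int)sizeof(sample_desc);
    memcpy(ep0_buf, sample_desc, (size_t)len);
    return len;
}
```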