A vulnerability (CVE-2021-39685) has been identified in USB Gadget, a Linux kernel subsystem whose API provides a software interface for creating client-side USB devices and emulating USB devices. The vulnerability can lead to kernel information leakage, a kernel crash, or arbitrary code execution at the kernel level. The attack is carried out by an unprivileged local user by manipulating various device classes implemented on top of the USB Gadget API, such as rndis, hid, uac1, uac1_legacy, and uac2.
The issue has been fixed in the recently published kernel updates: Linux 5.15.8, 5.10.85, 5.4.165, 4.19.221, 4.14.258, 4.9.293 and 4.4.295. The problem remains unfixed in the distributions (Debian, Ubuntu, RHEL, SUSE, Fedora, Arch). A prototype exploit has been prepared to demonstrate the vulnerability.
The problem is caused by a buffer overflow in the data transfer request handlers of the rndis, hid, uac1, uac1_legacy, and uac2 gadget drivers. By exploiting it, an unprivileged attacker can gain access to kernel memory by sending a specially crafted control request whose wLength field exceeds the size of the static buffer, for which 4096 bytes are always allocated (USB_COMP_EP0_BUFSIZ). During the attack, an unprivileged user-space process can read or write up to 65 KB of data in kernel memory.
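The bug class described above, as an added example that is a constructed model rather than the kernel's own driver code or its fix: a stripped-down EP0 OUT-request handler with and without a bound on wLength, run on two constructed SETUP packets. Only USB_COMP_EP0_BUFSIZ comes from the text; `struct setup_pkt`, `parse_setup`, `handle_out_unchecked`, `handle_out_checked`, `run`, `RC_OVERFLOW` and the packet bytes are assumptions made here.

```c
/* Constructed model of a USB gadget EP0 control-request handler; not kernel code. */
#include <stdint.h>
#include <string.h>
#define USB_COMP_EP0_BUFSIZ 4096   /* static EP0 buffer size named in the article */
#define RC_OVERFLOW (-1)           /* constructed return code: request refused */

/* The 8-byte USB SETUP packet, decoded from little-endian wire order. */
struct setup_pkt {
    uint8_t  bRequestType, bRequest;
    uint16_t wValue, wIndex, wLength;   /* wLength is host-controlled, 0..65535 */
};

static void parse_setup(const uint8_t raw[8], struct setup_pkt *s)
{
    s->bRequestType = raw[0]; s->bRequest = raw[1];
    s->wValue  = (uint16_t)(raw[2] | raw[3] << 8);
    s->wIndex  = (uint16_t)(raw[4] | raw[5] << 8);
    s->wLength = (uint16_t)(raw[6] | raw[7] << 8);
}

/* Pre-fix shape of the bug class: wLength is trusted, so the data stage is copied
 * for as many bytes as the host asked. Only called below with a small wLength. */
static int handle_out_unchecked(const struct setup_pkt *s, uint8_t *ep0_buf,
                                const uint8_t *data)
{
    memcpy(ep0_buf, data, s->wLength);
    return s->wLength;
}

/* Hardened shape: compare wLength with the buffer size before any copy. */
static int handle_out_checked(const struct setup_pkt *s, uint8_t *ep0_buf,
                              size_t ep0_len, const uint8_t *data)
{
    if (s->wLength > ep0_len) return RC_OVERFLOW;   /* stall EP0 rather than overflow */
    memcpy(ep0_buf, data, s->wLength);
    return s->wLength;
}

/* Constructed SETUP packets: vendor-type OUT requests with an arbitrary code. */
static const uint8_t SETUP_OVERSIZED[8] = {0x40, 1, 0, 0, 0, 0, 0xFF, 0xFF}; /* 65535 */
static const uint8_t SETUP_NORMAL[8]    = {0x40, 1, 0, 0, 0, 0, 0x18, 0x00}; /* 24 */
/* Feed one SETUP packet to either handler; returns the handler's result. */
static int run(const uint8_t raw[8], int hardened)
{
    static uint8_t ep0_buf[USB_COMP_EP0_BUFSIZ], data[USB_COMP_EP0_BUFSIZ];
    struct setup_pkt s;
    parse_setup(raw, &s);
    return hardened ? handle_out_checked(&s, ep0_buf, sizeof ep0_buf, data)
                    : handle_out_unchecked(&s, ep0_buf, data);
}
```

The unchecked handler is never run with the oversized packet here, since that copy is the overflow itself; the checked handler refuses it and still serves the 24-byte request.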
Source: opennet.ru
