Vulnerability in the USB Gadget subsystem of the Linux kernel, potentially allowing code execution

A vulnerability (CVE-2021-39685) has been identified in USB Gadget, a subsystem of the Linux kernel that provides a programming interface for creating USB client devices and for software simulation of USB devices. It could lead to a kernel memory leak, a crash, or arbitrary code execution at kernel level. The attack is carried out by an unprivileged local user through the manipulation of various device classes implemented on top of the USB Gadget API, such as rndis, hid, uac1, uac1_legacy and uac2.

The issue has been fixed in Linux kernel updates 5.15.8, 5.10.85, 5.4.165, 4.19.221, 4.14.258, 4.9.293, and 4.4.295 published recently. In distributions, the problem still remains unfixed (Debian, Ubuntu, RHEL, SUSE, Fedora, Arch). An exploit prototype has been prepared to demonstrate the vulnerability.

The problem is caused by a buffer overflow in the control-request handlers of the rndis, hid, uac1, uac1_legacy, and uac2 gadget drivers. By exploiting the vulnerability, an unprivileged attacker can gain access to kernel memory by sending a specially crafted control request whose wLength field exceeds the size of the static buffer, for which a fixed 4096 bytes are always allocated (USB_COMP_EP0_BUFSIZ). During the attack, an unprivileged user-space process can read up to 65 KB of data from, or write up to 65 KB of data into, kernel memory.
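As an added illustration of the bug class described above (this is not the kernel's code and not the actual patch), the stand-alone C model below shows the bounds check a control-request handler needs: any wLength larger than the 4096-byte EP0 buffer is stalled before any copy takes place, for both IN (device-to-host) and OUT (host-to-device) transfers. The structure and function names (setup_packet, gadget_model, handle_setup_hardened, the demo_* functions) are hypothetical, and the request values are constructed; only USB_COMP_EP0_BUFSIZ, the USB_DIR_IN bit and the SETUP packet layout come from the page or the USB specification.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Size of the shared EP0 control buffer, as named on the page. */
#define USB_COMP_EP0_BUFSIZ 4096

/* Bit 7 of bmRequestType: 1 = device-to-host (IN), 0 = host-to-device (OUT). */
#define USB_DIR_IN 0x80

/* Constructed model of the 8-byte USB SETUP packet; field names follow the USB spec. */
struct setup_packet {
    uint8_t  bRequestType;
    uint8_t  bRequest;
    uint16_t wValue;
    uint16_t wIndex;
    uint16_t wLength;   /* 16-bit: a host can ask for up to 65535 bytes */
};

/* Hypothetical gadget state: the fixed-size EP0 buffer plus a blob the device
 * returns for IN requests (e.g. a HID report). Not a kernel structure. */
struct gadget_model {
    uint8_t ep0_buf[USB_COMP_EP0_BUFSIZ];
    const uint8_t *report;
    size_t report_len;
};

#define SETUP_STALL (-1L)

/* Hardened handler (hypothetical name): validate wLength against the buffer
 * size before any copy. Returns the number of bytes staged in ep0_buf, or
 * SETUP_STALL when the request would overflow it. */
long handle_setup_hardened(struct gadget_model *g,
                           const struct setup_packet *ctrl,
                           const uint8_t *host_data)
{
    size_t len = ctrl->wLength;

    /* The check whose absence the advisory describes: without it, a
     * wLength of 65535 drives a memcpy past the 4096-byte buffer. */
    if (len > USB_COMP_EP0_BUFSIZ)
        return SETUP_STALL;

    if (ctrl->bRequestType & USB_DIR_IN) {
        /* device -> host: never send more than we hold or were asked for */
        size_t n = len < g->report_len ? len : g->report_len;
        memcpy(g->ep0_buf, g->report, n);
        return (long)n;
    }

    /* host -> device: host_data must hold at least len bytes (caller's contract) */
    if (host_data == NULL && len > 0)
        return SETUP_STALL;
    memcpy(g->ep0_buf, host_data, len);
    return (long)len;
}

/* Demo 1: a normal 8-byte HID-style GET_REPORT IN request is served. */
long demo_normal_in_request(void)
{
    static const uint8_t report[8] = {1, 2, 3, 4, 5, 6, 7, 8}; /* constructed */
    struct gadget_model g = { .report = report, .report_len = sizeof report };
    struct setup_packet ctrl = { .bRequestType = USB_DIR_IN, .bRequest = 0x01,
                                 .wValue = 0x0100, .wIndex = 0, .wLength = 8 };
    return handle_setup_hardened(&g, &ctrl, NULL);
}

/* Demo 2: an oversized IN request (wLength = 0xFFFF) is stalled, not copied. */
long demo_oversized_in_request(void)
{
    static const uint8_t report[8] = {0};
    struct gadget_model g = { .report = report, .report_len = sizeof report };
    struct setup_packet ctrl = { .bRequestType = USB_DIR_IN, .bRequest = 0x01,
                                 .wValue = 0x0100, .wIndex = 0, .wLength = 0xFFFF };
    return handle_setup_hardened(&g, &ctrl, NULL);
}

/* Demo 3: an oversized OUT request (SET_REPORT-style) is stalled as well. */
long demo_oversized_out_request(void)
{
    static uint8_t host_data[USB_COMP_EP0_BUFSIZ]; /* never read: the check fires first */
    struct gadget_model g = { .report = NULL, .report_len = 0 };
    struct setup_packet ctrl = { .bRequestType = 0x00, .bRequest = 0x09,
                                 .wValue = 0x0200, .wIndex = 0, .wLength = 0xFFFF };
    return handle_setup_hardened(&g, &ctrl, host_data);
}

int main(void)
{
    printf("normal IN request     -> %ld bytes staged\n", demo_normal_in_request());
    printf("oversized IN request  -> %ld (stall)\n", demo_oversized_in_request());
    printf("oversized OUT request -> %ld (stall)\n", demo_oversized_out_request());
    return 0;
}
```

The point to take from the model is the ordering: the length comparison happens once, before the direction-specific branches, so no code path can reach a copy with an unchecked wLength. Reviewing a gadget function driver for this class of bug means finding every place a control request's wLength feeds a copy into the shared EP0 buffer and confirming such a check precedes it.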

Source: opennet.ru