Linux USB Audio Driver Vulnerability Exploited by Malicious USB Devices in the Wild

A critical vulnerability in the USB audio driver of the Linux kernel can lead to out-of-bounds memory reads. It has been patched by Takashi Iwai from SUSE. An attacker with physical access to the system could use a malicious USB device to escalate privileges, tamper with system memory, or execute arbitrary code.

The fix submitted by Greg Kroah-Hartman of the Linux Foundation on December 14, 2024, significantly enhances the stability and security of drivers using USB audio devices.


01 Attack Principle

The vulnerability is triggered when the bLength value in a descriptor supplied by the USB audio device is smaller than the size of the structure the driver expects. The driver's original code assumed the descriptor was complete and read fields such as the clock ID or the pin array without checking that bLength covered them.

If the descriptor is truncated, whether by a hardware defect or by deliberate tampering, the driver reads past the end of the memory that holds the descriptor and into adjacent memory that does not belong to it. Such an out-of-bounds read can leak sensitive kernel memory (for example pointers or user data) or crash the system when an invalid address is touched.

In the worst-case scenario, a skilled attacker could combine this with other vulnerabilities to achieve privilege escalation or arbitrary code execution, but such attacks require precise control over the USB device and the presence of other vulnerabilities.

02 Security Enhancements

This vulnerability arises because the driver did not validate the bLength field of the clock descriptors provided by the USB audio device. Without that check, a malformed or maliciously constructed descriptor with an insufficient length could trigger out-of-bounds memory access, leading to system crashes or further attacks.

The patch (commit ab011f7439d9bbfd34fd3b9cef4b2d6d952c9bb9) introduces strict integrity checks in the clock descriptor validation function. Although it modifies only 24 lines of code in the sound/usb/clock.c file, it has significant implications for enthusiasts, developers, and businesses relying on Linux for audio processing.

The vulnerability was initially reported by Benoît Sevens from Google, and the patch has been backported to the stable kernel branch to ensure that users of various distributions can benefit from the security enhancements. The clock selector descriptor (which includes variable-length arrays and additional fields) has undergone more comprehensive validation for USB Audio Class (UAC) versions 2 and 3.
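To make the bLength check concrete for both the clock source descriptor discussed under "Attack Principle" and the variable-length clock selector mentioned above, here is an added, self-contained C example. It is not the kernel's code from sound/usb/clock.c; it reimplements the same idea in user space with the UAC2 descriptor layouts (an 8-byte clock source; a 5-byte selector header followed by bNrInPins source IDs and two trailing bytes), and the sample descriptor blob is constructed for the example. The validators refuse any descriptor whose bLength is shorter than the fields that will be read from it, which is exactly the situation the original driver did not handle.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define UAC_CS_INTERFACE    0x24  /* class-specific interface descriptor type */
#define UAC2_CLOCK_SOURCE   0x0a  /* descriptor subtype: clock source */
#define UAC2_CLOCK_SELECTOR 0x0b  /* descriptor subtype: clock selector */

/* UAC2 clock source descriptor: 8 bytes on the wire, packed to match. */
struct __attribute__((packed)) uac2_clock_source_desc {
    uint8_t bLength;
    uint8_t bDescriptorType;
    uint8_t bDescriptorSubtype;
    uint8_t bClockID;
    uint8_t bmAttributes;
    uint8_t bmControls;
    uint8_t bAssocTerminal;
    uint8_t iClockSource;
};

/* Clock selector: fixed 5-byte header (bLength, type, subtype, bClockID,
 * bNrInPins), then bNrInPins source IDs, then bmControls and iClockSelector. */
#define UAC2_SELECTOR_HDR  5
#define UAC2_SELECTOR_TAIL 2

/* 1 if a clock source descriptor at d can be read in full, 0 otherwise.
 * 'avail' is the number of bytes left in the buffer starting at d. */
int clock_source_valid(const uint8_t *d, size_t avail)
{
    const struct uac2_clock_source_desc *p = (const struct uac2_clock_source_desc *)d;
    if (avail < 1 || d[0] > avail)      /* descriptor would run past the buffer */
        return 0;
    if (d[0] < sizeof(*p))              /* the missing check: bLength too small for the struct */
        return 0;
    return p->bDescriptorType == UAC_CS_INTERFACE &&
           p->bDescriptorSubtype == UAC2_CLOCK_SOURCE;
}

/* Same for a clock selector; the required length depends on bNrInPins,
 * which is itself device-controlled, so it must be recomputed per descriptor. */
int clock_selector_valid(const uint8_t *d, size_t avail)
{
    if (avail < UAC2_SELECTOR_HDR || d[0] > avail)
        return 0;
    size_t need = UAC2_SELECTOR_HDR + (size_t)d[4] + UAC2_SELECTOR_TAIL;
    if (d[0] < need)                    /* pin array plus trailing fields exceed bLength */
        return 0;
    return d[1] == UAC_CS_INTERFACE && d[2] == UAC2_CLOCK_SELECTOR;
}

/* Walk a blob of class-specific descriptors and return the byte offset of the
 * clock source whose bClockID equals 'id'. Truncated clock sources are treated
 * as absent instead of being read; returns -1 if not found or the blob is
 * malformed. */
int find_clock_source(const uint8_t *blob, size_t len, uint8_t id)
{
    size_t off = 0;
    while (off + 3 <= len) {            /* need at least bLength, type, subtype */
        const uint8_t *d = blob + off;
        uint8_t blen = d[0];
        if (blen < 3 || off + blen > len)   /* a zero bLength would never advance */
            return -1;
        if (d[1] == UAC_CS_INTERFACE && d[2] == UAC2_CLOCK_SOURCE &&
            clock_source_valid(d, len - off) && d[3] == id)
            return (int)off;
        off += blen;
    }
    return -1;
}

/* Constructed sample blob (not captured from a real device): a complete clock
 * source (ID 1), a truncated clock source (ID 2, bLength 4 instead of 8), and
 * a clock selector (ID 3) that claims 2 input pins but is only 7 bytes long
 * where 5 + 2 + 2 = 9 are needed. */
static const uint8_t sample_blob[] = {
    8, 0x24, 0x0a, 1, 0x01, 0x03, 0x00, 0x00,
    4, 0x24, 0x0a, 2,
    7, 0x24, 0x0b, 3, 2, 1, 0,
};

/* Constructed well-formed selector with 2 pins: bLength 9 covers everything. */
static const uint8_t good_selector[] = { 9, 0x24, 0x0b, 3, 2, 1, 2, 0x03, 0 };

int main(void)
{
    printf("clock source ID 1 at offset %d\n", find_clock_source(sample_blob, sizeof(sample_blob), 1));
    printf("clock source ID 2 at offset %d (truncated, rejected)\n",
           find_clock_source(sample_blob, sizeof(sample_blob), 2));
    printf("short selector valid: %d\n", clock_selector_valid(sample_blob + 12, sizeof(sample_blob) - 12));
    printf("good selector valid:  %d\n", clock_selector_valid(good_selector, sizeof(good_selector)));
    return 0;
}
```

The two bounds in each validator are deliberately separate: the first (bLength not larger than the remaining buffer) protects against reading past the buffer the descriptors were copied into, while the second (bLength not smaller than the fields about to be read) is the check the patch adds and is what stops a short descriptor from causing reads into whatever follows it.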

Users can update their kernels to obtain this patch by downloading linux-ab011f7439d9bbfd34fd3b9cef4b2d6d952c9bb9.tar.gz. This development reflects the Linux community’s ongoing commitment to rapidly fixing vulnerabilities and maintaining system robustness.
