Linux USB Audio Driver Vulnerability Exploited by Malicious USB Devices in the Wild

A critical vulnerability exists in the USB audio driver of the Linux kernel that may lead to out-of-bounds memory reads. This vulnerability has been patched by Takashi Iwai from SUSE. If an attacker gains physical access to the system, they can use a malicious USB device to achieve privilege escalation, tamper with system memory, or execute arbitrary code.

The Linux Foundation’s Greg Kroah-Hartman submitted a patch on December 14, 2024, which significantly enhances the stability and security of drivers using USB audio devices.


01 Attack Principle

The vulnerability is triggered when the bLength value in the descriptor provided by the USB audio device is less than the expected structure size. The original code in the driver blindly assumes the descriptor is complete and attempts to read fields such as its clock ID or pin array.

If the descriptor is truncated, whether through a hardware defect or deliberate tampering, the driver may read past the end of the allocated buffer into adjacent kernel memory. This out-of-bounds read could leak sensitive data from kernel memory (such as pointers or user information) or crash the system by touching an invalid memory address.

In the worst-case scenario, a skilled attacker could combine this with other vulnerabilities to achieve privilege escalation or arbitrary code execution, but such attacks require precise control over the USB device and the presence of other vulnerabilities.

02 Security Enhancements

This vulnerability arises from the driver not validating the bLength field of the clock descriptor provided by the USB audio device. Without that check, a malformed or maliciously constructed descriptor with an insufficient length could trigger out-of-bounds memory access, leading to a system crash or exploitation.

The patch (commit ab011f7439d9bbfd34fd3b9cef4b2d6d952c9bb9) introduces strict integrity checks in the clock descriptor validation function. Although it only modifies 24 lines of code in the sound/usb/clock.c file, it has a significant impact on enthusiasts, developers, and businesses relying on Linux for audio processing.

The vulnerability was initially reported by Benoît Sevens from Google, and the patch has been backported to the stable kernel branch to ensure that users of various distributions can benefit from the security enhancements. The clock selector descriptor (which includes variable-length arrays and additional fields) has undergone more comprehensive validation for USB Audio Class (UAC) versions 2 and 3.
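The following C program is an added example, not code from the kernel or from the patch, illustrating the bLength check described in the attack principle and security enhancement sections above: a clock descriptor is accepted only if its claimed length covers every field the driver will read, including the variable-length pin array of a clock selector. The descriptor layout, subtype values and sample bytes are simplified assumptions modeled on the UAC2 format, not taken from the page.

```c
#include <stddef.h>
#include <stdint.h>

/* Simplified UAC2 clock descriptor layout, assumed for this example (the
 * kernel's real definitions live in include/linux/usb/audio-v2.h). */
#define UAC2_CLOCK_SOURCE    0x0a   /* bDescriptorSubtype values */
#define UAC2_CLOCK_SELECTOR  0x0b
#define OFF_CLOCK_ID    3           /* bClockID, both subtypes */
#define OFF_NR_IN_PINS  4           /* selector only: number of input pins */
#define OFF_PIN_ARRAY   5           /* selector only: baCSourceID[bNrInPins] */
#define CLOCK_SOURCE_LEN 8          /* fixed-size clock source descriptor */

/* Constructed sample descriptors (type 0x24 = CS_INTERFACE); not captured from hardware. */
const uint8_t good_source[]    = {8, 0x24, UAC2_CLOCK_SOURCE, 0x05, 0x01, 0x07, 0x00, 0x00};
const uint8_t short_source[]   = {4, 0x24, UAC2_CLOCK_SOURCE, 0x05};
const uint8_t good_selector[]  = {9, 0x24, UAC2_CLOCK_SELECTOR, 0x09, 2, 0x05, 0x06, 0x03, 0x00};
const uint8_t short_selector[] = {7, 0x24, UAC2_CLOCK_SELECTOR, 0x09, 2, 0x05, 0x06};

/* Returns 1 when every field the driver will read lies inside both the
 * claimed bLength and the bytes actually available in the buffer, else 0. */
int clock_desc_is_valid(const uint8_t *desc, size_t avail)
{
    size_t need;
    if (avail < 3 || desc[0] < 3 || desc[0] > avail)
        return 0;                       /* header itself is not readable */
    switch (desc[2]) {
    case UAC2_CLOCK_SOURCE:
        need = CLOCK_SOURCE_LEN;
        break;
    case UAC2_CLOCK_SELECTOR:
        if (desc[0] <= OFF_NR_IN_PINS)
            return 0;                   /* bNrInPins itself is missing */
        /* header + one byte per pin + bmControls + iClockSelector */
        need = OFF_PIN_ARRAY + desc[OFF_NR_IN_PINS] + 2;
        break;
    default:
        return 0;                       /* not a clock descriptor we handle */
    }
    return desc[0] >= need;
}

/* The unchecked driver path read desc[OFF_CLOCK_ID] unconditionally; this
 * hardened version refuses truncated descriptors and returns -1 instead. */
int read_clock_id(const uint8_t *desc, size_t avail)
{
    if (!clock_desc_is_valid(desc, avail))
        return -1;
    return desc[OFF_CLOCK_ID];
}
```

The check also rejects a descriptor whose bLength claims more bytes than the buffer actually holds, which is the other direction in which a crafted device can lie about its length.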

Users can update their kernels to obtain this patch by downloading linux-ab011f7439d9bbfd34fd3b9cef4b2d6d952c9bb9.tar.gz. This development reflects the Linux community’s ongoing commitment to rapidly fixing vulnerabilities and maintaining system robustness.
