Unrated severityNVD Advisory· Published Mar 22, 2013· Updated Apr 29, 2026
CVE-2013-1860
CVE-2013-1860
Description
Heap-based buffer overflow in the wdm_in_callback function in drivers/usb/class/cdc-wdm.c in the Linux kernel before 3.8.4 allows physically proximate attackers to cause a denial of service (system crash) or possibly execute arbitrary code via a crafted cdc-wdm USB device.
Affected products
4cpe:2.3:o:canonical:ubuntu_linux:10.04:*:*:*:-:*:*:*+ 2 more
- cpe:2.3:o:canonical:ubuntu_linux:10.04:*:*:*:-:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:-:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:12.10:*:*:*:*:*:*:*
Patches
1c0f5ecee4e74USB: cdc-wdm: fix buffer overflow
1 file changed · +20 −3
drivers/usb/class/cdc-wdm.c+20 −3 modified@@ -56,6 +56,7 @@ MODULE_DEVICE_TABLE (usb, wdm_ids); #define WDM_RESPONDING 7 #define WDM_SUSPENDING 8 #define WDM_RESETTING 9 +#define WDM_OVERFLOW 10 #define WDM_MAX 16 @@ -155,6 +156,7 @@ static void wdm_in_callback(struct urb *urb) { struct wdm_device *desc = urb->context; int status = urb->status; + int length = urb->actual_length; spin_lock(&desc->iuspin); clear_bit(WDM_RESPONDING, &desc->flags); @@ -185,9 +187,17 @@ static void wdm_in_callback(struct urb *urb) } desc->rerr = status; - desc->reslength = urb->actual_length; - memmove(desc->ubuf + desc->length, desc->inbuf, desc->reslength); - desc->length += desc->reslength; + if (length + desc->length > desc->wMaxCommand) { + /* The buffer would overflow */ + set_bit(WDM_OVERFLOW, &desc->flags); + } else { + /* we may already be in overflow */ + if (!test_bit(WDM_OVERFLOW, &desc->flags)) { + memmove(desc->ubuf + desc->length, desc->inbuf, length); + desc->length += length; + desc->reslength = length; + } + } skip_error: wake_up(&desc->wait); @@ -435,6 +445,11 @@ static ssize_t wdm_read rv = -ENODEV; goto err; } + if (test_bit(WDM_OVERFLOW, &desc->flags)) { + clear_bit(WDM_OVERFLOW, &desc->flags); + rv = -ENOBUFS; + goto err; + } i++; if (file->f_flags & O_NONBLOCK) { if (!test_bit(WDM_READ, &desc->flags)) { @@ -478,6 +493,7 @@ static ssize_t wdm_read spin_unlock_irq(&desc->iuspin); goto retry; } + if (!desc->reslength) { /* zero length read */ dev_dbg(&desc->intf->dev, "%s: zero length - clearing WDM_READ\n", __func__); clear_bit(WDM_READ, &desc->flags); @@ -1004,6 +1020,7 @@ static int wdm_post_reset(struct usb_interface *intf) struct wdm_device *desc = wdm_find_device(intf); int rv; + clear_bit(WDM_OVERFLOW, &desc->flags); clear_bit(WDM_RESETTING, &desc->flags); rv = recover_from_urb_loss(desc); mutex_unlock(&desc->wlock);
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
15- github.com/torvalds/linux/commit/c0f5ecee4e741667b2493c742b60b6218d40b3aanvdExploitPatchVendor Advisory
- git.kernel.orgnvdVendor Advisory
- rhn.redhat.com/errata/RHSA-2014-0328.htmlnvdThird Party Advisory
- rhn.redhat.com/errata/RHSA-2014-0339.htmlnvdThird Party Advisory
- www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.8.4nvdVendor Advisory
- www.openwall.com/lists/oss-security/2013/03/15/3nvdMailing ListThird Party Advisory
- www.securityfocus.com/bid/58510nvdThird Party AdvisoryVDB Entry
- www.ubuntu.com/usn/USN-1809-1nvdThird Party Advisory
- www.ubuntu.com/usn/USN-1811-1nvdThird Party Advisory
- www.ubuntu.com/usn/USN-1812-1nvdThird Party Advisory
- www.ubuntu.com/usn/USN-1813-1nvdThird Party Advisory
- www.ubuntu.com/usn/USN-1814-1nvdThird Party Advisory
- www.ubuntu.com/usn/USN-1829-1nvdThird Party Advisory
- bugzilla.redhat.com/show_bug.cginvdIssue TrackingThird Party Advisory
- www.mandriva.com/security/advisoriesnvdBroken Link
News mentions
0No linked articles in our index yet.