CVE-2016-20022
Description
In the Linux kernel before 4.8, usb_parse_endpoint in drivers/usb/core/config.c does not validate the wMaxPacketSize field of an endpoint descriptor. NOTE: This vulnerability only affects products that are no longer supported by the supplier.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Lack of wMaxPacketSize validation in the Linux kernel USB subsystem before 4.8 allows local attackers to cause a denial of service via kernel panic.
Vulnerability
Description
The Linux kernel before version 4.8 contains a vulnerability in the USB subsystem, specifically in usb_parse_endpoint within drivers/usb/core/config.c. The function fails to validate the wMaxPacketSize field of USB endpoint descriptors, allowing a malicious USB device to advertise an excessively large maximum packet size. This oversight can lead to memory corruption or resource exhaustion when the kernel attempts to allocate resources based on the invalid value [1].
Exploitation
Scenario
An attacker with physical access to the system can exploit this by connecting a crafted USB device, such as a HID keyboard emulated via tools like Facedancer and UMAP. For example, when the OHCI (USB 1.1) controller driver processes a device claiming to be a HID keyboard with a wMaxPacketSize over 4095, the driver fails to reserve bandwidth properly. This can trigger a kernel panic later when the device is removed, due to a null pointer dereference in a linked list of endpoint descriptors [2].
Impact
Successful exploitation results in a denial of service (system crash) via kernel panic. The CVE description and references note that no pointer disclosure or privilege escalation is achieved, but the impact is local system unavailability. Systems using OHCI controllers (common in USB 1.1/2.0 hardware) are affected, while xHCI (USB 3.0) controllers are immune to this specific bug [2].
Mitigation
The fix, Linux kernel commit aed9d65ac3278d4febd8665bd7db59ef53e825fe, adds tables of the maximum allowed packet size per endpoint type and bus speed (low, full, high and super speed), so that wMaxPacketSize is checked against the legal maximum and invalid descriptors are rejected [1]. Users should upgrade to Linux kernel 4.8 or later. The vendor notes that this vulnerability only affects products that are no longer supported, implying that long-term supported kernel branches may already include or backport the fix.
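As an added illustration (my own code, not the kernel's and not taken from the references), the check the fix introduces can be modelled as a lookup of the legal maximum by bus speed and transfer type; the table values are the USB specification limits as I know them, and the enum names, the function and the sample descriptor value are assumptions of this example:

```c
#include <stdint.h>
#include <stdio.h>

/* Transfer type from bmAttributes bits 1:0, and bus speed (names are my own) */
enum xfer { XFER_CONTROL = 0, XFER_ISOC = 1, XFER_BULK = 2, XFER_INT = 3 };
enum speed { SPEED_LOW = 0, SPEED_FULL = 1, SPEED_HIGH = 2, SPEED_SUPER = 3 };

/* Largest legal wMaxPacketSize per speed and type (USB spec limits; 0 = not allowed) */
static const uint16_t maxpacket_maxes[4][4] = {
    [SPEED_LOW]   = { [XFER_CONTROL] = 8,   [XFER_ISOC] = 0,    [XFER_BULK] = 0,    [XFER_INT] = 8    },
    [SPEED_FULL]  = { [XFER_CONTROL] = 64,  [XFER_ISOC] = 1023, [XFER_BULK] = 64,   [XFER_INT] = 64   },
    [SPEED_HIGH]  = { [XFER_CONTROL] = 64,  [XFER_ISOC] = 1024, [XFER_BULK] = 512,  [XFER_INT] = 1024 },
    [SPEED_SUPER] = { [XFER_CONTROL] = 512, [XFER_ISOC] = 1024, [XFER_BULK] = 1024, [XFER_INT] = 1024 },
};

/*
 * Sanitize a raw wMaxPacketSize. Bits 12:11 (extra transactions per
 * microframe) are legal only on high-speed interrupt/isochronous endpoints
 * and are preserved there; anywhere else they stay in the compared value,
 * so a field such as 0x1000 (4096) exceeds every limit and is clamped.
 * Returns the value to use; *clamped is set when the descriptor was invalid,
 * which is the point at which a driver can refuse the endpoint.
 */
uint16_t sanitize_wmaxpacketsize(uint16_t raw, enum speed sp, enum xfer type, int *clamped)
{
    uint16_t limit = maxpacket_maxes[sp][type];
    uint16_t mult = 0;
    uint16_t maxp = raw;

    if (sp == SPEED_HIGH && (type == XFER_INT || type == XFER_ISOC)) {
        mult = raw & 0x1800;
        maxp = (uint16_t)(raw & ~mult);
    }

    *clamped = 0;
    if (maxp > limit) {
        maxp = limit;
        *clamped = 1;
    }
    return (uint16_t)(mult | maxp);
}

int main(void)
{
    /* Constructed sample: the page's scenario, a full-speed HID interrupt
       endpoint whose descriptor claims wMaxPacketSize = 4096 */
    int clamped;
    uint16_t v = sanitize_wmaxpacketsize(4096, SPEED_FULL, XFER_INT, &clamped);
    printf("full-speed INT: raw 4096 -> %u (%s)\n", v, clamped ? "clamped" : "ok");
    return 0;
}
```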
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (7)
- Linux kernel (git range): v2.6.12-rc2, v2.6.12-rc3, v2.6.12-rc4, …
- SUSE Linux Enterprise Server 11 SP4 LTSS EXTREME CORE, versions < 3.0.101-108.159.1 (no CPE assigned), for the packages:
  - pkg:rpm/suse/kernel-default
  - pkg:rpm/suse/kernel-ec2
  - pkg:rpm/suse/kernel-source
  - pkg:rpm/suse/kernel-syms
  - pkg:rpm/suse/kernel-trace
  - pkg:rpm/suse/kernel-xen
Patches (2)
- c8d2bc9bc39e
- aed9d65ac327
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (3)
News mentions (0)
No linked articles in our index yet.