VYPR
Unrated severity · NVD Advisory · Published Dec 30, 2025 · Updated Apr 15, 2026

CVE-2022-50876

Description

In the Linux kernel, the following vulnerability has been resolved:

usb: musb: Fix musb_gadget.c rxstate overflow bug

The usb function device call musb_gadget_queue() adds the passed request to musb_ep::req_list. If (request->length > musb_ep->packet_sz) and (is_buffer_mapped(req) returns false), rxstate() will copy all data in the FIFO to request->buf, which may cause request->buf to go out of bounds.

Fix it by adding the length check: fifocnt = min_t(unsigned, request->length - request->actual, fifocnt);

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

In the Linux kernel's USB musb gadget, a missing length check in rxstate() can cause a buffer overflow when request->length exceeds musb_ep->packet_sz.

Root Cause

The vulnerability resides in the musb_gadget.c file of the Linux kernel's USB MUSB (Multi-function USB Peripheral Controller) driver. When musb_gadget_queue() adds a USB request to musb_ep::req_list, if request->length > musb_ep->packet_sz and is_buffer_mapped(req) returns false, the rxstate() function copies all data from the FIFO into request->buf without checking that the buffer can hold the incoming data [1][2][3]. This results in an out-of-bounds write on request->buf.

Exploitation

An attacker with physical USB access or the ability to send crafted USB control/transfer requests to a device using the affected MUSB driver can trigger this flaw. No special privileges are required beyond the ability to interact with the USB peripheral interface, making the attack surface accessible to unauthenticated users in proximity.

Impact

Successful exploitation leads to a buffer overflow, which can corrupt kernel memory. This may cause a system crash (denial of service) or, under specific conditions, allow an attacker to execute arbitrary code in the kernel context, compromising the entire system.

Mitigation

The fix adds a length check: fifocnt = min_t(unsigned, request->length - request->actual, fifocnt), ensuring that no more data is copied than the remaining buffer space allows [1][2][3]. Users should apply the stable kernel updates containing this commit.
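A user-space model of the length check described above, added here as an illustration; it is not taken from the kernel source or the fix commit. The struct, function names, packet size and buffer sizes are constructed assumptions, and only the clamp expression mirrors the advisory.

```c
#include <stdio.h>
#include <string.h>

#define PACKET_SZ 8u  /* constructed endpoint packet size */
/* Hypothetical user-space stand-in for the request fields the advisory names. */
struct model_request {
    unsigned char *buf;
    unsigned length;   /* capacity of buf */
    unsigned actual;   /* bytes received so far */
};

/* Bytes an unclamped copy of fifocnt would write past buf (0 means it fits). */
static unsigned overrun_if_unchecked(const struct model_request *r, unsigned fifocnt)
{
    unsigned room = r->length - r->actual;
    return fifocnt > room ? fifocnt - room : 0;
}

/* Copy with the fix applied: fifocnt = min(length - actual, fifocnt). */
static unsigned rx_copy_checked(struct model_request *r,
                                const unsigned char *fifo, unsigned fifocnt)
{
    unsigned room = r->length - r->actual;
    if (fifocnt > room) fifocnt = room;
    memcpy(r->buf + r->actual, fifo, fifocnt);
    r->actual += fifocnt;
    return fifocnt;
}

/* Constructed case: 12-byte request, two full 8-byte packets; returns the guard byte. */
static unsigned char run_demo(unsigned *overrun, unsigned *copied2)
{
    unsigned char storage[12 + 1];
    unsigned char fifo[PACKET_SZ];
    struct model_request r = { storage, 12, 0 };
    memset(fifo, 0x41, sizeof fifo);
    storage[12] = 0xA5;                               /* guard byte after the buffer */
    rx_copy_checked(&r, fifo, PACKET_SZ);             /* packet 1: fits entirely */
    *overrun = overrun_if_unchecked(&r, PACKET_SZ);   /* packet 2 without the check */
    *copied2 = rx_copy_checked(&r, fifo, PACKET_SZ);  /* packet 2 with the check */
    return storage[12];
}

int main(void)
{
    unsigned overrun, copied2;
    unsigned char guard = run_demo(&overrun, &copied2);
    printf("unchecked overrun=%u, checked copy=%u, guard=0x%02X\n", overrun, copied2, guard);
}
```

The second packet is where the condition from the description bites: the request is longer than one packet, so the first read succeeds and the overrun only appears once `actual` has advanced.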

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 9

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 9
