CVE-2023-54110
Description
In the Linux kernel, the following vulnerability has been resolved:
usb: rndis_host: Secure rndis_query check against int overflow
Variables off and len, typed as uint32 in the rndis_query function, are controlled by the incoming RNDIS response message, so their values may be manipulated. Setting off to an unexpectedly large value will cause the sum with len and 8 to overflow and pass the implemented validation step. Consequently, the response pointer will refer to a location past the expected buffer boundaries, allowing information leakage, e.g. via the RNDIS_OID_802_3_PERMANENT_ADDRESS OID.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Integer overflow in Linux kernel's rndis_query allows out-of-bounds read, leaking sensitive data via crafted RNDIS response.
Vulnerability
Description
In the Linux kernel's USB RNDIS host driver (rndis_host), the rndis_query function contains an integer overflow vulnerability. The variables off and len, both of type uint32, are derived from an incoming RNDIS response message and are therefore attacker-controlled. By setting off to an unexpectedly large value, the sum off + len + 8 can overflow a 32-bit integer, bypassing the intended bounds check. This allows the response pointer to reference memory beyond the expected buffer boundaries.
Exploitation
An attacker with the ability to send a malicious RNDIS response to a system using the RNDIS host driver can trigger this vulnerability. No authentication is required if the attacker can communicate with the USB RNDIS device (e.g., via a compromised or malicious USB gadget). The overflow occurs during the validation step, enabling the attacker to cause the driver to read from an arbitrary offset within the response buffer or beyond it.
Impact
Successful exploitation leads to an out-of-bounds read, which can leak sensitive kernel memory. The description specifically mentions information leakage via the RNDIS_OID_802_3_PERMANENT_ADDRESS OID, which could expose the device's MAC address or other data stored adjacent to the intended buffer. This information leakage may aid in further attacks or compromise system privacy.
Mitigation
The vulnerability has been fixed in the Linux kernel stable tree. The commits referenced in [1], [2], [3], and [4] address the issue by adding proper overflow checks. Users should update their kernel to a version containing these fixes. No workaround is available; applying the patch is the recommended course of action.
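The wrapping check described above, next to two overflow-safe ways to write it, as an added example that is not the kernel's code or the code of the fix commits. The buffer size `BUF_SIZE`, the function names and the sample values are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define BUF_SIZE 1025u /* assumed response buffer size, not taken from the page */
#define HDR      8u    /* the constant 8 that is added to off and len */

/* Flawed pattern: the sum is computed in 32 bits, so a large off (or len)
 * wraps it around to a small value that passes the comparison. */
bool check_wrapping(uint32_t off, uint32_t len)
{
    return (uint32_t)(HDR + off + len) <= BUF_SIZE;
}

/* Overflow-safe: compare each field against the space that remains.
 * Every subtraction is guarded, so nothing can wrap below zero. */
bool check_safe(uint32_t off, uint32_t len)
{
    if (off > BUF_SIZE - HDR)
        return false;
    return len <= BUF_SIZE - HDR - off;
}

/* Alternative: widen to 64 bits, where 8 + off + len cannot wrap. */
bool check_wide(uint32_t off, uint32_t len)
{
    return (uint64_t)HDR + off + len <= BUF_SIZE;
}

int main(void)
{
    /* Constructed (off, len) pairs standing in for device-supplied fields. */
    static const uint32_t cases[][2] = {
        { 0u, 6u },                 /* well-formed: 6-byte value at offset 0 */
        { 1017u, 0u },              /* exactly at the end of the buffer */
        { 1017u, 1u },              /* one byte past the end */
        { 0xFFFFFFF0u, 0x10u },     /* sum wraps to 8 */
        { 0u, 0xFFFFFFFFu },        /* sum wraps to 7 */
    };
    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        uint32_t off = cases[i][0], len = cases[i][1];
        printf("off=0x%08x len=0x%08x wrapping=%d safe=%d wide=%d\n",
               (unsigned)off, (unsigned)len, check_wrapping(off, len),
               check_safe(off, len), check_wide(off, len));
    }
    return 0;
}
```

The last two rows are the ones where the wrapping check accepts input that both safe forms reject.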
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1
Patches
- 55782f6d63a5
- 02ffb4ecf061
- ebe6d2fcf783
- 232ef345e5d7
- 11cd4ec6359d
- 39eadaf5611d
- a713602807f3
- c7dd13805f8b
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- git.kernel.org/stable/c/02ffb4ecf0614c58e3d0e5bfbe99588c9ddc77c0 (nvd)
- git.kernel.org/stable/c/11cd4ec6359d90b13ffb8f85a9df8637f0cf8d95 (nvd)
- git.kernel.org/stable/c/232ef345e5d76e5542f430a29658a85dbef07f0b (nvd)
- git.kernel.org/stable/c/39eadaf5611ddd064ad1c53da65c02d2b0fe22a4 (nvd)
- git.kernel.org/stable/c/55782f6d63a5a3dd3b84c1e0627738fc5b146b4e (nvd)
- git.kernel.org/stable/c/a713602807f32afc04add331410c77ef790ef77a (nvd)
- git.kernel.org/stable/c/c7dd13805f8b8fc1ce3b6d40f6aff47e66b72ad2 (nvd)
- git.kernel.org/stable/c/ebe6d2fcf7835f98cdbb1bd5e0414be20c321578 (nvd)